TL;DR
Attackers are exploiting Google Ads and legitimate Claude.ai shared chat features to deliver Mac malware to users searching for "Claude mac download". This malvertising campaign bypasses traditional ad-blocking and URL inspection by routing victims through official Claude.ai chat pages before redirecting to malicious downloads, making it particularly dangerous for users who trust the Claude platform.
What Happened
A sophisticated malvertising campaign is actively targeting Mac users searching for Claude desktop software, abusing both Google Ads and legitimate Claude.ai shared chat links to distribute malware. The attack chain begins when users search for "Claude mac download" on Google and click a sponsored result that displays claude.ai as the target website — but instead of leading to Anthropic's official download page, the ad redirects through a shared chat on Claude.ai itself before landing on a malicious site hosting fake installer files.
Key Facts
- The campaign was first reported by BleepingComputer on Sunday, May 10, 2026, based on analysis of active malvertising infrastructure.
- Attackers are purchasing Google Ads that display claude.ai as the destination URL in the ad copy, but use cloaking techniques to redirect users to Claude.ai shared chat pages.
- The malicious shared chats on Claude.ai contain instructions and links that ultimately lead to fake macOS installer files hosted on attacker-controlled domains.
- Victims who download and run the fake installer are infected with info-stealing malware designed to exfiltrate browser credentials, cryptocurrency wallets, and other sensitive data.
- The campaign specifically targets Mac users — a demographic less accustomed to malware threats — by using Apple-style installer interfaces to appear legitimate.
- Google's ad review system failed to detect the cloaking, as the ads initially show the legitimate claude.ai URL before being redirected through the shared chat chain.
- Anthropic's Claude.ai platform is being unwittingly used as an intermediary, with the shared chat feature — designed for collaboration — repurposed as a trust-building redirect step.
Breaking It Down
This attack is notable not for the novelty of malvertising, but for the specific exploitation of Claude.ai's shared chat feature as a trust signal. In typical malvertising campaigns, attackers use URL shorteners or redirect chains that security tools can flag. By routing victims through an official Anthropic domain — specifically a shared chat page on claude.ai — the attack gains a veneer of legitimacy that bypasses both automated security scanners and human suspicion.
100% of the redirect chain appears to involve a legitimate, high-trust domain (claude.ai) before the malicious payload is delivered.
The shared chat feature on Claude.ai is designed to let users publish and share conversations publicly. Attackers are creating chats that appear to be helpful guides for downloading the Claude desktop app, complete with step-by-step instructions that include links to what looks like an official download mirror. In reality, those links point to attacker-controlled servers hosting fake .dmg files that, when mounted and run, execute malware rather than installing the legitimate Claude for Mac application.
Google's ad platform plays a critical role here. The sponsored search results show claude.ai as the visible destination, passing Google's ad review because the initial click does land on Claude.ai. The cloaking mechanism — which detects whether the visitor is a Google crawler or a real user — only activates the redirect chain for human traffic. This technique has been used for years against Google Ads but remains effective because Google's review systems rely on automated crawlers that don't trigger the redirect.
The malware itself appears to be a variant of known Mac info-stealers that target Keychain data, browser cookies, cryptocurrency wallet files, and saved passwords. Mac-specific malware campaigns are less common than their Windows counterparts but often more effective, because Mac users tend to be less vigilant about security; many still believe macOS is immune to malware.
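A defender-side check for the chain described above, as an added example that is not from the original article: it correlates a view of a Claude.ai shared chat with a macOS installer download from an unverified host shortly afterwards. The `/share/` path, the trusted-host list, the 10-minute window and the three-field log format are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: hosts your organisation has verified as genuine download sources.
TRUSTED_SUFFIXES = ("claude.ai", "anthropic.com")
INSTALLER_EXTS = (".dmg", ".pkg")
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample proxy log, sorted by time: timestamp, client, URL.
SAMPLE_LOG = """\
2026-05-10T09:14:02Z 10.0.0.5 https://claude.ai/share/EXAMPLE-CHAT-ID
2026-05-10T09:15:40Z 10.0.0.5 https://downloads.example.net/Claude-Installer.dmg
2026-05-10T09:20:11Z 10.0.0.7 https://mirror.example.org/tool.dmg
2026-05-10T11:02:00Z 10.0.0.5 https://cdn.example.com/other.pkg
"""

def is_trusted(host):
    # Exact match or true subdomain; "evil-claude.ai" must not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def is_shared_chat(url):
    # Assumption: shared chats live under the /share/ path on claude.ai.
    parts = urlsplit(url)
    return (parts.hostname or "") == "claude.ai" and parts.path.startswith("/share/")

def is_untrusted_installer(url):
    parts = urlsplit(url)
    return parts.path.lower().endswith(INSTALLER_EXTS) and not is_trusted(parts.hostname)

def find_suspicious_downloads(log_text):
    last_chat = {}  # client -> (time, url) of its most recent shared-chat view
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        client, url = fields[1], fields[2]
        if is_shared_chat(url):
            last_chat[client] = (ts, url)
        elif is_untrusted_installer(url) and client in last_chat:
            seen, chat_url = last_chat[client]
            if ts - seen <= WINDOW:
                alerts.append({"client": client, "chat": chat_url, "download": url})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_downloads(SAMPLE_LOG):
        print(alert)
```

An alert here is a lead for triage rather than a verdict: the installer should still be checked before anyone concludes the host is compromised.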
What Comes Next
- Google will likely purge these ads within 24–48 hours once the campaign is publicly documented, but attackers will pivot to new search terms and ad accounts. Expect variations targeting "Claude desktop download", "Claude AI Mac installer", and similar long-tail queries.
- Anthropic will need to implement abuse detection on shared chats — likely adding automated scanning for links that redirect to download pages, or requiring link previews to verify destinations before the chat is published. This may reduce the utility of the shared chat feature for legitimate users.
- Apple may issue a security advisory urging Mac users to only download software from the App Store or directly from developer websites, and could update Gatekeeper or XProtect to block the identified malware signatures.
- Security researchers will monitor for copycat campaigns using the same technique against other popular AI tools — expect similar attacks targeting ChatGPT desktop downloads, Midjourney installers, or Copilot for Mac searches in the coming weeks.
The Bigger Picture
This campaign sits at the intersection of AI platform abuse and malvertising evolution. As AI tools like Claude, ChatGPT, and Gemini become essential productivity software, attackers are shifting from targeting generic "free download" searches to specific brand-related queries. The use of Claude.ai's shared chat feature as a redirect node represents a new class of "trust proxy" attacks — where legitimate features of trusted platforms are weaponized against their own users.
The broader trend is supply chain poisoning through advertising platforms. Google Ads, Microsoft Ads, and social media ad networks remain the most effective initial access vectors for malware distribution because they exploit user trust in search results. Despite years of abuse, ad platforms still fail to adequately vet sponsored content, particularly when attackers use multi-step redirect chains that only activate for real users.
Mac-specific targeting also reflects a strategic shift. With Windows users increasingly protected by Microsoft Defender and enterprise security tools, attackers are investing in macOS malware that faces less competition and encounters users with weaker security postures. This campaign, combined with recent Atomic Stealer and RealStealer variants for macOS, suggests a sustained investment in Mac-targeted malware infrastructure.
Key Takeaways
- [Google Ads Abuse]: Attackers are using cloaked Google Ads that display claude.ai as the destination but redirect through Claude.ai shared chats to malicious download sites.
- [Claude.ai as Intermediary]: Anthropic's shared chat feature is being exploited as a trust-building step in the attack chain, making the redirect appear legitimate to users.
- [Mac Users Targeted]: The campaign specifically targets Mac users with fake macOS installer files, exploiting the perception that Macs are immune to malware.
- [Info-Stealing Payload]: Victims who run the fake installer are infected with malware designed to steal browser credentials, cryptocurrency wallets, and Keychain data.


