Bybit Exposes Multi-Stage Malware Targeting Claude Code Users
Severity: High (Score: 67.5)
Sources: Prnewswire, Cryptonews, Techflowpost
Summary
Bybit's Security Operations Center (SOC) reported a sophisticated malware campaign targeting macOS users searching for 'Claude Code,' an AI development tool from Anthropic. The campaign, first identified in March 2026, employed SEO poisoning to redirect users to a malicious installation page resembling legitimate documentation. The attack involved a two-stage malware chain, with the initial payload delivered via a Mach-O dropper, deploying an osascript-based infostealer that extracted sensitive data such as browser credentials and cryptocurrency wallet information. The second-stage payload introduced a C++ backdoor with advanced evasion techniques, allowing persistent access and remote command execution. Bybit's SOC utilized AI-assisted workflows to expedite malware analysis and detection, achieving significant reductions in response times. The campaign targeted over 250 browser wallet extensions and multiple desktop wallet applications, highlighting the threat to developers in the cryptocurrency sector.
Key Points:
- Bybit identified a malware campaign targeting macOS users searching for Claude Code.
- The attack used SEO poisoning to redirect users to malicious installation pages.
- The malware chain involved credential harvesting and persistent access through advanced techniques.
Key Entities
- Malware (attack_type)
- Trojan (attack_type)
- CWE-200 - Exposure of Sensitive Information (cwe)
- Financial (industry)
- AMOS (malware)
- Banshee (malware)
- T1003 - OS Credential Dumping (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1059.005 - Visual Basic (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- Chromium-based Browsers (platform)
- Firefox (platform)
- Ledger Live (platform)
- macOS (platform)
- Safari (platform)
- Claude Code (tool)
- Mach-O Dropper (tool)
- osascript (tool)