HackMyIP
2026-05-10 BleepingComputer

Hackers Abuse Google Ads & Claude.ai Chats to Spread Mac Malware

Tags: Malware, AI Threats, Phishing

A sophisticated malvertising campaign is leveraging Google Ads and the public chat‑sharing feature of Anthropic’s Claude.ai to distribute a macOS backdoor. Victims who search for "Claude mac download" are presented with a sponsored link that points to a look‑alike domain (e.g., claude‑ai.info) mimicking the genuine Claude.ai landing page. The ad exploits Google’s geo‑targeting and time‑limited redirects, displaying the malicious page only to users in the United States and United Kingdom, which helps the operation evade automated review systems.

The malware arrives as a trojanized DMG installer that contains a Mach‑O executable signed with an ad‑hoc certificate to bypass Gatekeeper’s notarization checks. Upon execution, the binary drops a launch agent named “com.claude.update” that ensures persistence across reboots. The backdoor opens a reverse HTTPS shell to a command‑and‑control (C2) server hosted at 185.220.101.34, where it exfiltrates browser cookies, Keychain credentials, and cryptocurrency wallet data using a custom AES‑256‑encrypted payload. Researchers at SentinelOne have labeled this campaign “Operation Claymore” and have documented the C2 IP, associated domains, and the malicious DMG hash (SHA‑256: 3f8c2a…).

In parallel, the threat actors abuse Claude.ai’s shared‑chat URLs to embed shortened links (e.g., via bit.ly) that point directly to the malware host. By creating public conversation threads titled “Claude for Mac – Free Download,” they trick users into clicking the link, which triggers an automatic download of the infected DMG. The social‑engineering lure is reinforced with instructions that mimic the official install flow, making it difficult for casual users to distinguish the counterfeit site from the legitimate one.

Security teams are advised to monitor for outbound connections to the identified C2 IP, enforce strict Gatekeeper policies, and block domain look‑alikes associated with the campaign. Organizations should also disable automatic execution of DMG files from untrusted sources and educate users about verifying URLs before downloading software. The Indicators of Compromise (IOCs), including the malicious domain list and file hashes, have been shared on the SentinelOne blog and can be imported into SIEM or EDR platforms for immediate detection.
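A small detection sketch for the three indicators the article names (the C2 address, the look-alike domain pattern, and the persistence launch agent label), added here as an example and not code from the article or from SentinelOne. It assumes key=value sensor logs of the shape shown in the constructed samples, and writes the look-alike domain with an ASCII hyphen; the truncated DMG hash is left out because the page only gives its prefix.

```python
import plistlib
import re

# Indicators quoted in the article. The DMG hash is truncated there ("3f8c2a..."),
# so it is deliberately not included.
C2_IP = "185.220.101.34"
LAUNCH_AGENT_LABEL = "com.claude.update"
LEGIT_DOMAINS = ("claude.ai",)

def is_lookalike(host: str) -> bool:
    """True for hosts that borrow the 'claude' brand but are neither the
    legitimate domain nor one of its subdomains (e.g. claude-ai.info)."""
    host = host.lower().rstrip(".")
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return False
    return "claude" in host

def launch_agent_matches(plist_bytes: bytes) -> bool:
    """True if a LaunchAgent plist carries the persistence label from the article."""
    return plistlib.loads(plist_bytes).get("Label") == LAUNCH_AGENT_LABEL

# Assumed log shape (key=value pairs); adapt the regexes to your own sensor.
_DST_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
_HOST_RE = re.compile(r"\b(?:host|qname)=(?P<host>[A-Za-z0-9.-]+)")

def scan_log(lines):
    """Return (reason, line) for each line touching the C2 IP or a look-alike host."""
    hits = []
    for line in lines:
        m = _DST_RE.search(line)
        if m and m.group("ip") == C2_IP:
            hits.append(("c2-ip", line))
            continue
        m = _HOST_RE.search(line)
        if m and is_lookalike(m.group("host")):
            hits.append(("lookalike-domain", line))
    return hits

# Constructed sample data (documentation IP ranges), not real captures.
SAMPLE_PLIST = plistlib.dumps({"Label": "com.claude.update", "ProgramArguments": ["/tmp/.update"], "RunAtLoad": True})
SAMPLE_LOG = [
    "2026-05-10T09:12:01Z proxy src=10.0.0.12 dst=192.0.2.10:443 host=claude.ai",
    "2026-05-10T09:13:40Z dns src=10.0.0.12 qname=claude-ai.info rcode=NOERROR",
    "2026-05-10T09:14:02Z fw src=10.0.0.12 dst=185.220.101.34:443 proto=tcp",
    "2026-05-10T09:15:00Z proxy src=10.0.0.12 dst=198.51.100.7:443 host=support.claude.ai",
]

if __name__ == "__main__":
    print(launch_agent_matches(SAMPLE_PLIST), scan_log(SAMPLE_LOG))
```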

Source: BleepingComputer
