Researchers have identified a macOS malware delivery campaign that abuses two distinct distribution vectors — Google Ads impersonating developer tools, and shared Claude.ai conversation links — to deliver an infostealer payload targeting developers. The campaign represents an evolution of the MacSync malvertising operation covered in early May, with the addition of an AI platform abuse vector.
Distribution Vectors
Google Ads malvertising continues the approach seen in the earlier MacSync campaign: paid search advertisements impersonating legitimate macOS developer utilities, design tools, and productivity software appear above organic search results. Clicking the ad redirects to a convincing lookalike site hosting a signed DMG file. The DMG installs what appears to be the legitimate application while dropping the infostealer payload.
Claude.ai conversation abuse is the novel element. Attackers are sending developer targets social engineering messages that include a link to a Claude.ai shared conversation — a feature that allows published AI conversations to be viewed by anyone with the link. The shared conversation appears to contain technical discussion (code review, tooling advice, framework documentation) and embeds a link to an “example repository” or “reference implementation” that is actually a download link for the malicious DMG. Because the hosting domain is claude.ai and the link arrives within what appears to be a legitimate technical conversation, standard URL reputation filters do not flag it as malicious at delivery time.
Anthropic was notified prior to publication; the specific malicious shared conversations identified in the research were removed. The platform feature enabling public conversation sharing remains functional.
Payload Analysis
The delivered payload is an updated variant of the MacSync infostealer, repackaged with new components that evade XProtect signatures active in macOS Sequoia (15.x). Post-installation capabilities include:
- Browser credential extraction (Safari, Chrome, Firefox, Arc)
- macOS Keychain access via user-context API calls
- SSH key and AWS/GCP/Azure credential theft from developer home directories
- Crypto wallet seed phrase extraction from common wallet applications
- Screen capture and clipboard monitoring
The malware communicates with a command-and-control domain over HTTPS using certificate-pinned connections to evade SSL inspection.
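The capability list above names the developer credential stores this variant harvests. As an added example (not code from the research or from any tool mentioned in the article), the following POSIX shell script inventories the conventional client-side locations for those credentials in a home directory and flags any that have not been rotated within a chosen window, so an incident responder can see what an infection on that machine would have exposed and what needs rotating first. The file paths are the standard locations used by the SSH, AWS, gcloud and Azure CLIs; the 90-day default is an assumption to adjust to local policy.

```shell
#!/bin/sh
# Added example: inventory developer credential files and flag stale ones.
# Not part of the original article; paths are conventional CLI locations
# and MAX_AGE_DAYS (default 90) is an assumed rotation window.

MAX_AGE_DAYS="${MAX_AGE_DAYS:-90}"

# Print one path per line for every credential file found under home dir $1.
list_credential_files() {
  home="$1"
  # SSH private keys: anything in ~/.ssh that is not a public key or metadata.
  if [ -d "$home/.ssh" ]; then
    find "$home/.ssh" -type f ! -name '*.pub' ! -name 'known_hosts*' \
         ! -name config ! -name authorized_keys
  fi
  # Cloud CLI credential caches (adjust for tools used in your environment).
  for p in "$home/.aws/credentials" \
           "$home/.config/gcloud/application_default_credentials.json" \
           "$home/.azure/msal_token_cache.json"; do
    [ -f "$p" ] && printf '%s\n' "$p"
  done
  return 0
}

# Print only those credential files last modified more than MAX_AGE_DAYS ago.
# find -mtime +N is portable between BSD (macOS) and GNU find.
stale_credential_files() {
  list_credential_files "$1" | while IFS= read -r f; do
    find "$f" -mtime +"$MAX_AGE_DAYS" 2>/dev/null
  done
}

# Number of stale credential files under home dir $1.
count_stale() {
  stale_credential_files "$1" | wc -l | tr -d ' '
}

# Usage: AUDIT_HOME="$HOME" sh cred_audit.sh
# Prints the full inventory, then the subset overdue for rotation.
if [ -n "${AUDIT_HOME:-}" ]; then
  echo "Credential files under $AUDIT_HOME:"
  list_credential_files "$AUDIT_HOME"
  echo "Older than $MAX_AGE_DAYS days (rotate first):"
  stale_credential_files "$AUDIT_HOME"
  echo "Stale count: $(count_stale "$AUDIT_HOME")"
fi
```

Run it with `AUDIT_HOME="$HOME"` on a suspect workstation; the stale list is the minimum rotation set, and under the article's assume-exposure guidance everything in the full inventory should be rotated on a machine without behavioural endpoint protection.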
Defensive Guidance
For macOS users and administrators:
- Keep Gatekeeper enabled and do not override it. If a DMG downloaded from a browser or link presents a “this developer is not trusted” Gatekeeper warning, do not bypass it. Legitimate commercial software is notarised by Apple. Overriding Gatekeeper is the primary installation mechanism for this malware.
- Treat links embedded in shared AI conversations as external URLs. The domain being claude.ai does not guarantee the content of that conversation or the URLs it contains. Apply the same scrutiny to links in AI conversations as you would to links in emails.
- Developer workstations should have endpoint protection active. macOS endpoint security tools with behavioural detection, not only signature scanning, are necessary to catch infostealer activity that evades XProtect.
- Block Google Ads results for developer tool searches via DNS or a browser extension. Developer malvertising consistently exploits the fact that developers search for software utilities using generic search terms, where malicious ads can appear above legitimate results.
- Rotate credentials regularly on development machines — particularly SSH keys, cloud provider credentials, and API keys stored in developer home directories. Assume that credentials stored on any macOS workstation that lacks robust endpoint protection may have been exposed.