Hackers abuse Claude.ai shared chats to spread ClickFix instructions and MacSync malware


Hackers abused Claude.ai shared chat links to host ClickFix social engineering instructions that tricked macOS users into running malicious Terminal commands. The campaign used Google Ads, fake AI tool download pages, and trusted Claude.ai URLs to deliver the MacSync infostealer.

Trend Micro said its TrendAI Research team tracked 106 unique malicious hostnames across six attack waves over seven weeks. The attackers impersonated popular AI developer tools, including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains.

The campaign did not exploit a vulnerability in Claude. It abused a legitimate sharing feature and relied on users copying and running commands themselves, which makes ClickFix attacks harder for traditional defenses to stop.

What happened in the Claude.ai ClickFix campaign?

The attackers first used GitLab Pages to host fake download and setup pages. Trend Micro said the campaign used 92 unique malicious hostnames under GitLab Pages before moving some activity to Claude.ai shared chats.

The lure worked because victims were already searching for AI developer tools. A sponsored result could send them to a page that looked like a setup guide, support chat, or official installation walkthrough.

In later waves, victims landed on real Claude.ai shared chat URLs. Those shared chats displayed fake support-style instructions and told users to open Terminal, paste a command, and run it to install or fix software.

Campaign element       | How attackers used it
Google Ads             | Targeted users searching for AI developer tools
GitLab Pages           | Hosted early fake download pages under trusted-looking subdomains
Claude.ai shared chats | Hosted fake support conversations on a legitimate Claude domain
ClickFix commands      | Tricked users into manually executing malicious Terminal commands
MacSync                | Collected credentials, cookies, SSH keys, and cryptocurrency wallet data

Why Claude shared chats made the attack more convincing

Claude shared chats are designed for legitimate collaboration. The Claude Help Center says users can create shareable snapshots of conversations that anyone with the link can view.

That feature created a trust advantage for attackers. A victim checking the address bar would see a real claude.ai URL, not an unknown malware domain or an obvious typo-squatted page.

The malicious shared chats reportedly impersonated Apple Support or developer teams. They presented command-line steps as routine setup instructions, which can look normal to developers and macOS power users.

How ClickFix turns users into the execution step

ClickFix attacks do not always need a browser exploit or infected attachment. They convince users to run a command under the pretext of fixing an issue, installing software, or completing a setup process.

Malwarebytes reported a similar Claude-themed campaign in May 2026. In that case, sponsored search results led users to Claude shared chats that instructed them to paste a base64-encoded command into Terminal.

Once the command ran, it pulled a loader script from attacker-controlled infrastructure. That script profiled the system, fetched another payload, and used macOS scripting tools to continue execution.

  • The victim searches for an AI tool or setup guide.
  • A sponsored result leads to a fake page or shared Claude chat.
  • The page shows convincing installation or support instructions.
  • The victim copies and runs a Terminal command.
  • The command downloads a second-stage payload.
  • The malware steals data and sends it to attacker-controlled servers.

MacSync targets valuable macOS data

The campaign delivered MacSync, a macOS infostealer focused on credentials and developer-adjacent data. It can collect browser credentials, cookies, SSH keys, Keychain-related data, and cryptocurrency wallet information.

The Hacker News previously reported that MacSync campaigns used fake AI tool installers and Terminal commands to infect macOS users. Those campaigns targeted users of AI and developer tools because their devices often store high-value credentials.

Trend Micro also said the malware checked for Russian keyboard layouts, which likely acts as an avoidance mechanism for systems in Russia or nearby regions.

Data at risk       | Why attackers want it
Browser cookies    | Can help attackers hijack active sessions
Saved credentials  | Can support account takeover and lateral movement
SSH keys           | Can expose servers, repositories, and developer environments
Crypto wallet data | Can lead directly to financial theft
System details     | Can help attackers choose follow-up payloads

Asia-Pacific users saw the heaviest targeting

Trend Micro’s report said the Asia-Pacific region accounted for 67.2% of confirmed victims. Taiwan alone represented 30.5% of total traffic, followed by heavy activity in Japan and Singapore.

Later waves expanded to countries including India, France, and Italy. That shift suggests the attackers kept testing ad targeting, lure themes, and infrastructure to improve conversion.

The campaign also focused on technically skilled users. Developers are more likely to recognize command-line installation patterns, but that familiarity can also make malicious instructions feel routine.

Microsoft has warned about similar macOS ClickFix activity

Microsoft warned in May that ClickFix-style macOS campaigns were using fake utility and troubleshooting pages to deliver infostealers. The company said attackers were taking advantage of users looking for macOS help and asking them to run commands from user-generated or blog-style pages.

Microsoft also noted that scripts launched directly through Terminal may not face the same checks as normal application bundles opened through Finder. That gives attackers a way to reduce reliance on traditional app delivery.

(Figure: Top 20 Countries Targeted by the Campaign)

This explains why ClickFix has become popular. It uses normal user actions, trusted platforms, and command-line tools that may not trigger the same warnings as a downloaded app.

Why shared platform abuse is hard to block

Blocking unknown domains helps with many malware campaigns, but it is less effective when attackers host instructions on trusted platforms. Claude.ai, GitLab Pages, Medium, Squarespace, and similar services can all host legitimate content and malicious instructions.

The Claude sharing guide explains that users can unshare chat snapshots and manage previously shared chats. That helps legitimate users, but platform providers still need abuse detection for shared content that instructs viewers to run dangerous commands.

Security teams should treat public shared chats and user-generated setup guides as untrusted unless they come from an official vendor channel.

  • A real domain does not guarantee safe content.
  • Sponsored search results can lead to malicious instructions.
  • Shared chats can impersonate official support or setup guides.
  • Terminal commands can bypass many normal download warnings.
  • Developers may be more likely to trust command-line installation steps.

What users should do to stay safe

Users should avoid installing AI tools from sponsored search results, shared chats, or public setup guides. Official installers and instructions should come from the product vendor’s main website or documentation.

Malwarebytes’ guidance also stresses that users should slow down when a webpage asks them to run commands. That is especially important when the page creates urgency or claims that the command will fix a setup problem.

macOS users should treat base64-encoded commands, curl-to-shell commands, osascript calls, and unfamiliar shell pipelines as high risk unless they fully understand the command and trust the source.

What organizations should monitor

Organizations should monitor macOS endpoints for suspicious Terminal activity after browser sessions. Useful signals include Terminal spawning bash, zsh, curl, or osascript, base64 decoding in command lines, and unusual network connections from scripting processes.

(Figure: Top 10 Countries by Confirmed Victim Interactions)

Microsoft’s analysis recommends focusing on the behavior of these campaigns, including script execution, data staging, persistence, and exfiltration. This matters because domains and payloads can change quickly.

Security awareness training should also include ClickFix examples. Employees should learn that a polished support page or a real shared chat link can still contain harmful instructions.

Detection area           | Signal to investigate
Browser to Terminal flow | Terminal commands shortly after visits to ads, shared chats, or setup guides
Encoded commands         | base64 decoding followed by curl, bash, zsh, or osascript
Credential access        | Attempts to read browser profiles, cookies, SSH keys, or wallet files
Network activity         | Script interpreters connecting to unfamiliar domains
User reports             | Questions about AI tool ads, Claude Code setup chats, or strange support pages
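As an added example (not code from Trend Micro, Microsoft or Malwarebytes, and not part of this article), the following Python script applies the detection signals in the table above, together with the high-risk command patterns listed under what users should do (base64-encoded commands, curl-to-shell pipelines, osascript calls), to a handful of constructed browser-visit and process events. The event fields, the ten-minute correlation window, the allowlist of known-good hosts, the lure hostnames and all sample values are assumptions chosen for the illustration.

```python
"""Offline triage of constructed macOS process events against ClickFix signals.
Added example; the event schema, window and allowlist below are assumptions."""
import re
from datetime import datetime, timedelta

# Hosts named on the page as lure locations; a shell command shortly after a
# visit to one of them is the "browser to Terminal flow" signal.
LURE_HOST_RE = re.compile(r"(^|\.)(claude\.ai|gitlab\.io)$")
SHELLS = {"bash", "zsh", "sh", "osascript"}
INTERPRETERS = SHELLS | {"curl", "python3"}
# "Encoded commands" row: decode or download piped straight into a shell.
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(bash|zsh|sh|osascript)")
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(bash|zsh|sh)\b")
# "Credential access" row: well-known macOS locations for keys, cookies, wallets.
CREDENTIAL_PATHS = ("/.ssh", "/Library/Keychains",
                    "/Library/Application Support/Google/Chrome", "/Cookies", "wallet")
KNOWN_GOOD_HOSTS = {"github.com", "registry.npmjs.org"}  # assumed allowlist
WINDOW = timedelta(minutes=10)                            # assumed correlation window


def score_event(event, prior_visits):
    """Return the list of page signals a single process event matches."""
    hits = []
    cmd = event.get("cmdline", "")
    if event["process"] in SHELLS and any(
            LURE_HOST_RE.search(v["host"])
            and timedelta(0) <= (event["ts"] - v["ts"]) <= WINDOW
            for v in prior_visits):
        hits.append("browser-to-terminal flow")
    if DECODE_TO_SHELL.search(cmd):
        hits.append("encoded command piped to shell")
    if FETCH_TO_SHELL.search(cmd):
        hits.append("curl/wget piped to shell")
    if any(p.lower() in cmd.lower() for p in CREDENTIAL_PATHS):
        hits.append("credential access")
    dest = event.get("dest_host")
    if dest and event["process"] in INTERPRETERS and dest not in KNOWN_GOOD_HOSTS:
        hits.append(f"script interpreter contacted unfamiliar host {dest}")
    return hits


def triage(visits, events):
    """Pair each process event with the browser visits before it; return flagged ones."""
    flagged = []
    for e in sorted(events, key=lambda x: x["ts"]):
        prior = [v for v in visits if v["ts"] <= e["ts"]]
        hits = score_event(e, prior)
        if hits:
            flagged.append((e["cmdline"], hits))
    return flagged


# Constructed sample data (not real telemetry): one shared-chat visit followed
# by suspicious shell activity, then ordinary developer activity hours later.
T0 = datetime(2026, 5, 1, 9, 0, 0)
SAMPLE_VISITS = [
    {"ts": T0, "host": "claude.ai", "path": "/share/EXAMPLE-SHARE-ID"},
    {"ts": T0 + timedelta(hours=3), "host": "github.com", "path": "/"},
]
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(minutes=2), "process": "bash",
     "cmdline": "echo Y29uc3RydWN0ZWQ= | base64 -D | bash",
     "dest_host": "setup.example.invalid"},
    {"ts": T0 + timedelta(minutes=4), "process": "osascript",
     "cmdline": "osascript -e 'do shell script \"cat ~/.ssh/id_ed25519\"'"},
    {"ts": T0 + timedelta(hours=3, minutes=1), "process": "bash",
     "cmdline": "git clone https://github.com/example/repo.git",
     "dest_host": "github.com"},
    {"ts": T0 + timedelta(hours=5), "process": "zsh", "cmdline": "ls -la"},
]

if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_VISITS, SAMPLE_EVENTS):
        print(f"FLAGGED: {cmdline!r}")
        for h in hits:
            print(f"    - {h}")
```

Running the script flags the two events that follow the shared-chat visit and leaves the later git clone and directory listing alone. In a real deployment the visit and process rows would come from an EDR or a unified-log export, the allowlist and window would need tuning to the environment, and the credential-path list is deliberately short; the point is that the correlation of a lure visit with a decode-to-shell or fetch-to-shell command is a stronger signal than any one command pattern in isolation.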

The broader ClickFix trend is still growing

ClickFix and related InstallFix campaigns have become common because they exploit user trust rather than a single software bug. They work especially well against users who expect to run technical commands during software installation.

Earlier reporting showed that similar campaigns used ChatGPT conversations, fake AI tool installers, and malicious ads to spread MacSync and other stealers. The Claude.ai shared chat activity shows the same tactic moving across trusted AI platforms.

The main lesson is simple. Users should judge the instruction, not only the domain. A trusted site can host untrusted user-generated content, and a legitimate-looking command can still install malware.

Bottom line

The Claude.ai shared chat campaign shows how attackers can turn trusted AI platforms into social engineering surfaces. They do not need to break into Claude if they can create a public shared chat and drive victims to it through ads.

For users, the highest-risk moment is any page that asks them to copy and paste a command into Terminal. For organizations, the priority is to detect unusual shell activity, educate employees, and reduce reliance on users spotting every fake setup page.

AI tool users, developers, and macOS users should use official download pages, avoid sponsored installation links, and never run commands from public shared chats unless they can verify every part of the command.

FAQ

Did hackers breach Claude.ai in this campaign?

No. The campaign abused Claude.ai shared chat links to host social engineering instructions. It did not require a breach of Claude or Anthropic.

What is a ClickFix attack?

A ClickFix attack tricks users into fixing a fake problem by copying and running a command. The command usually downloads or runs malware while appearing to install software, solve an error, or complete setup.

What malware did the Claude.ai shared chat campaign deliver?

The campaign delivered MacSync, a macOS infostealer that can collect browser credentials, cookies, SSH keys, Keychain-related data, cryptocurrency wallet data, and other sensitive information.

Why did attackers use Claude.ai shared chats?

Attackers used Claude.ai shared chats because the links appear on a real and trusted Claude domain. That made fake setup instructions look more credible and reduced obvious domain-based warning signs.

How can users avoid Claude-themed ClickFix attacks?

Users should avoid installing software from sponsored search results or shared chats, verify setup instructions on official vendor websites, and never paste unknown commands into Terminal.
