Hackers Use Google Ads and Shared Claude Chats to Spread MacSync Stealer on Macs
Hackers used paid Google search ads and shared Claude chats to distribute MacSync Stealer, an information-stealing malware that targets macOS. The campaign directed people searching for Claude software to instructions that told them to infect their own Macs through Terminal.
The attack did not exploit a vulnerability in Claude or compromise Anthropic’s systems. Instead, the attackers abused Claude’s legitimate sharing feature to host malicious instructions on the trusted claude.ai domain, according to an investigation by Zscaler Threat Hunting.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The malware can steal Keychain files, browser credentials, authentication cookies, cryptocurrency wallet data, developer credentials, Telegram files, and sensitive documents. It also attempts to capture the victim’s macOS password through a deceptive system prompt.
How the MacSync Stealer attack begins
The infection starts when a Mac user searches Google for phrases related to downloading Claude. Zscaler observed ads targeting searches such as “claude,” “claude ai,” “claude code,” “claude mac,” and “claude code desktop mac.”
Clicking the sponsored result takes the user to a publicly shared Claude conversation. Because the page appears on the legitimate claude.ai domain, it may look safer than an unfamiliar download website.
The attackers reportedly set their Claude display name to “Apple Support.” As a result, the shared page displayed a “Shared by Apple Support” label even though Apple had no connection to the conversation.
| Attack stage | What happens |
|---|---|
| Malicious Google ad | A sponsored result appears for a Claude-related search. |
| Shared Claude chat | The ad directs the user to malicious instructions hosted on claude.ai. |
| Fake support guidance | The conversation claims to provide installation or troubleshooting steps. |
| Terminal command | The user is told to paste an encoded command into macOS Terminal. |
| MacSync deployment | The command downloads and runs several stages of the information stealer. |
| Data theft | Credentials, files, wallet data, and system information are collected and uploaded. |
Fake Claude instructions use the ClickFix technique
The shared conversation tells the victim to copy an encoded command and paste it into Terminal. This social-engineering method is commonly called ClickFix because attackers present a command as a quick installation step or solution to a fabricated problem.
The command contains an encoded address for an attacker-controlled server. Once the user runs it, a shell script downloads another script, hides visible output, and retrieves the main MacSync Stealer component.
The final AppleScript payload runs through macOS tools already present on the system. This approach helps the malware avoid a conventional application download and reduces the number of files left on disk during execution.
- The user runs the command shown in the shared Claude chat.
- The command retrieves and decodes an initial shell script.
- A second-stage script suppresses Terminal output.
- The script downloads the MacSync AppleScript payload.
- The malware requests additional access and displays a fake password prompt.
- Stolen data is collected in a temporary directory and compressed.
- The archive is uploaded to an attacker-controlled server in 10MB chunks.
- The malware deletes the temporary archive and some working files.
MacSync targets passwords, wallets, and developer data
MacSync tries to access protected browser and user directories. If it cannot reach the required data, it may modify the user’s shell configuration to run the downloader again whenever Terminal opens. It can also display instructions asking the victim to grant Full Disk Access.
The malware then presents a fake system dialog designed to capture the Mac login password. It combines that password with device information and the victim’s username before collecting other valuable data.
Its targets extend beyond ordinary browser passwords. The campaign also threatens developers and cryptocurrency users because it searches for cloud credentials, SSH keys, Kubernetes configurations, wallet extensions, and related desktop applications.
| Data category | Examples targeted by MacSync |
|---|---|
| macOS credentials | Keychain databases and the password entered into a fake prompt |
| Browser data | Cookies, saved logins, browsing databases, and session information |
| Password managers | Local data belonging to supported password-manager extensions |
| Developer credentials | SSH keys, AWS files, Kubernetes configurations, shell history, and Git settings |
| Cryptocurrency data | Wallet extensions, wallet files, and data associated with Ledger and Trezor software |
| Personal files | Telegram data and documents with extensions including PDF, wallet, and KDBX |
Campaign used 22 Google Ads campaign IDs
Zscaler observed the campaign between June 12 and June 19, 2026. Its telemetry identified 22 unique advertising campaign IDs and seven Claude-related search terms, including one Chinese-language variation.
The malicious infrastructure used domain names that resembled ordinary US businesses, including flooring installers, pet sitters, home inspectors, plumbers, and other local services. These names had no clear connection to Claude or software downloads.

The full Zscaler MacSync report also identified Russian-language comments in the AppleScript code. Researchers said these comments suggest that the operator or malware developer likely speaks Russian, although the evidence does not establish a specific identity or group.
Claude was not compromised
Anthropic’s service acted as a trusted hosting location for attacker-written content. Any user who can create and share a Claude conversation may make that page publicly accessible, which allowed the campaign to place fake support instructions on a legitimate domain.
Zscaler notified Anthropic about the abuse. The malicious shared conversations were no longer accessible when Zscaler published its findings on July 15, 2026. No evidence indicates that attackers breached Claude accounts, altered the Claude model, or compromised Anthropic’s infrastructure.
Anthropic’s official Claude Desktop instructions tell Mac users to visit the Claude downloads page, select the macOS version, open the downloaded installer, and launch Claude from the Applications folder. They do not require users to paste an encoded command from a shared chat into Terminal.
Google Ads rules prohibit malware distribution
The ads gave attackers a prominent position in Google results and allowed them to target people who already intended to install Claude. The legitimate claude.ai destination also made the ads appear more credible than promotions leading directly to an unknown domain.
Google’s malicious software policy prohibits ads and destinations that intentionally distribute malware or attempt to gain unauthorized access to a computer. The existence of the campaign shows that malicious advertisers can still evade checks long enough to reach potential victims.
Google had not published a campaign-specific response in the sources reviewed at the time of writing. Zscaler’s report says the observed ad links consistently originated from Google but does not state how many users clicked them or became infected.
How Mac users can avoid MacSync Stealer
The safest response is to avoid Terminal commands supplied through advertisements, shared conversations, comments, pop-ups, or unfamiliar websites. Terminal commands can download and execute software with the same permissions as the user, even when the visible instruction looks like a normal installation step.
- Download Claude only by following the official Claude installation guide.
- Do not trust a search result only because it appears as a sponsored listing.
- Never paste an encoded or unexplained command into Terminal.
- Check the advertiser, destination, and official vendor website before downloading software.
- Do not enter a Mac password into an unexpected prompt.
- Review Full Disk Access permissions in macOS Privacy & Security settings.
- Change exposed passwords and revoke active sessions if you ran a suspicious command.
- Rotate SSH keys, cloud credentials, and cryptocurrency wallet secrets when exposure is possible.
Users can also report suspicious sponsored listings that violate the Google Ads malware rules. Organizations should consider blocking newly registered domains, monitoring shell activity, and alerting when Terminal launches scripts downloaded from the internet.
FAQ
MacSync Stealer is information-stealing malware for macOS. It can collect passwords, browser data, Keychain files, developer credentials, cryptocurrency wallet information, Telegram files, and personal documents.
No evidence indicates that Claude or Anthropic was compromised. Attackers created shared Claude conversations containing malicious instructions and used the legitimate sharing feature to make those instructions appear trustworthy.
The Google ads directed users to shared Claude chats that instructed them to paste an encoded command into Terminal. Running the command downloaded and executed multiple stages of MacSync Stealer.
The reported infection chain required the victim to copy and run a command in Terminal. Simply opening the shared conversation was not described as enough to install the malware.
It targets macOS Keychain files, browser cookies and logins, password-manager extensions, SSH keys, AWS credentials, Kubernetes configurations, cryptocurrency wallets, Telegram data, and selected documents.
Disconnect the Mac from the network, preserve the command for investigation, scan the device, review shell configuration files and Full Disk Access permissions, and change sensitive credentials from a clean device. Developers should rotate SSH, cloud, and Kubernetes credentials, while cryptocurrency users should move funds to a new secure wallet if wallet secrets may have been exposed.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages