
Information security specialists have uncovered a novel technique for compromising devices running macOS. Cybercriminals are placing deceptive advertisements in Google search results that imitate links to Claude.ai, the official website of the popular chatbot. Instead of reaching the expected chatbot interface, visitors are directed to a page displaying a pre-scripted conversation. This dialogue is framed as coming from Apple support and instructs the user on installing the Claude Code application on their Mac.
As part of these directions, the user is prompted to open the “Terminal” application and execute a specific command. Carrying out this action results in the download of malware onto the computer, classified as a data stealer known as MacSync, according to a report by Ferra.ru.
This malicious software is engineered to steal sensitive data, including login credentials, stored session cookies, and the contents of the macOS keychain. All exfiltrated information is subsequently transmitted to remote servers under the control of the attackers.
The research team identified two distinct fake conversations hosted on the Claude.ai platform. Each of these featured download links pointing to different variants of the malware. Notably, both of these malicious sites were freely accessible to the general public.