Fake AI Agent Downloads Spread Mac Infostealers via Google Ads and Claude Chats
Attackers are targeting macOS users with fake AI tool downloads promoted through Google Ads and public Claude.ai shared chats. Victims searching for terms such as “Claude mac download” are shown sponsored results that appear to reference the legitimate claude.ai domain, but the links redirect to shared chats containing bogus installation instructions. The lures present themselves as official guidance for running Claude-related tools on Mac, sometimes even masquerading as Apple Support content, and tell users to paste commands into Terminal that instead fetch and execute malware.
Researchers said the campaign is active and uses rotating malicious chat pages and infrastructure to evade disruption. Observed payloads include Mac-focused infostealers with behavior consistent with AMOS and Amatera/MacSync-style theft, including collection of browser credentials, cookies, and Keychain data. The activity reflects a broader trend of threat actors disguising malware as AI agents and developer tools to exploit demand for generative AI software on macOS systems.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Push Security identifies LLMShare campaign abusing ChatGPT share links
Push Security identified a malware campaign dubbed LLMShare that used sponsored Google ads and legitimate ChatGPT share links on OpenAI domains to funnel users to a fake download site at openew[.]app. The campaign delivered infostealer malware to Windows and macOS users, including Odyssey Stealer on macOS, while using trusted domains and anti-analysis checks to evade detection.
SANS analyzes fake Claude page linked to possible ACR Stealer infection
SANS ISC documented a fake Claude download page discovered via malicious Google ads that tailored infection instructions by operating system and, in the analyzed case, delivered a Windows infection chain. The activity was observed on 2026-05-25 and involved fairpoint29.com, a ZIP from primemetricsa.com, a PowerShell script from a creativecommunityinfo.art subdomain, and post-infection traffic suggesting ACR Stealer.
Researcher identifies Google Ads and Claude chat malware campaign targeting Mac users
Security researcher Berk Albayrak identified an active campaign in which attackers used sponsored Google search results and public Claude.ai shared chats to trick Mac users into pasting malicious Terminal commands. The commands downloaded malware with MacSync-style infostealer behavior, including theft of browser credentials, cookies, and Keychain data.
Kaspersky reports AMOS and Amatera disguised as AI agents
Kaspersky published research on infostealers including Atomic macOS Stealer (AMOS) and Amatera being distributed under the guise of AI-related tools or agents, documenting the broader malware trend targeting users seeking AI software.
Pillar documents fake Claude Code pages delivering Amatera stealer
Pillar published research describing fake Claude Code pages used to distribute the Amatera infostealer to macOS users. The report identified a specific lure theme centered on Claude Code, adding technical detail on how Amatera was being delivered.
Sources
9 references tracked.
Weaponized ChatGPT Download Site Delivers Malware Via Sponsored Search Results (cybersecuritynews.com)
Attackers use ChatGPT feature to spread malware (scworld.com)
Attackers Abuse ChatGPT Share Links to Host Fake Outage Pages That Deliver Malware (ghacks.net)
LLMShare: using shared chatbot pages to distribute malware (pushsecurity.com)
Hackers are now using ChatGPT share links to deliver malware (neowin.net)
Possible ACR Stealer From Page Impersonating Claude (isc.sans.edu)
Hackers Abuse Google Ads and Claude.ai Chats to Spread Mac Malware (cysecurity.news)
AMOS and Amatera disguised as AI agents (kaspersky.co.uk)
InstallFix: Fake Claude Code Pages Deliver Amatera Stealer (pillar.security)


