Mac users beware — scammers are hijacking Claude chats and Google ads to push malware


  • Crooks abused Claude’s “Shared Chats” feature to plant fake install instructions leading to infostealer infections
  • Fraudulent chats were promoted via Google Ads, showing authentic Claude URLs to trick Mac users
  • Campaign used ClickFix tactics, spoofed “Apple Support,” and avoided targeting Russian‑language systems

Cybercriminals are abusing legitimate Claude and Google Ads services to trick Mac users into installing infostealing malware on their devices, experts have warned.

A new campaign was recently spotted, and disclosed, by security researcher Berk Albayrak on LinkedIn, concerning a feature called “Shared Claude Chats”, which allows users to create clickable links of previous conversations they’ve had with the AI. That way, other people can view those specific chat sessions through a public URL.

According to Albayrak, the hackers have created conversations in which the platform shows instructions on how to install Claude Code (a command-line coding assistant). However, the instructions are nothing but the standard ClickFix scam - they tell the user to bring up the Terminal and paste a command, which triggers a chain reaction resulting in an infostealer infection.


Advertising the scam on Google

The conversation was created by an account named “Apple Support”, likely to increase its legitimacy. Those with a sharper eye, however, could easily spot the trick, since the chat has a disclaimer at the top, warning the content below might be “unverified or unsafe”.

But creating the fraudulent conversation is just half the process - victims must still somehow land there.

That’s where Google Ads come in. The crooks were able to purchase ads on Google’s advertising network, meaning people searching for “Claude Code on Mac” would be served this chat at the very top of the search engine results page. To make matters worse, those who hover over the link or double-check where it leads would see “claude.ai” - the authentic Claude URL.

Albayrak did not say how many people might have been compromised this way, but BleepingComputer found the malware does not work on Russian-language systems, suggesting that the miscreants are actively avoiding targeting Russians.



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
