Shared Claude Chats Meet ClickFix
Essential information
- Published
- 15/07/2026 18:14
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- claude platform abuse clickfix credential stealing cryptocurrency theft macos targeting macsync stealer malvertising shared chat abuse
- Related entities
- 200 indicators, 200 observables, 18 techniques (mitre), 1 malware
Description
A ClickFix campaign has been identified that abuses Anthropic's Claude platform through shareable chat links to distribute MacSync Stealer targeting macOS users. Attackers utilized malvertising with paid Google ads to direct victims searching for Claude-related terms to malicious shared Claude chats falsely labeled as 'Apple Support.' These chats contained obfuscated installation commands that, when executed, deployed a multi-stage infection chain. The malware steals credentials from browsers and password managers, cryptocurrency wallet data, sensitive files, and system information. The campaign ran from June 12-19, 2026, targeting primarily Mac users with Russian-language comments in the code suggesting Russian-speaking threat actors. Domains used adopted themes related to U.S. local services to appear legitimate.