216.73.216.204

Shared Claude Chats Meet ClickFix

· Published 15/07/2026 18:14

Export JSON

Essential information

Published
15/07/2026 18:14
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
claude platform abuse clickfix credential stealing cryptocurrency theft macos targeting macsync stealer malvertising shared chat abuse
Related entities
200 indicators, 200 observables, 18 techniques (mitre), 1 malware

Description

A campaign has been identified that abuses Anthropic's Claude platform through shareable chat links to distribute targeting macOS users. Attackers utilized with paid Google ads to direct victims searching for Claude-related terms to malicious shared Claude chats falsely labeled as 'Apple Support.' These chats contained obfuscated installation commands that, when executed, deployed a multi-stage infection chain. The malware steals credentials from browsers and password managers, cryptocurrency wallet data, sensitive files, and system information. The campaign ran from June 12-19, 2026, targeting primarily Mac users with Russian-language comments in the code suggesting Russian-speaking threat actors. Domains used adopted themes related to U.S. local services to appear legitimate.

External references