- Trend Micro found criminals abusing Claude’s “Shared Chats” feature to spread info stealers via ClickFix and malvertising
- Fake Apple Support chats on claude.ai, promoted through Google Ads, tricked macOS developers into inserting malicious commands
- Anthropic banned accounts and disabled malicious conversations and promised further abuse mitigation
Security researchers Trend Micro have discovered criminals abusing a legitimate feature in Claude AI to trick software developers into downloading malware. The campaign also includes malvertising, as well as the proven ClickFix method.
The goal of the campaign is to infect software developers – primarily those who build AI tools on the macOS environment – with infostealers.
Targets from Russian-speaking countries are spared, it seems, while the majority of victims are located in Taiwan (30% of all traffic). This country is followed by Japan, Singapore and the United States.
Scam accounts prohibited
At the heart of the attack is a feature called “Shared Claude Chats,” which allows users to create clickable links to previous conversations they’ve had with the AI. These chats can then be shared with other people via a public URL. Crooks created chats showing fake Apple support instructing the user how to install Claude Code (a command line coding assistant).
However, the instructions are nothing more than standard ClickFix scams – they tell the user to download the Terminal and enter a command which triggers a chain reaction resulting in an infostealer infection.
The second step is to advertise these URLs to the right target audience, which was done via Google Ads. The criminals were able to buy ads on Google’s network and set them up so that anyone searching for “Claude Code on Mac” (or similar keywords) would see those URLs as the first result.
Since the pages are hosted on the claude.ai domain, there was nothing apparently suspicious about the links.
Trend Micro is not the first company to warn about this campaign. In mid-May of this year, security researcher Berk Albayrak posted a new warning on LinkedIn that describes an almost identical campaign. Same approach, same goal and most importantly – same exclusions.
The researchers say Anthropic investigated and banned the responsible accounts and disabled the malicious shared conversations. The AI company is “implementing additional abuse mitigation”.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
