'This marks a sophisticated evolution': Experts warn Claude feature was hijacked by hackers to launch major malware campaign

Trend Micro discovered that criminals were abusing Claude’s Shared Chats feature to spread information stealers through ClickFix and malvertising.
Fake Apple support chats on claude.ai, promoted via Google Ads, tricked macOS developers into pasting malicious commands
Anthropic banned the accounts and disabled malicious conversations, promising more abuse mitigations.

Trend Micro security researchers have detected that criminals are abusing a legitimate Claude AI feature to trick software developers into downloading malware. The campaign also includes malvertising as well as the proven ClickFix method.

The goal of the campaign is to infect software developers, primarily those who create artificial intelligence tools in the macOS environment, with information thieves.

Apparently, targets in Russian-speaking countries are spared, while the majority of victims are in Taiwan (30% of all trafficking). This country is followed by Japan, Singapore and the United States.

Banned fraudulent accounts

At the center of the attack is a feature called “Shared Claude Chats,” which allows users to create clickable links from previous conversations they have had with the AI. These chats can then be shared with other people via a public URL. The criminals created conversations that displayed fake Apple support instructing the user how to install Claude Code (a command-line coding assistant).

However, the instructions are nothing more than the standard ClickFix scam: they tell the user to open Terminal and paste a command, which sets off a chain reaction that results in an information-stealing infection.

The second step is to advertise these URLs to the appropriate target audience, which was done through Google Ads. The bad actors were able to purchase ads on the Google network and set them up so that anyone searching for “Claude Code on Mac” (or similar keywords) would be shown these URLs as the first result.

Since the sites are hosted on the claude.ai domain, there was nothing apparently suspicious about the links.

Trend Micro is not the first company to warn about this campaign. In mid-May of this year, security researcher Berk Albayrak posted a new warning on LinkedIn, detailing a nearly identical campaign. Same approach, same objectives and, most importantly, same exclusions.

Investigators say Anthropic investigated and banned the responsible accounts and disabled malicious conversation sharing. The AI company is reportedly “implementing additional abuse mitigations.”