Google AD for Claude leads to MacOS Malware Infection
*Warning: Some parts of the analysis below contain malicious links; do not visit them.
Searching for Claude Code in google provides a top result under the name “Install Claude Desktop – Terminal-Native AI Agent”

The Ad is attributed to the following:

The Advertiser appears to be under the name “Vig Viktoria Anita” in Spain and is funded by the business name “Black Lines Tattoo Studio”
What most likely happened here is that this legitimate vendor fell victim to a credential theft attack which compromised their Google Ads login. The attacker logged into the victim’s account and then locked them out and proceeded to create phishing campaigns under the name of the legitimate vendor. So, what we see is “Black Lines Tattoo Studio” creating malicious Ads whereas it is actually being created by the attacker.
Upon clicking on the Ad displayed in the Google search results, the user will be presented with this page:

Looking carefully at the link in the browser, this page is not actually from Claude’s legitimate download website, but rather a cloned page mimicking Claude’s download page.
When the user proceeds to click the “Download for macOS” button, they are presented with the following pop-up with instructions:

This pop-up is actually a kind of social engineering attack referred to as a “Click fix attack”. During a Click fix attack, the attacker tricks the user into copying and running malicious code on the user’s computer.
This Click Fix attack instructs the user to open a Terminal on the computer and copy and paste a few lines of code.
Below is the code:

The first part of the code just writes to the terminal “Downloading Claude: https://claude.ai/install.sh” which tricks the user into thinking something is being downloaded from the actual Claude website.
The next line is a silent curl command (Silent curl commands suppress progress meter) followed by an obfuscated shell command (The obfuscated command begins with “aHR0cHM...”) The obfuscated command is in base64, when decoded, the result is as below:

The domain above is listed under the threat category of Malware within the Cisco Talos Domain reputation lookup database.

This domain is registered under the name “Jack Tucker” in Seychelles. This actor’s email address is associated with the domain “--marshier.-com” which is a disposable email domain, used to create short-lived email addresses for anonymous registrations. The name is most likely a cover for the actual threat actor.
Seychelles is known for its corporate privacy and confidentiality offerings. The threat actor might have used an offshore domain hosting provider located in Seychelles to conceal their true identity.
Once the command is run, the malware downloads to the device and prompts the user for credentials:

The malware then asks for access to finder:

And then the malware asks for access to files and folders on the computer

Below is a Wireshark capture of the network traffic:

The traffic capture shows communication with the previously mentioned domain “suzke” as well as two other domains “dedelk” and “rapid-craft567”.
Dedelk is also classified as a malware in the Cisco Talos database.

There is no Registrant information, but the Registrar is under the name “CNOBIN INFORMATION TECHNOLOGY LIMITED” with a contact number with a country code of 852, which belongs to Hong Kong.
The second domain “rapid-craft567” is not classified as malware and is listed as Neutral in the Cisco Talos database.

However, the domain Registrar is also under the name “CNOBIN INFORMATION TECHNOLOGY LIMITED”
We can conclude that this malware could be classified as an infostealer tied to China. The data does not give clear evidence as to which particular threat group.
References:
Malware-Traffic-Analysis.net - 2026-05-11: Google ad for Claude leads to macOS malware infection