2026-05-11 (MONDAY): GOOGLE AD FOR CLAUDE LEADS TO MACOS MALWARE INFECTION
NOTICE:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
ASSOCIATED FILES:
- 2026-05-11-IOCs-for-macOS-malware-infection.txt.zip 1.9 kB (1,884 bytes)
- 2026-05-11-macOS-malware-infection-traffic.pcap.zip 17.8 MB (17,805,524 bytes)
- 2026-05-11-files-from-macOS-malware-infection.zip 1.3 MB (2,328,112 bytes)
IMAGES

Shown above: Google ad in results from a search for Homebrew.

Shown above: Advertiser from the malicious ad.

Shown above: Page impersonating a site to download Claude.

Shown above: ClickFix-style instructions from the malicious page impersonating a site to download Claude.

Shown above: Command copied from the page and pasted into a terminal window.

Shown above: During the infection, the malware asks for the user's password.

Shown above: The malware also asks for access to Finder.

Shown above: The malware also asks the user for access to various folders.

Shown above: Traffic from the infection filtered in Wireshark.
