{"id":53689,"date":"2026-05-12T13:49:50","date_gmt":"2026-05-12T13:49:50","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=53689"},"modified":"2026-05-12T13:49:50","modified_gmt":"2026-05-12T13:49:50","slug":"fake-claude-search-results-lure-mac-users-into-clickfix-attack","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=53689","title":{"rendered":"Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-12T18:05:08&#8243;,&#8221;description&#8221;:&#8221;Researchers found that cybercriminals are using sponsored search results and shared Claude chats to lure victims into a typical ClickFix attack to install malware on macOS devices.\\n\\nClickFix is a social engineering method that tricks users into infecting their own device with malware. Users are instructed to run specific commands that will download malware, usually an infostealer.\\n\\nThe researchers found that when users search for terms like \u201cClaude Mac download,\u201d they may see sponsored Google results that appear to go to the legitimate claude.ai domain.\\n\\nIn reality, the ads resolve to real Claude shared chats, set up to look like official \u201cClaude Code on Mac\u201d or Apple Support guides. Independent research by BleepingComputer found another chat serving the same purpose. The chat instructs victims to open Terminal and paste a base64\u2011encoded command, which pulls a loader shell script from attacker\u2011controlled infrastructure and runs it in memory.\\n\\nThe script then profiles the system, pulls down a second-stage payload and runs it through osascript, macOS&#8217;s built-in scripting engine. 
This gives the attacker remote code execution (RCE) without ever dropping a traditional application or binary.\\n\\nThis results in a MacSync\u2011style payload that harvests browser credentials, cookies, Keychain contents, and crypto wallet data, bundles it, and sends all that information over HTTP to attacker servers.\\n\\n## How to stay safe\\n\\nUsers running macOS Tahoe 26.4 and later will see warnings about possible ClickFix attacks, but other users still have to rely on common sense.\\n\\nWith ClickFix running rampant and inventing new methods all the time, it\u2019s important to stay aware, cautious, and protected.\\n\\n  * **Slow down.** Don\u2019t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy and paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.\\n  * **Avoid running commands or scripts from untrusted sources.** Never run code or commands copied from websites, emails, or messages unless you trust the source and understand what the action does. \\n  * **Verify instructions independently.** If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.\\n  * **Limit copy and paste for commands.** Manually typing commands instead of copy and paste can reduce the risk of unknowingly running malicious payloads hidden in copied text.\\n  * **Secure your devices.** Use an up-to-date, real-time anti-malware solution with web protection. Malwarebytes blocks connections to unsafe sites like these.   
\\n![Malwarebytes blocks one of the domains still active](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/05\/bocked_by_MWAC.png)\\n  * **Educate yourself on evolving attack techniques.** Understanding that attacks may come from unexpected places helps maintain vigilance. Keep reading our blog!\\n  * **Stay away from sponsored ads in search results.** Anyone can buy them and make them look legitimate.\\n\\n\\n\\n**Pro tip:** The free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard.&#8221;,&#8221;published&#8221;:&#8221;2026-05-12T15:46:55&#8243;,&#8221;modified&#8221;:&#8221;2026-05-12T15:46:55&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;Fake Claude search results lure Mac users into ClickFix 
attack&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/news\/2026\/05\/fake-claude-search-results-lure-mac-users-into-clickfix-attack&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&
#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-12T18:05:08&#8243;,&#8221;description&#8221;:&#8221;Researchers found that cybercriminals are using sponsored search results and shared Claude chats to lure victims into a typical ClickFix attack to install malware on&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-53689","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=53689\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-05-12T18:05:08&#8243;,&#8221;description&#8221;:&#8221;Researchers found that cybercriminals are using sponsored search results and shared Claude chats to lure victims into a typical ClickFix attack to install malware on...\" \/>\n<meta 
property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=53689\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-12T13:49:50+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53689#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53689\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB\",\"datePublished\":\"2026-05-12T13:49:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53689\"},\"wordCount\":687,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=53689#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53689\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53689\",\"name\":\"Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-12T13:49:50+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53689#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=53689\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53689#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=53689","og_locale":"en_US","og_type":"article","og_title":"Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-05-12T18:05:08&#8243;,&#8221;description&#8221;:&#8221;Researchers found that cybercriminals are using sponsored search results and shared Claude chats to lure victims into a typical ClickFix attack to install malware on...","og_url":"https:\/\/zero.redgem.net\/?p=53689","og_site_name":"zero redgem","article_published_time":"2026-05-12T13:49:50+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=53689#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=53689"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB","datePublished":"2026-05-12T13:49:50+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=53689"},"wordCount":687,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=53689#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=53689","url":"https:\/\/zero.redgem.net\/?p=53689","name":"Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-12T13:49:50+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=53689#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=53689"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=53689#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Fake Claude search results lure Mac users into ClickFix attack_MALWAREBYTES:4A75C7E75226E5CC7526911F535E64FB"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/53689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=53689"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/53689\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=53689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=53689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=53689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}