Hackers Abuse Claude.ai Shared Chat for Feature Host

Trusted artificial intelligence (AI) platforms are increasingly becoming a vector for sophisticated social engineering attacks. Hackers, for instance, recently abused Claude.ai’s shared chat feature to host malicious ClickFix instructions in a new campaign.

According to TrendAI Research, attackers deployed 106 unique malicious hostnames across six campaign waves within seven weeks, continuously rotating infrastructure and testing different AI-themed lures to maximize effectiveness.

The operation marks a significant evolution in ClickFix tactics, shifting from traditional malicious hosting to trusted platforms like Claude.ai.

The campaign initially relied on GitLab Pages, using over 90 malicious subdomains hosted under the trusted *. gitlab.io domain.

These pages impersonated popular AI developer tools, including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains.

By leveraging Google Ads, threat actors targeted users actively searching for these tools, increasing the likelihood of interaction from technically skilled individuals.

ClickFix attacks rely on tricking users into manually executing malicious commands. In this campaign, victims were instructed to copy and paste terminal or PowerShell commands under the pretense of installing or fixing software.

Claude Shared Chats Abused for ClickFix Attacks

This technique bypasses many traditional security controls because the user unknowingly executes the payload. The campaign escalated significantly in May 2026, when attackers pivoted to abusing Claude.ai’s shared chat feature.

Instead of directing victims to suspicious domains, malicious ads redirected users to legitimate Claude.ai shared chat URLs. These pages appeared trustworthy, effectively bypassing browser warnings, URL inspection, and Safe Browsing protections.

Once on the page, victims encountered fake support conversations impersonating entities such as Apple Support or development teams.

These chats provided step-by-step instructions for opening a terminal and executing a command. The command typically included a base64-encoded script that, once decoded, fetched a second-stage payload.

Analysis revealed that the payload delivered the MacSync infostealer, which targets macOS systems. The malware collects browser credentials, cookies, SSH keys, and cryptocurrency wallet data, then exfiltrates them to attacker-controlled servers.

Notably, the malware includes a check for Russian keyboard layouts, likely to avoid infecting systems in CIS regions.

The campaign’s geographic targeting was heavily concentrated in the Asia-Pacific region, which accounted for over 67 percent of victims.

Taiwan alone represented more than 30 percent of observed traffic, followed by Japan and Singapore. Later waves expanded targeting to countries including India, France, and Italy, indicating ongoing optimization of ad targeting strategies.

TrendAI researchers observed at least 45 malicious Claude.ai shared chat instances in early stages, increasing to over 60 in later waves.

This shift to trusted infrastructure removes many traditional detection signals, leaving user awareness as the primary defense.

Following responsible disclosure, Anthropic took action by banning the malicious accounts, removing harmful shared chats, and implementing additional safeguards to prevent abuse of the feature.

Security experts warn that this campaign highlights a broader trend where attackers weaponize legitimate platforms to evade detection. As AI tools become more embedded in developer workflows, such abuse is expected to increase.

Organizations are advised to educate users about ClickFix-style attacks, monitor unusual command execution, and deploy endpoint detection solutions.

Users should avoid installing software via search ads, verify URLs carefully, and never execute commands from untrusted sources.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.