Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign
Cybercriminals hijacked Google Ads searches for AI developer tools, redirecting over 2,000 victims to fake download pages via claude.ai shared chat links.

Cybercriminals hijacked Google Ads searches for popular AI developer tools to funnel over 2,000 victims toward malicious download pages before quietly moving their operation onto claude.ai's own platform, turning the trusted domain into a delivery mechanism for credential-stealing malware.
The campaign, detailed by Trend Micro researchers, began with malvertising: threat actors purchased Google Ads targeting developers searching for tools like Cursor, Windsurf, and Lovable. When users clicked these ads, they were redirected through a chain of intermediary domains to fake download pages mimicking the legitimate software sites. These pages hosted information-stealing malware designed to harvest credentials, session tokens, and other sensitive data.
What sets this campaign apart is the attackers' pivot to abusing claude.ai's shared chat feature. After the initial malvertising phase, the threat actors began hosting malicious redirects within shared chat links on Anthropic's Claude platform. Because claude.ai is a widely trusted domain, these links bypassed many security filters and URL scanners that would typically flag suspicious destinations. Victims who clicked the shared chat links were redirected to the same fake download pages, extending the campaign's reach and stealth.
The abuse of legitimate AI platforms for malware delivery marks a significant evolution in social engineering tactics. By leveraging claude.ai's reputation, the attackers effectively weaponized trust in a popular AI service. Trend Micro reported that over 2,000 victims were redirected during the campaign, with the malware primarily targeting credentials for developer tools, cloud services, and corporate accounts.
This incident is part of a broader trend of threat actors exploiting AI brand recognition and platform features. Similar campaigns have abused ChatGPT branding in phishing lures and SEO poisoning attacks. The use of claude.ai's shared chat feature specifically represents a novel vector, as it allows attackers to host malicious content on a domain that security tools are unlikely to block.
Mitigation recommendations include implementing strict ad-blocking policies, using URL reputation services that can detect redirect chains, and training developers to verify download sources directly from official vendor sites rather than through search ads or shared links. Organizations should also monitor for unusual outbound traffic to claude.ai shared chat URLs followed by connections to unknown domains.
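The last recommendation above, watching for a claude.ai shared-chat fetch followed shortly by a connection to an unfamiliar domain, can be turned into a simple log correlation. The following Python is an added example written for this page, not code from Trend Micro or from the article; the proxy log format, the client addresses, the `.invalid` hostnames, the `/share/` path convention and the `KNOWN_DOMAINS` allowlist are all constructed assumptions.

```python
"""
Added example (not from the Trend Micro report or the article): a small
proxy-log correlation that flags a client which fetched a claude.ai shared-chat
URL and, within a short window, connected to a domain outside a known-good
list. Log format, field layout, hostnames and the allowlist are constructed
assumptions for the example.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines: "<ISO timestamp> <client IP> <URL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 https://claude.ai/share/abc123-example
2024-05-01T10:00:03Z 10.0.0.5 https://dl-cursor-example.invalid/setup.exe
2024-05-01T10:05:00Z 10.0.0.7 https://claude.ai/share/def456-example
2024-05-01T10:05:02Z 10.0.0.7 https://github.com/some/repo
2024-05-01T11:00:00Z 10.0.0.9 https://cursor.com/download
2024-05-01T11:00:01Z 10.0.0.9 https://cdn.example-unknown.invalid/bundle
"""

# Hypothetical allowlist of destinations the organisation already expects.
KNOWN_DOMAINS = {"claude.ai", "github.com", "cursor.com", "windsurf.com", "lovable.dev"}

WINDOW = timedelta(seconds=30)  # how long after the share link we keep watching


def is_shared_chat_url(url: str) -> bool:
    """True for claude.ai shared-chat links (assumed to live under /share/)."""
    p = urlparse(url)
    return p.hostname == "claude.ai" and p.path.startswith("/share/")


def parse_log(text: str):
    """Yield (timestamp, client, url) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split(maxsplit=2)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url


def find_suspicious_sequences(text: str, known=KNOWN_DOMAINS, window=WINDOW):
    """Return (client, share_url, unknown_url) for every unknown destination a
    client contacted within `window` after fetching a claude.ai share link."""
    events = sorted(parse_log(text))
    last_share = {}  # client -> (timestamp, share_url) of most recent share fetch
    hits = []
    for ts, client, url in events:
        if is_shared_chat_url(url):
            last_share[client] = (ts, url)
            continue
        host = urlparse(url).hostname or ""
        # Reduce to the registrable part so cdn.example.com matches example.com
        base = ".".join(host.split(".")[-2:])
        if client in last_share:
            share_ts, share_url = last_share[client]
            if ts - share_ts <= window and base not in known:
                hits.append((client, share_url, url))
    return hits


if __name__ == "__main__":
    for client, share, dest in find_suspicious_sequences(SAMPLE_LOG):
        print(f"{client}: {share} -> {dest}")
```

On the constructed log, only client 10.0.0.5 is flagged: it fetched a share link and two seconds later reached an unknown download host. Client 10.0.0.7 followed its share link with an allowlisted destination, and 10.0.0.9 contacted an unknown host without any preceding share-link fetch, so neither produces an alert. In production the allowlist would come from the organisation's own traffic baseline, and the two-label domain reduction is a simplification that does not handle multi-label public suffixes.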
The campaign underscores the dual-use risk of AI platforms: while they enable productivity and collaboration, their trusted status can be exploited for sophisticated social engineering. As AI tools become more integrated into developer workflows, security teams must adapt defenses to account for abuse of these legitimate services.