Fake Claude Search Results Deploy ClickFix Attack Against Mac Users
Mac users are being targeted through fake search engine results that impersonate Anthropic's Claude AI assistant, Malwarebytes researchers warned. The campaign employs the ClickFix social engineering technique, instructing victims to open Terminal and paste a base64‑encoded command — a delivery method increasingly favored by threat actors operating in the macOS ecosystem.
The attack unfolds when users searching for a Claude download land on a counterfeit website that mimics the legitimate interface. Rather than providing an authentic installer, the page displays instructions to open Terminal and execute a command that decodes and runs malicious code directly on the system. This approach bypasses traditional malware delivery by turning the victim into the execution mechanism, exploiting trust in command-line workflows that power users and developers commonly rely on. The base64 encoding serves to obscure the payload from basic inspection, making casual review of the command ineffective at identifying the threat.
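The following is an added example, not code from Malwarebytes or the original article: a triage check for the command shape described above. It flags command lines that decode base64 and hand the result to a shell, and decodes the embedded blob for review without running it. The regexes, function name and sample lines are constructed for illustration.

```python
import base64
import re

# Decode step: `base64 -d`, `-D` (the older macOS flag) or `--decode`.
DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
# Execution sink: piped into a shell, wrapped in eval, or passed to `sh -c`.
EXEC = re.compile(r"\|\s*(?:/bin/)?(?:sh|bash|zsh)\b|\beval\b|\b(?:sh|bash|zsh)\s+-c\b")
# Candidate encoded blob: a long run of base64 alphabet characters.
BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def inspect_command(cmd):
    """Return (suspicious, decoded_blobs) for one command line; runs nothing."""
    suspicious = bool(DECODE.search(cmd) and EXEC.search(cmd))
    decoded = []
    for blob in BLOB.findall(cmd):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # wrong padding: not actually base64
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return suspicious, decoded


# Constructed sample input: the encoded text is a harmless echo.
_B64 = base64.b64encode(b"echo constructed-sample-payload").decode()
SAMPLES = [
    f"echo {_B64} | base64 -D | bash",
    f'eval "$(echo {_B64} | base64 --decode)"',
    "base64 -D -i report.b64 -o report.pdf",
    "cat notes.txt | grep -i claude",
]

if __name__ == "__main__":
    for line in SAMPLES:
        flagged, blobs = inspect_command(line)
        print("FLAG" if flagged else "ok  ", line[:60], blobs)
```

A flag here is a triage lead rather than a verdict; the decoded text is what an analyst reads to decide.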
Security analysts note that ClickFix tactics have primarily targeted Windows environments, making this macOS campaign a notable shift in attacker strategy. The emergence of fake Claude search results signals that threat actors are expanding their social engineering repertoire to capitalise on growing demand for AI tools across platforms. macOS users, historically considered lower-risk due to smaller market share, face escalating pressure as attackers recognise the ecosystem's relative underinvestment in security tooling and user awareness. Organisations running Apple infrastructure should treat AI tool searches as a high-risk vector until search result verification processes improve and endpoint detection expands to cover these novel delivery chains.