Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign

TrendAI™ Research monitoring found weekly campaigns since April 8, with each week introducing new pages, keywords, and geographic targets.
Wave 1: initial wave (April 8–13)
753 traffic hits and 18 hostnames
The campaign launched with claude-code-app.gitlab[.]io as the primary lure (486 traffic counts), supported by claudeapp.gitlab[.]io. Mac utility-themed lures (mac-clean-storage.gitlab[.]io, mac-guide-tool.gitlab[.]io) were deployed at the same time, suggesting the same actor operated parallel campaigns.

A single Google Ads campaign ID (23736589328) drove the majority of the traffic, heavily targeting Taiwan (194 traffic counts), Malaysia (36), and Japan (34). This wave achieved the highest daily peak of the entire campaign at 192 traffic counts on April 10.

Wave 2: diversification (April 14–21)

246 traffic hits and 23 hostnames

In Wave 2, new Claude-themed variants appeared under the gitlab[.]io domain (claude-tool-app, claud-desktop-app, claudesktop, claude-desktop-apps) alongside expanded Mac utility lures (macsupp-group, macsupp-usb, jetbrains-apps-group). The introduction of “jetbrains” as a lure theme indicates deliberate targeting of professional software developers.

Wave 3: peak infrastructure (April 22–28)

652 traffic hits and 28 hostnames

This wave introduced perplexity-platform.gitlab[.]io (33 traffic counts) and chatgpt-codex.gitlab[.]io (12 traffic counts), expanding brand impersonation beyond Claude to other AI platforms. The domains claude-desktop-lm.gitlab[.]io (203 traffic counts) and cladesktop.gitlab[.]io (135 traffic counts) also appeared and drew far more traffic, suggesting that Claude-related keywords attract more searches than Perplexity- or ChatGPT-related ones.

Wave 4: ChatGPT and Codex pivot (April 29–May 5)

248 traffic hits and 26 hostnames

The operators pivoted significantly toward ChatGPT and Codex branding with codexgpt.gitlab[.]io (43 traffic counts), chatgpt-codex-app.gitlab[.]io (23 traffic counts), and chatgpt-codex-lm.gitlab[.]io (20 traffic counts).

Meanwhile, the Claude-themed attacks continued with claudecode-desktop.gitlab[.]io (112 traffic counts) and claudecode-download.gitlab[.]io (19 traffic counts).

Wave 5: claude.ai platform abuse (May 6–14)

294 traffic hits; shifted to claude.ai

In this wave, the campaign moved from self-hosted GitLab Pages to abusing claude.ai’s legitimate shared chat feature. The attackers created weaponized “shared chats” on claude.ai (at least 45 unique share IDs observed) and ran Google Ads pointing directly to these URLs. The majority of the traffic in this wave was attributed to claude.ai’s shared chat feature (289 traffic hits).

This represents a significant escalation: victims now landed on claude.ai itself—a fully legitimate, trusted domain—making the attack virtually indistinguishable from genuine content.

The geographic targeting broadened in this wave, with victims who fell for the social engineering campaign coming from Singapore (43), Taiwan (35), India (23), Italy (21), and France (20).

Wave 6: The complete shift to claude.ai’s shared chat feature (May 21–June 14)

337 traffic hits; all observed activity occurred within claude.ai shared chat feature

In this wave, the campaign relied entirely on claude.ai’s legitimate shared chat feature. At least 61 unique share IDs and 33 new Google campaign IDs were discovered in this wave.

This shift is particularly dangerous because the traditional defensive signals collapse: there is no suspicious domain to flag, no typographical errors for filters to catch, and no low-reputation host for security tools to block. The lure now lives on the same trusted infrastructure as the legitimate product, leaving defenders with no automated control to fall back on; end-user vigilance becomes the last, and often least reliable, barrier.
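As an added, defender-side example (not code from the article or from TrendAI Research), the following Python triage script applies the two lure patterns the waves above describe to constructed proxy-log lines. For waves 1 to 4 it matches the GitLab Pages hostnames the article lists and flags unlisted gitlab.io subdomains carrying an AI-brand fragment; for waves 5 and 6 it surfaces visits to claude.ai shared-chat URLs that arrived through an ad click. The share URL shape (/share/<id>), the gclid query parameter as the ad-click marker, the gitlab.io suffix for the wave 2 labels, the log line format, and every sample host, share ID and timestamp are assumptions or constructed samples, not data from the article.

```python
"""Triage proxy-log URLs against the lure patterns described in the article."""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Lure hostnames taken from the article (written defanged there as gitlab[.]io).
KNOWN_LURE_HOSTS = {
    "claude-code-app.gitlab.io", "claudeapp.gitlab.io",
    "mac-clean-storage.gitlab.io", "mac-guide-tool.gitlab.io",
    "perplexity-platform.gitlab.io", "chatgpt-codex.gitlab.io",
    "claude-desktop-lm.gitlab.io", "cladesktop.gitlab.io",
    "codexgpt.gitlab.io", "chatgpt-codex-app.gitlab.io",
    "chatgpt-codex-lm.gitlab.io", "claudecode-desktop.gitlab.io",
    "claudecode-download.gitlab.io",
}
# Wave 2 variants are given in the article as subdomain labels only; the
# gitlab.io suffix is added here on the assumption they follow the same pattern.
for _label in ("claude-tool-app", "claud-desktop-app", "claudesktop",
               "claude-desktop-apps", "macsupp-group", "macsupp-usb",
               "jetbrains-apps-group"):
    KNOWN_LURE_HOSTS.add(f"{_label}.gitlab.io")

# Brand fragments the lures reuse; a GitLab Pages host containing one of these
# deserves a look even before it reaches the IoC list.
BRAND_TOKENS = ("claud", "chatgpt", "codex", "perplexity", "jetbrains", "macsupp")
GITLAB_PAGES_RE = re.compile(r"^[a-z0-9-]+\.gitlab\.io$")
# Assumed shape of a claude.ai shared-chat URL: /share/<id>.
SHARE_PATH_RE = re.compile(r"^/share/([A-Za-z0-9-]+)")


def classify(url, referrer=""):
    """Return (category, detail) for one request."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in KNOWN_LURE_HOSTS:
        return "known_lure_host", host
    if GITLAB_PAGES_RE.match(host) and any(tok in host for tok in BRAND_TOKENS):
        return "suspect_brand_impersonation", host
    if host == "claude.ai":
        m = SHARE_PATH_RE.match(parsed.path)
        if m:
            # gclid is Google Ads' click identifier; it or a Google referrer
            # marks the ad-driven path the campaign uses. Assumption: the proxy
            # keeps query strings and referrers.
            from_ads = "gclid" in parse_qs(parsed.query) or "google." in referrer
            return ("claude_share_via_ads" if from_ads else "claude_share"), m.group(1)
    return "benign", host


# Assumed log format: "timestamp src_ip url referrer" ("-" for no referrer).
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<url>\S+) (?P<ref>\S+)$")


def scan_log(lines):
    """Parse the log lines and keep only the non-benign requests."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        ref = "" if m["ref"] == "-" else m["ref"]
        cat, detail = classify(m["url"], ref)
        if cat != "benign":
            hits.append((m["ts"], m["src"], cat, detail))
    return hits


def summarize(hits):
    """Count hits per (category, detail), like the per-host counts in the report."""
    return Counter((cat, detail) for _, _, cat, detail in hits)


# Constructed sample log lines (not real telemetry); claude-app-dl is an
# invented variant to show the heuristic catching an unlisted host.
SAMPLE_LOG = [
    "2026-04-10T09:01:02Z 10.0.0.5 https://claude-code-app.gitlab.io/ https://www.google.com/",
    "2026-04-10T09:02:11Z 10.0.0.5 https://claude-code-app.gitlab.io/install.html -",
    "2026-04-25T14:10:00Z 10.0.0.9 https://claude-app-dl.gitlab.io/ https://www.google.com/",
    "2026-05-08T08:30:44Z 10.0.0.7 https://claude.ai/share/0000aaaa-example?gclid=EXAMPLE https://www.google.com/",
    "2026-05-08T08:31:10Z 10.0.0.8 https://claude.ai/share/1111bbbb-example -",
    "2026-05-08T08:32:00Z 10.0.0.8 https://docs.gitlab.com/ee/user/project/pages/ -",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print(summarize(scan_log(SAMPLE_LOG)))
```

Running the script prints five non-benign hits and a per-host count. The share-URL rule is not a block decision: legitimate share links exist, so the gclid or Google-referrer condition is what narrows alerts to the ad-driven path the campaign uses, and the output belongs in an analyst queue rather than an automatic deny.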
