Tuesday, April 21, 2026
MacNews

Bybit Security Team says it’s uncovered a new macOS malware campaign

Bybit, the world’s second-largest cryptocurrency exchange by trading volume, says its Security Operations Center (SOC) disclosed findings detailing a sophisticated, multi-stage malware campaign targeting macOS users searching for “Claude Code,” an AI-powered development tool from Anthropic.

The report marks one of the first known disclosures by a centralized crypto exchange (CEX) of an active threat campaign targeting developers via AI tool discovery channels. First identified in March, the campaign uses search engine optimization (SEO) poisoning to elevate a malicious domain to the top of Google search results. 

Users are redirected to a spoofed installation page designed to closely resemble legitimate documentation, triggering a two-stage attack chain focused on credential harvesting, crypto asset targeting, and persistent system access. The investigation also revealed social engineering tactics, including fake macOS password prompts used to validate and cache user credentials. In some cases, attackers attempted to replace legitimate crypto wallet applications such as Ledger Live and Trezor Suite with trojanized versions hosted on malicious infrastructure.

The malware targeted a wide range of environments, including Chromium-based browsers, Firefox variants, Safari data, Apple Notes, and local file directories commonly used to store sensitive financial or authentication data.

Bybit identified multiple domains and command-and-control endpoints associated with the campaign, all of which have been defanged for public disclosure. Analysis indicates that attackers relied on intermittent HTTP polling rather than persistent connections, making detection more challenging.
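Intermittent polling leaves no long-lived connection to spot, but its timing is still regular. The following is an added example, not taken from Bybit's report, that flags client/destination pairs whose request intervals are nearly constant; the log format, host names and thresholds are assumptions, and the sample data is constructed.

```python
"""Flag client/destination pairs whose HTTP requests recur at near-regular intervals."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2026, 1, 1, 9, 0, 0)  # constructed start time


def _lines(client, dest, offsets):
    """Build constructed proxy-log lines: '<ISO timestamp> <client> <destination>'."""
    return [f"{(BASE + timedelta(seconds=o)).isoformat()} {client} {dest}" for o in offsets]


# Constructed sample: one host polling roughly every 60 s, one host browsing irregularly.
SAMPLE_LOG = "\n".join(
    _lines("mac-dev-01", "poll.example.invalid", [0, 61, 119, 182, 240, 299, 361])
    + _lines("mac-dev-02", "docs.example.org", [0, 2, 5, 190, 194, 900, 905, 2400])
)


def parse(log_text):
    """Group request timestamps by (client, destination); skip malformed lines."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, dest = parts
        events[(client, dest)].append(datetime.fromisoformat(ts))
    return events


def find_polling(log_text, min_requests=6, max_cv=0.2):
    """Return (client, dest, mean_gap_seconds, cv) for pairs with regular request gaps.

    cv is the coefficient of variation (stdev / mean) of the gaps between requests.
    Human browsing is bursty (high cv); timer-driven polling is steady (low cv).
    max_cv is an assumed threshold; polling with added jitter needs a looser value.
    """
    findings = []
    for (client, dest), times in parse(log_text).items():
        if len(times) < min_requests:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((client, dest, round(avg), round(pstdev(gaps) / avg, 3)))
    return findings
```
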

Bybit confirmed that the malicious infrastructure was identified on March 12, with full analysis, mitigation, and detection measures completed within the same day. Public disclosure followed on March 20, alongside detailed detection guidance.

Fighting malware on macOS involves relying on built-in tools like XProtect and Gatekeeper, supplemented by targeted scans if necessary. Key actions include enabling system security settings, updating macOS, removing suspicious profiles, and using reputable scanners like Malwarebytes for Mac if needed.

Dennis Sellers
Dennis Sellers is the editor/publisher of Apple World Today. He’s been an “Apple journalist” since 1995 (starting with the first big Apple news site, MacCentral). He loves to read, run, play sports, and watch movies.