Bybit Uncovers macOS Malware Targeting Users Searching for Claude Code
The Bybit Security Operations Center disclosed a sophisticated malware campaign targeting macOS users searching for Claude Code. The operation used search engine optimization poisoning to push a malicious domain to the top of search results, redirecting users to a fake installation page.
The malware executed a two-stage attack that harvested credentials, targeted cryptocurrency wallets, and maintained persistent access to infected systems. The first stage delivered a Mach-O dropper using an osascript-based infostealer similar to AMOS and Banshee variants. It extracted browser data, macOS Keychain entries, Telegram sessions, and wallet information from over 250 browser and desktop wallet applications.
A second-stage payload introduced a C++ backdoor capable of sandbox detection and encrypted configuration management. It used HTTP polling for remote command execution and persistence through system-level agents. Attackers also used fake macOS password prompts and trojanized versions of legitimate wallet applications such as Ledger Live and Trezor Suite.
Bybit reported that its AI-assisted workflows accelerated malware analysis, reducing deep inspection time from several hours to under 40 minutes. Automated extraction pipelines identified indicators of compromise and enabled same-day deployment of detection rules. The malicious infrastructure was identified on March 12, with full mitigation completed within the same day.