Exploiting Trust: How Malvertisers Leveraged GitLab and Claude.ai for In-Memory RAT Deployment

A highly sophisticated malvertising and social engineering campaign has recently emerged, showcasing a tactical pivot from weaponized GitLab Pages to the abuse of Claude.ai’s shared chat functionality. This campaign enables threat actors to deliver a stealthy, in-memory Remote Access Trojan (RAT) via a specialized loader chain utilizing China-themed naming conventions.

Over a seven-week observation period (April 8 – June 14, 2026), security researchers identified 106 unique malicious hostnames distributed across six distinct attack waves. The campaign was characterized by rapid infrastructure rotation and iterative A/B testing of lures, specifically targeting high-intent keywords related to AI developer tooling.

The attack vector utilizes a multi-layered approach: paid search malvertising, the exploitation of high-reputation “trusted hosts,” and the “ClickFix” social engineering technique, which tricks users into executing malicious code via manual copy-paste commands.

Using Google Ads, attackers targeted technically proficient users searching for industry-leading AI tools. The ads impersonated legitimate brands such as Claude, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Instead of directing users to malicious domains, the ads pointed to legitimate GitLab Pages subdomains or, in later iterations, to authentic claude.ai/share/ URLs.

By hosting content on high-reputation platforms like gitlab.io and claude.ai, the operators successfully bypassed traditional domain-based reputation filters and browser heuristics. Because the landing pages were hosted on legitimate, properly certified domains, standard URL-filtering and SSL/TLS certificate inspections failed to provide any meaningful indicators of compromise (IoC).

Initial attack waves utilized 92 malicious GitLab Pages hostnames designed to mimic software download portals. These pages presented victims with “ClickFix” instructions—a social engineering tactic that prompts the user to open a terminal (PowerShell or Terminal) and paste a specific command string.

According to TrendAI™ Research, the command executed by the user fetches and runs a multi-stage loader from an external command-and-control (C2) server. While the loader chain incorporates a China-themed motif in its nomenclature, forensic analysis suggests its primary objective is the deployment of an in-memory RAT, specifically designed to avoid leaving a permanent footprint on the local disk.

The China-Themed Loader Chain and In-Memory Execution

The core strength of this loader lies in its ability to decrypt and execute the RAT entirely within the system’s volatile memory (RAM). By avoiding disk-resident payloads, the attackers significantly reduce the forensic trail and complicate detection for traditional Endpoint Protection Platforms (EPP) that rely heavily on file-based signature scanning.

A notable escalation in the campaign’s sophistication was the weaponization of the Claude.ai “Share” feature. TrendAI™ documented at least 61 unique shared conversation IDs and multiple Google Ads campaign IDs that linked directly to claude.ai/share/<uuid>. This tactic effectively neutralized defenses that flag low-reputation domains or certificate anomalies, as the malicious instructions were hosted directly on Anthropic’s infrastructure.

These shared chats often adopted the persona of trusted support entities, such as “Apple Support” or “Corda Team.” They presented curated instructions—typically a single curl command piped through a base64 decoder—which, when executed, retrieved the primary loader script.

Upon execution, the script performs environmental reconnaissance, including a notable check to exclude systems with Russian keyboard layouts. If the system meets the attacker’s criteria, the script retrieves and executes a MacSync infostealer variant before pivoting to the final in-memory RAT stage. The campaign also utilized dual-use infrastructure to host various Mac utility scams, demonstrating a diversified approach to maximize victim conversion rates.

Geographically, the campaign shows a heavy concentration in the Asia-Pacific region, which accounted for approximately 67% of all confirmed victims. Taiwan, in particular, represented a significant portion of the traffic at roughly 30.5%. This high density suggests highly optimized geo-targeting within the Google Ads platform.

Throughout the seven-week period, operators utilized performance telemetry to refine their lures, gradually expanding their targeting to include Singapore, India, and various European nations. Following notification of the abuse, Anthropic took action to remove the malicious shared conversations, ban the associated accounts, and harden their shared-chat mitigation protocols.

Defensive Recommendations:
To mitigate the risk of similar “ClickFix” and malvertising attacks, organizations should consider the following:

• Implement strict policies against the execution of copy-pasted shell commands from untrusted web sources.
• Enhance endpoint visibility to include script-blocking and real-time inspection of shell command execution.
• Monitor for anomalous in-memory process behaviors that may indicate a fileless RAT.
• Conduct user awareness training specifically focusing on the “ClickFix” social engineering pattern.