April 22, 2026

AI-Empowered Bybit Security Team Uncovers macOS Malware Campaign Targeting Users Searching For ‘Claude Code’

Cryptocurrency exchange Bybit reported that its Security Operations Center (SOC) has identified a complex multi-stage malware operation targeting macOS users searching for “Claude Code,” an artificial intelligence-driven development tool developed by Anthropic.

The disclosure is among the first public cases in which a centralized cryptocurrency exchange has detailed an active threat campaign aimed at developers through AI tool discovery channels, highlighting an increasing intersection between cybersecurity intelligence and the digital asset sector.

According to the findings, first detected in March 2026, the campaign relied on search engine optimization (SEO) manipulation to position a fraudulent domain at the top of Google search results. Users were redirected to a counterfeit installation page designed to closely replicate legitimate documentation, initiating a two-stage infection process focused on credential theft, cryptocurrency asset exposure, and persistent system compromise.

The initial stage involved a Mach-O dropper that deployed an osascript-based information-stealing component with behavioural similarities to known AMOS and Banshee malware variants. The program used a multi-layer obfuscation sequence and was designed to extract sensitive information, including browser credentials, macOS Keychain data, Telegram sessions, VPN configurations, and cryptocurrency wallet details. Researchers at Bybit identified targeted access attempts involving more than 250 browser-based wallet extensions as well as multiple desktop wallet applications.

A second-stage payload introduced a C++-based backdoor featuring advanced evasion mechanisms, including sandbox detection and encrypted runtime configuration. The malware established persistence through system-level agents and enabled remote command execution via HTTP-based polling, allowing continuous attacker access to compromised systems.

AI-Assisted Threat Analysis And Accelerated SOC Response

Bybit’s SOC reported the use of AI-assisted workflows throughout the malware analysis process, which significantly reduced response times while preserving analytical depth. Initial classification of the Mach-O sample was completed within minutes, with automated systems identifying behavioural patterns consistent with known malware families.

AI-supported reverse engineering and control-flow analysis reduced the inspection time for the second-stage backdoor from an estimated six to eight hours to under 40 minutes. Automated extraction processes were used to identify indicators of compromise, including command-and-control infrastructure, file signatures, and behavioural patterns, which were then mapped to established threat intelligence frameworks.

These capabilities enabled same-day deployment of defensive measures. AI-assisted rule generation facilitated the creation of detection signatures and endpoint protection rules, which were reviewed by analysts prior to deployment. Automated drafting of reporting materials reduced overall production time for threat intelligence outputs by approximately 70% compared with conventional workflows.

“As one of the first crypto exchanges to publicly document this type of malware campaign, we believe sharing these findings is critical to strengthening collective defense across the industry,” said David Zong, Head of Group Risk Control and Security at Bybit, in a written statement. “Our AI-assisted SOC allows us to move from detection to full kill chain visibility within a single operational window. What used to require a team of analysts working across multiple shifts — decompilation, IOC extraction, report drafting, rule writing — was completed in a single session with AI handling the heavy lifting and our analysts providing judgment and validation. Looking to the future, we will face an AI war. Using AI to defend against AI is an inevitable trend. Bybit will further increase its investment in AI for security, achieving minute-level threat detection and automated, intelligent emergency response,” he added.

The investigation additionally identified social engineering techniques, including counterfeit macOS password prompts intended to capture and store user credentials. In certain cases, attackers attempted to replace legitimate cryptocurrency wallet applications such as Ledger Live and Trezor Suite with trojanised versions hosted on malicious infrastructure.

The malware campaign targeted multiple environments, including Chromium-based browsers, Firefox-based variants, Safari data stores, Apple Notes, and local file directories commonly used for storing authentication or financial information.

Bybit reported that multiple domains and command-and-control endpoints linked to the operation were identified and neutralised prior to public disclosure. The analysis indicated the use of intermittent HTTP polling rather than persistent network connections, a technique designed to reduce detection likelihood.

The incident is described as part of a broader trend in which attackers increasingly exploit search engine manipulation and AI-related tools to target developers, who are often viewed as high-value victims due to their access to software systems, infrastructure, and financial platforms.

The malicious infrastructure was reportedly identified on 12 March, with analysis, mitigation, and deployment of detection measures completed the same day. Public disclosure of the findings followed on 20 March, accompanied by technical guidance for threat detection.

About The Author

Alisa, a dedicated journalist at the MPost, specializes in crypto, AI, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.

Alisa Davidson