/C O R R E C T I O N -- Bybit/

Business
2026-04-21 23:08 Last Updated At: 23:25

In the news release, Bybit Uncovers AI-Assisted macOS Malware Campaign Targeting Users Searching for Claude Code, issued 21-Apr-2026 by Bybit over PR Newswire, we are advised by the company that the headline and 9th paragraph have been updated. The complete, corrected release follows:

AI-empowered Bybit Security Team Uncovers macOS Malware Campaign Targeting Users Searching for Claude Code

DUBAI, UAE, April 21, 2026 /PRNewswire/ -- Bybit, the world's second-largest cryptocurrency exchange by trading volume, reported that its Security Operations Center (SOC) disclosed findings detailing a sophisticated, multi-stage malware campaign targeting macOS users searching for "Claude Code," an AI-powered development tool from Anthropic.

The report marks one of the first known disclosures by a centralized crypto exchange (CEX) of an active threat campaign targeting developers via AI tool discovery channels, underscoring the sector's growing role in frontline cybersecurity intelligence.

First identified in March 2026, the campaign used search engine optimization (SEO) poisoning to elevate a malicious domain to the top of Google search results. Users were redirected to a spoofed installation page designed to closely resemble legitimate documentation, triggering a two-stage attack chain focused on credential harvesting, crypto asset targeting, and persistent system access.

The initial payload, delivered via a Mach-O dropper, deployed an osascript-based infostealer exhibiting characteristics similar to known AMOS and Banshee variants. It executed a multi-phase obfuscation sequence to extract sensitive data including browser credentials, macOS Keychain entries, Telegram sessions, VPN profiles, and cryptocurrency wallet information. Bybit researchers identified targeted access attempts against more than 250 browser-based wallet extensions and multiple desktop wallet applications.

A second-stage payload introduced a C++-based backdoor with advanced evasion capabilities, including sandbox detection and encrypted runtime configurations. The malware established persistence through system-level agents and enabled remote command execution via HTTP-based polling, granting attackers ongoing control over compromised devices.

Bybit's SOC leveraged AI-assisted workflows across the full malware analysis lifecycle, significantly accelerating response time while maintaining analytical depth. Initial triage and classification of the Mach-O sample were completed within minutes, with models flagging behavioral similarities to known malware families.

AI-assisted reverse engineering and control-flow analysis reduced the time required for deep inspection of the second-stage backdoor from an estimated six to eight hours to under 40 minutes. At the same time, automated extraction pipelines identified indicators of compromise (IOCs) – including command-and-control infrastructure, file signatures, and behavioral patterns – and mapped them to established threat frameworks.

These capabilities enabled same-day deployment of detection measures. AI-assisted rule generation supported the creation of threat signatures and endpoint detection rules, which analysts validated before being pushed into production environments. AI-generated reporting drafts further reduced turnaround time, allowing threat intelligence outputs to be finalized approximately 70% faster than traditional workflows.

"As one of the first crypto exchanges to publicly document this type of malware campaign, we believe sharing these findings is critical to strengthening collective defense across the industry," said David Zong, Head of Group Risk Control and Security at Bybit. "Our AI-assisted SOC allows us to move from detection to full kill chain visibility within a single operational window. What used to require a team of analysts working across multiple shifts – decompilation, IOC extraction, report drafting, rule writing – was completed in a single session with AI handling the heavy lifting and our analysts providing judgment and validation. Looking to the future, we will face an AI war. Using AI to defend against AI is an inevitable trend. Bybit will further increase its investment in AI for security, achieving minute-level threat detection and automated, intelligent emergency response."

The investigation also revealed social engineering tactics, including fake macOS password prompts used to validate and cache user credentials. In some cases, attackers attempted to replace legitimate crypto wallet applications such as Ledger Live and Trezor Suite with trojanized versions hosted on malicious infrastructure.

The malware targeted a wide range of environments, including Chromium-based browsers, Firefox variants, Safari data, Apple Notes, and local file directories commonly used to store sensitive financial or authentication data.

Bybit identified multiple domains and command-and-control endpoints associated with the campaign, all of which have been defanged for public disclosure. Analysis indicates that attackers relied on intermittent HTTP polling rather than persistent connections, making detection more challenging.
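The release notes that the backdoor polled its command-and-control server intermittently over HTTP rather than holding a connection open, which defeats detections keyed on long-lived sessions. What such polling does leave behind is timing regularity: a timer-driven client produces near-constant gaps between requests to the same host, while browsing traffic is bursty. The following detector, an added illustration and not Bybit's own tooling or the campaign's real indicators, groups egress-proxy events by (client, destination host) and flags pairs whose inter-request intervals have a very low coefficient of variation. The log format, the hostnames (`updates.example.invalid`, `cdn.example.com`) and every timestamp are constructed for the example.

```python
"""Periodic-beacon detector over egress/proxy logs (added example, constructed data).

Flags (client, destination host) pairs whose outbound HTTP requests recur at
near-constant intervals: the footprint of a backdoor that polls a C2 endpoint on
a timer instead of keeping a persistent connection.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Field layout (an assumption for this example):
#   <ISO timestamp> <client_ip> <method> <host> <path> <status> <bytes>
# updates.example.invalid plays the role of a polled C2 host (one GET roughly every
# 300 s); cdn.example.com is ordinary, content-driven traffic from the same client.
SAMPLE_LOG = """\
2026-03-12T09:00:00 10.0.0.7 GET updates.example.invalid /api/v1/task 200 312
2026-03-12T09:00:03 10.0.0.7 GET cdn.example.com /assets/app.js 200 48211
2026-03-12T09:05:01 10.0.0.7 GET updates.example.invalid /api/v1/task 200 310
2026-03-12T09:07:40 10.0.0.7 GET cdn.example.com /assets/logo.png 200 9031
2026-03-12T09:10:00 10.0.0.7 GET updates.example.invalid /api/v1/task 200 315
2026-03-12T09:14:59 10.0.0.7 GET updates.example.invalid /api/v1/task 200 311
2026-03-12T09:19:58 10.0.0.7 GET cdn.example.com /assets/fonts.css 200 2210
2026-03-12T09:20:01 10.0.0.7 GET updates.example.invalid /api/v1/task 200 309
2026-03-12T09:25:00 10.0.0.7 GET updates.example.invalid /api/v1/task 200 314
2026-03-12T09:31:12 10.0.0.7 GET cdn.example.com /assets/app.js 200 48211
2026-03-12T09:33:05 10.0.0.7 GET cdn.example.com /assets/vendor.js 200 73120
"""


def parse_log(text):
    """Parse the constructed log format into event dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client, "method": method, "host": host,
            "path": path, "status": int(status), "bytes": int(size),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def beacon_candidates(events, min_requests=5, max_cv=0.1):
    """Return (client, host) pairs whose request timing looks timer-driven.

    cv = population stdev / mean of the gaps between consecutive requests.
    Human- or content-driven traffic yields a high cv; a fixed-interval poller
    yields a cv near zero. Pairs with fewer than min_requests events are skipped
    because a handful of gaps cannot establish a rhythm.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])

    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all events share one timestamp; no interval to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host,
                             "count": len(stamps),
                             "mean_interval": avg, "cv": cv})
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['count']} requests, "
              f"every ~{f['mean_interval']:.0f}s (cv={f['cv']:.3f})")
```

Run against real proxy logs, `max_cv` is the knob to tune: a poller that adds random jitter to its sleep raises the cv, so a looser threshold catches it at the cost of more review work on legitimate software updaters and telemetry agents, which also poll on timers and should be allow-listed by host rather than by lowering the threshold.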

The incident reflects a growing trend of attackers targeting developers through manipulated search results, particularly as AI tools gain mainstream adoption. Developers remain high-value targets due to their access to codebases, infrastructure, and financial systems.

Bybit confirmed that malicious infrastructure was identified on March 12, with full analysis, mitigation, and detection measures completed within the same day. Public disclosure followed on March 20, alongside detailed detection guidance.

#Bybit / #CryptoArk / #NewFinancialPlatform

About Bybit

Bybit is the world's second-largest cryptocurrency exchange by trading volume, serving a global community of over 80 million users. Founded in 2018, Bybit is redefining openness in the decentralized world by creating a simpler, open and equal ecosystem for everyone. With a strong focus on Web3, Bybit partners strategically with leading blockchain protocols to provide robust infrastructure and drive on-chain innovation. Renowned for its secure custody, diverse marketplaces, intuitive user experience, and advanced blockchain tools, Bybit bridges the gap between TradFi and DeFi, empowering builders, creators, and enthusiasts to unlock the full potential of Web3. Discover the future of decentralized finance at Bybit.com.

For more details about Bybit, please visit Bybit Press
For media inquiries, please contact: media@bybit.com
For updates, please follow: Bybit's Communities and Social Media

Discord | Facebook | Instagram | LinkedIn | Reddit | Telegram | TikTok | X | Youtube

** This press release is distributed by PR Newswire through automated distribution system, for which the client assumes full responsibility. **
