Introduction
In recent weeks, I’ve searched for pages impersonating Claude that distribute malware. I’ve reliably found these sites through malicious ads in Google search results that lead to them, often concealed behind sites.google[.]com URLs, such as this example from 2026-05-11.
These fake Claude pages generally show instructions for macOS malware when viewed from a macOS system, and instructions for Windows malware when viewed from a Windows system. Today’s diary shows an example of Windows malware from one of these pages, seen on Monday, 2026-05-25. Based on the C2 domain for post-infection traffic, this appears to be an ACR Stealer infection.
Images

Shown above: Web page impersonating Claude with a button to “Download for Windows.”

Shown above: Instructions to install Claude on Windows are actually instructions that will infect a vulnerable computer with malware.

Shown above: Traffic from a Windows host when following instructions from the fake Claude download page.
Indicators of Compromise
Fake Claude download page:
- hxxps[:]//fairpoint29[.]com/
From the above page, URL for the initial download:
- hxxps[:]//primemetricsa[.]com/1518925
Follow-up download:
- hxxps[:]//6ryuefl.creativecommunityinfo[.]art/Camel-91267b64-989f-49b4-89b4-9e015844d42d
A further download:
- hxxps[:]//i.ibb[.]co/Xx16sbMz/init-block.jpg
Domain for post-infection HTTPS traffic to C2 server:
- yw.enhanceblabber[.]cc
Initial download:
- SHA256 hash: 70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2
- File size: 2,416,902 bytes
- File type: Zip archive data, at least v1.0 to extract
- File location: hxxps[:]//primemetricsa[.]com/1518925
- NOTE: There’s an issue with this zip archive, so its contents will not extract correctly using typical extraction tools.
Follow-up download, PowerShell script:
- SHA256 hash: a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692
- File size: 4,177,395 bytes
- File type: ASCII text, with very long lines, with CRLF line terminators
- File location: hxxps[:]//6ryuefl.creativecommunityinfo[.]art/Camel-91267b64-989f-49b4-89b4-9e015844d42d
A further download:
- SHA256 hash: 47fa746422f1bf6b7712dc6803378e6a995488007193a7441d790f70d204728f
- File size: 628,035 bytes
- File type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1×1, segment length 16, baseline, precision 8, 5256×5256, components 3
- File location: hxxps[:]//i.ibb[.]co/Xx16sbMz/init-block.jpg
- NOTE: This image doesn’t appear to be malicious, nor could I find any obvious signs of embedded data, but it’s somehow related to this infection chain.
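For defenders who want to sweep their own proxy logs and file hashes for the indicators listed above, here is an added example (my own, not part of the diary) that refangs the defanged indicators and matches them against log lines. The proxy log format (timestamp, client, method, host:port, path) and the sample lines are constructed for the demonstration, and treating i.ibb[.]co as a shared host that should only match on the exact URL path is an analyst judgement, not something stated in the diary.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators copied from the diary above, still in their defanged form.
DEFANGED_INDICATORS = [
    "hxxps[:]//fairpoint29[.]com/",
    "hxxps[:]//primemetricsa[.]com/1518925",
    "hxxps[:]//6ryuefl.creativecommunityinfo[.]art/Camel-91267b64-989f-49b4-89b4-9e015844d42d",
    "hxxps[:]//i.ibb[.]co/Xx16sbMz/init-block.jpg",
    "yw.enhanceblabber[.]cc",
]

# SHA256 hashes from the diary, mapped to a short description.
KNOWN_SHA256 = {
    "70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2": "initial download (zip archive)",
    "a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692": "follow-up PowerShell script",
    "47fa746422f1bf6b7712dc6803378e6a995488007193a7441d790f70d204728f": "init-block.jpg",
}

# Hosts that also serve plenty of legitimate content. For these we alert only on the
# exact URL path from the diary, not on the host alone (analyst judgement, not from the diary).
SHARED_HOSTS = {"i.ibb.co"}


def refang(indicator: str) -> str:
    """Convert hxxps[:]//example[.]com back into https://example.com."""
    return (indicator.replace("hxxps", "https").replace("hxxp", "http")
            .replace("[:]", ":").replace("[.]", "."))


def split_indicator(indicator: str) -> tuple[str, str]:
    """Return (host, path) for a URL or bare domain; a bare host or a lone '/' gives path ''."""
    m = re.match(r"^(?:https?://)?([^/]+)(/.*)?$", refang(indicator))
    host, path = m.group(1).lower(), m.group(2) or ""
    return host, "" if path == "/" else path


# host -> set of watched paths ('' means the host itself is the indicator)
WATCH: dict[str, set[str]] = {}
for _ind in DEFANGED_INDICATORS:
    _host, _path = split_indicator(_ind)
    WATCH.setdefault(_host, set()).add(_path)


@dataclass
class Hit:
    timestamp: str
    client: str
    host: str
    path: str
    reason: str


def classify(host: str, path: str) -> str | None:
    """Return a reason string if host/path matches a diary indicator, otherwise None."""
    host = host.lower()
    for watched, paths in WATCH.items():
        if host == watched or host.endswith("." + watched):
            if watched in SHARED_HOSTS:
                return f"url {watched}{path}" if path in paths else None
            return f"host {watched}"
    return None


def scan_proxy_log(text: str) -> list[Hit]:
    """Scan whitespace-separated proxy lines: timestamp client method host:port path."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, hostport, path = line.split(maxsplit=4)
        host = hostport.rsplit(":", 1)[0]
        reason = classify(host, path)
        if reason:
            hits.append(Hit(ts, client, host, path, reason))
    return hits


def match_hashes(lines: list[str]) -> dict[str, str]:
    """Match sha256sum-style lines ('<digest>  <path>') against the diary's hashes."""
    found = {}
    for line in lines:
        digest, _, path = line.strip().partition("  ")
        desc = KNOWN_SHA256.get(digest.lower())
        if desc:
            found[path] = desc
    return found


# Constructed sample proxy log (not from the diary): one host that walked the whole chain,
# one unrelated host, and a benign fetch from the shared image host.
SAMPLE_PROXY_LOG = """\
2026-05-25T14:01:02Z 10.0.0.15 GET fairpoint29.com:443 /
2026-05-25T14:01:09Z 10.0.0.15 GET primemetricsa.com:443 /1518925
2026-05-25T14:02:30Z 10.0.0.15 GET 6ryuefl.creativecommunityinfo.art:443 /Camel-91267b64-989f-49b4-89b4-9e015844d42d
2026-05-25T14:03:00Z 10.0.0.15 GET i.ibb.co:443 /Xx16sbMz/init-block.jpg
2026-05-25T14:05:00Z 10.0.0.15 CONNECT yw.enhanceblabber.cc:443 -
2026-05-25T14:06:00Z 10.0.0.22 GET www.example.com:443 /index.html
2026-05-25T14:07:00Z 10.0.0.22 GET i.ibb.co:443 /abc/vacation.jpg
"""

# Constructed sha256sum output (not from the diary); only the first digest is a real IoC.
SAMPLE_HASH_LINES = [
    "a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692  C:/Users/user/AppData/Local/Temp/Camel.ps1",
    "0000000000000000000000000000000000000000000000000000000000000000  C:/Users/user/Desktop/notes.txt",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit.timestamp} {hit.client} -> {hit.host}{hit.path} ({hit.reason})")
    print(match_hashes(SAMPLE_HASH_LINES))
```

Matching on the host for the attacker-controlled domains and on the full path for the shared image host keeps the false-positive rate down: any hit on i.ibb[.]co in a corporate proxy log would otherwise drown out the single URL that matters here.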
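The note above says no obvious signs of embedded data were found in init-block.jpg. The first check an analyst runs on an image pulled by a stager is to walk the JPEG marker segments and measure what sits after the EOI marker, since appended payloads live there. The following is an added example of that check (my own code, not from the diary); the sample byte strings are constructed, minimal JPEG-shaped inputs built for the demonstration, not the diary's file.

```python
from __future__ import annotations
import struct
import sys

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))          # restart markers inside entropy-coded data
NO_LENGTH = RST | {SOI, EOI, 0x01}    # markers that carry no length field


def analyze_jpeg(data: bytes) -> dict:
    """Walk JPEG marker segments and report what follows the EOI marker.

    Returns a dict with:
      segments       - list of (marker_byte, declared_length) in file order
      eoi_offset     - offset just past FFD9, or None if EOI was never found
      trailing_bytes - bytes after EOI (where an appended payload would sit), or None
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments = []
    pos = 2
    eoi_offset = None
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte between markers, keep looking
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            segments.append((marker, 0))
            eoi_offset = pos
            break
        if marker in NO_LENGTH:
            segments.append((marker, 0))
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        segments.append((marker, length))
        pos += length
        if marker == SOS:
            # Entropy-coded data follows SOS: skip until the next real marker,
            # ignoring FF00 byte stuffing and RSTn markers.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST:
                    break
                pos += 1
    trailing = len(data) - eoi_offset if eoi_offset is not None else None
    return {"segments": segments, "eoi_offset": eoi_offset, "trailing_bytes": trailing}


def _build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG-shaped byte string (structurally valid markers, not a decodable image)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"   # FF00 here is byte stuffing, not a marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


CLEAN_SAMPLE = _build_sample_jpeg()
# Constructed tampered sample: the same image with data appended after EOI.
APPENDED_PAYLOAD = b"constructed appended payload"
TAMPERED_SAMPLE = CLEAN_SAMPLE + APPENDED_PAYLOAD

if __name__ == "__main__":
    # Usage: python check_jpeg.py <file.jpg>; without an argument the constructed samples are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(analyze_jpeg(fh.read()))
    else:
        print("clean:", analyze_jpeg(CLEAN_SAMPLE))
        print("tampered:", analyze_jpeg(TAMPERED_SAMPLE))
```

A trailing_bytes value of 0 on a real file is consistent with the note above, but it only rules out the crude append trick; the segment list is worth a second look for oversized COM or APPn segments, and steganographic use of pixel data would not show up here at all.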
—
Bradley Duncan
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.