{"id":3332,"date":"2026-05-26T00:05:59","date_gmt":"2026-05-26T00:05:59","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/26\/possible-acr-stealer-from-page-impersonating-claude-tue-may-26th\/"},"modified":"2026-05-26T00:05:59","modified_gmt":"2026-05-26T00:05:59","slug":"possible-acr-stealer-from-page-impersonating-claude-tue-may-26th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/26\/possible-acr-stealer-from-page-impersonating-claude-tue-may-26th\/","title":{"rendered":"Possible ACR Stealer From Page Impersonating Claude, (Tue, May 26th)"},"content":{"rendered":"
\n

Introduction<\/strong><\/em><\/p>\n

In recent weeks, I’ve searched for pages impersonating Claude that distribute malware. In recent weeks, I’ve reliably found these sites through malicious ads in Google searches that lead to these pages, often concealed in URLs for sites.google[.]com<\/span>, such as this example from 2026-05-11<\/a>.<\/p>\n

These fake Claude pages generally show instructions for macOS malware when viewed through a macOS system, and they will show instructions for Windows malware when viewed through a Windows system. Today’s dairy shows an example of Windows malware from one of these pages seen on Monday, 2026-05-25. Based on the C2 domain for post-infection traffic, this appears to be an infection for\u00a0ACR Stealer<\/a>.<\/p>\n

Images<\/strong><\/em><\/p>\n

\"\"<\/a>
\nShown above: Web page impersonating Claude with a button to “Download for Windows.”<\/em><\/p>\n

\"\"<\/a>
\nShown above: Instructions to install Claude on Windows are actually instructions that will infect a vulnerable computer with malware.<\/em><\/p>\n

\"\"<\/a>
\nShown above: Traffic from a Windows host when following instructions from the fake Claude download page.<\/em><\/p>\n

Indicators of Compromise<\/strong><\/em><\/p>\n

Fake Claude download page:<\/p>\n