AhnLab said it has identified cases in which an information-stealing malware strain was distributed through phishing sites impersonating the generative AI service Claude, and urged users to be cautious.
On 22, AhnLab said the phishing site displays the message “Bring Claude to your Desktop” and offers download buttons by operating system, including Windows and macOS, to lure users into installing it.
When a user clicks the download button for their OS, a pop-up appears instead of an installer, providing installation instructions. The notice says the download will begin if the user copies a specific command and pastes it into their PC, but following those steps installs malware.
Once installed, the malware steals files on the PC, browser-stored information and cryptocurrency wallet data, then sends it to an attacker-controlled server.
AhnLab said this tactic — disguising instructions or error messages to get users to copy and paste a malicious command themselves — is known as the “ClickFix” technique and has recently been used in a range of malware distribution attacks.
The company said the phishing site was found appearing near the top of Google search results for keywords such as “Claude app” and “Claude desktop.” It said attackers may have manipulated rankings by using search ads.
AhnLab said such attacks continue to exploit users’ tendency to trust sites shown at the top of search results, and called for heightened vigilance.
To reduce risk, it advised users to verify official domain addresses regardless of search rankings, apply the latest security updates for PCs, operating systems, software and browsers, and enable real-time monitoring in antivirus software such as V3.
AhnLab said its V3 product line supports detection of the phishing site and blocks access, and that related threat information is available through its next-generation threat intelligence platform, AhnLab TIP.
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.