Possible ACR Stealer From Page Impersonating Claude, (Tue, May 26th)
A series of malicious web pages impersonating the Claude AI platform have been identified distributing malware, specifically the ACR Stealer. These fake pages use malicious advertisements in Google searches to lure victims and serve different instructions depending on the victim's operating system (macOS or Windows). The Windows variant leads to a multi-stage infection involving downloads of a corrupted zip archive, a PowerShell script, and a related image file. The malware communicates with a command-and-control server after infection. No official patch or remediation guidance is provided, and no known exploits in the wild have been reported beyond these observed infection chains.
AI Analysis
Technical Summary
Recent investigations revealed web pages impersonating the Claude AI platform that distribute malware, notably ACR Stealer, via malicious ads in Google search results. These pages tailor their displayed instructions based on the visitor's OS, showing Windows or macOS malware installation steps accordingly. The infection chain involves an initial corrupted zip archive download, followed by a PowerShell script and an associated image file, culminating in communication with a C2 server (yw.enhanceblabber.cc). The infection is initiated from URLs such as fairpoint29.com and primemetricsa.com. The image file appears benign but is part of the infection chain. No patch or vendor advisory is available, and this is not a vulnerability in software but a malware distribution campaign via social engineering and malicious hosting.
Potential Impact
Successful victim interaction with these fake Claude pages can lead to infection with ACR Stealer malware on Windows systems. This malware likely exfiltrates sensitive information to a remote command-and-control server. The infection chain involves multiple downloads, including a corrupted zip archive and a PowerShell script, which may evade simple detection. There are no reports of exploitation beyond these observed infection attempts. The threat primarily impacts users who follow the malicious instructions and download the payloads.
Mitigation Recommendations
No official patch or vendor advisory is available for this threat. Defenders should block access to the identified malicious domains and URLs (e.g., fairpoint29.com, primemetricsa.com, creativecommunityinfo.art, i.ibb.co, enhanceblabber.cc). Users should be warned not to trust unsolicited download links or instructions from unverified sources, especially those impersonating legitimate platforms like Claude. Endpoint protection solutions should be updated to detect and block ACR Stealer and associated PowerShell scripts. Since this is a malware distribution campaign via social engineering, user awareness training is critical. Monitor for indicators of compromise related to the provided hashes and domains.
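As an added example (not code from the ISC diary or this page), the following Python checks DNS resolver log lines against the domains named in this analysis, counting subdomains such as yw.enhanceblabber.cc as hits while rejecting lookalike suffixes; the log format, client addresses and timestamps are constructed for the demonstration.

```python
from typing import Iterable, Optional

# Domains taken from the analysis above. i.ibb.co is a general-purpose
# image-hosting service, so a hit there is a lead to review, not proof of infection.
IOC_DOMAINS = {
    "fairpoint29.com",
    "primemetricsa.com",
    "creativecommunityinfo.art",
    "enhanceblabber.cc",   # C2 observed at yw.enhanceblabber.cc; match the parent zone
    "i.ibb.co",
}

def normalize(host: str) -> str:
    """Lowercase, drop a trailing dot (common in DNS logs) and any port suffix."""
    host = host.strip().lower().rstrip(".")
    return host.split(":")[0]

def matches_ioc(host: str, iocs: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC that host equals or is a subdomain of, else None.

    The '.' + ioc check keeps notenhanceblabber.cc from matching enhanceblabber.cc.
    """
    h = normalize(host)
    for ioc in iocs:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None

# Constructed sample resolver log: "<timestamp> <client ip> <queried name>".
SAMPLE_LOG = """\
2026-05-26T00:10:01Z 10.0.0.12 www.anthropic.com.
2026-05-26T00:10:05Z 10.0.0.12 fairpoint29.com.
2026-05-26T00:10:07Z 10.0.0.12 yw.enhanceblabber.cc.
2026-05-26T00:10:09Z 10.0.0.15 notenhanceblabber.cc.
2026-05-26T00:10:11Z 10.0.0.15 i.ibb.co.
"""

def scan_dns_log(text: str) -> list:
    """Return (client, normalized query name, matched IOC) for every hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue          # skip malformed or blank lines
        _ts, client, qname = parts
        ioc = matches_ioc(qname)
        if ioc:
            hits.append((client, normalize(qname), ioc))
    return hits

if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_LOG):
        print(f"{client} queried {qname} (matches IOC {ioc})")
```

Feed real resolver or proxy exports through scan_dns_log and pivot on the client address to find hosts that went on to fetch the zip, script and image stages.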
Technical Details
- Article source: https://isc.sans.edu/diary/rss/33018 (fetched 2026-05-26T00:09:59Z, 476 words)
- Threat ID: 6a14e4d7a5ae1af1aafaa3ce
- Added to database: 5/26/2026, 12:09:59 AM
- Last enriched: 5/26/2026, 12:10:12 AM
- Last updated: 5/26/2026, 3:05:42 AM