

Possible ACR Stealer From Page Impersonating Claude, (Tue, May 26th)

Introduction

In recent weeks, I've been searching for pages impersonating Claude that distribute malware. I've reliably found these sites through malicious ads in Google search results that lead to these pages, often concealed behind URLs for sites.google[.]com, such as this example from 2026-05-11. These fake Claude pages generally show instructions for macOS malware when viewed from a macOS system, and instructions for Windows malware when viewed from a Windows system. Today's diary shows an example of Windows malware from one of these pages, seen on Monday, 2026-05-25. Based on the C2 domain for post-infection traffic, this appears to be an ACR Stealer infection.

Images

Image: Web page impersonating Claude with a button to Download for Windows.
Image: Instructions to install Claude on Windows are actually instructions that will infect a vulnerable computer with malware.
Image: Traffic from a Windows host when following instructions from the fake Claude download page.

Indicators of Compromise

Fake Claude download page:
hxxps[:]//fairpoint29[.]com/

From the above page, URL for the initial download:
hxxps[:]//primemetricsa[.]com/1518925

Follow-up download:
hxxps[:]//6ryuefl.creativecommunityinfo[.]art/Camel-91267b64-989f-49b4-89b4-9e015844d42d

A further download:
hxxps[:]//i.ibb[.]co/Xx16sbMz/init-block.jpg

Domain for post-infection HTTPS traffic to C2 server:
yw.enhanceblabber[.]cc

Initial download:
SHA256 hash: 70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2
File size: 2,416,902 bytes
File type: Zip archive data, at least v1.0 to extract
File location: hxxps[:]//primemetricsa[.]com/1518925
NOTE: There's an issue with this zip archive, so its contents will not extract correctly using typical extraction tools.

Follow-up download, PowerShell script:
SHA256 hash: a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692
File size: 4,177,395 bytes
File type: ASCII text, with very long lines, with CRLF line terminators
File location: hxxps[:]//6ryuefl.creativecommunityinfo[.]art/Camel-91267b64-989f-49b4-89b4-9e015844d42d

A further download:
SHA256 hash: 47fa746422f1bf6b7712dc6803378e6a995488007193a7441d790f70d204728f
File size: 628,035 bytes
File type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 5256x5256, components 3
File location: hxxps[:]//i.ibb[.]co/Xx16sbMz/init-block.jpg
NOTE: This image doesn't appear to be malicious, nor could I find any obvious signs of embedded data, but it's somehow related to this infection chain.

---
Bradley Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
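As an added example (not code from the diary or from SANS ISC), the Python below turns the indicators listed above into something a responder can run: it refangs the defanged URLs, hunts for the hostnames in proxy/DNS log lines using whole-hostname matching so a look-alike such as fairpoint29.com.example.net does not false-positive, checks a file's SHA256 against the three listed hashes, and, for the init-block.jpg question, walks the JPEG marker segments to report how many bytes sit after the real End-Of-Image marker (a common place to append a payload). The log lines and the image bytes are constructed for the demo; whether the real init-block.jpg carries appended data is not something the diary or this example establishes.

```python
# Added example (not code from the SANS ISC diary): triage helpers for the indicators
# listed above. Indicator values are the diary's; log lines and image bytes are constructed.
import hashlib
import re
from urllib.parse import urlparse

DEFANGED_URLS = [  # kept defanged so this file is safe to share
    "hxxps[:]//fairpoint29[.]com/",
    "hxxps[:]//primemetricsa[.]com/1518925",
    "hxxps[:]//6ryuefl.creativecommunityinfo[.]art/Camel-91267b64-989f-49b4-89b4-9e015844d42d",
    "hxxps[:]//i.ibb[.]co/Xx16sbMz/init-block.jpg",
]
DEFANGED_C2 = "yw.enhanceblabber[.]cc"
SHA256_IOCS = {
    "70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2": "initial zip download",
    "a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692": "follow-up PowerShell script",
    "47fa746422f1bf6b7712dc6803378e6a995488007193a7441d790f70d204728f": "init-block.jpg",
}
SAMPLE_LOG = [  # constructed proxy/DNS lines; line 4 is a look-alike host that must not match
    "2026-05-25 14:01:02 10.0.0.5 GET https://fairpoint29.com/ 200",
    "2026-05-25 14:01:09 10.0.0.5 GET https://primemetricsa.com/1518925 200",
    "2026-05-25 14:02:30 10.0.0.5 DNS A yw.enhanceblabber.cc",
    "2026-05-25 14:02:31 10.0.0.5 GET https://fairpoint29.com.example.net/ 200",
    "2026-05-25 14:03:00 10.0.0.7 GET https://claude.ai/ 200",
]
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)


def refang(indicator):
    """Turn the diary's defanged form (hxxps[:]//, [.]) back into a real URL or host."""
    return indicator.replace("hxxps[:]//", "https://").replace("hxxp[:]//", "http://").replace("[.]", ".")


def ioc_hosts():
    """Hostnames to hunt for: the host of every listed URL plus the C2 domain."""
    return {urlparse(refang(u)).hostname for u in DEFANGED_URLS} | {refang(DEFANGED_C2)}


def match_log_lines(lines):
    """(line_number, host) for each line naming a known host. Whole hostnames are extracted
    first, so 'fairpoint29.com.example.net' does not match 'fairpoint29.com' as a substring would."""
    wanted, hits = ioc_hosts(), []
    for n, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            if host.lower() in wanted:
                hits.append((n, host.lower()))
                break
    return hits


def sha256_lookup(data):
    """Label of the listed sample whose SHA256 matches `data`, or None."""
    return SHA256_IOCS.get(hashlib.sha256(data).hexdigest())


def jpeg_trailing_bytes(data):
    """Bytes appended after the JPEG's real End-Of-Image marker, or -1 if not a JPEG / truncated.
    Walks the marker segments instead of searching for FF D9, because an EXIF thumbnail
    inside an APP1 segment carries its own EOI and a naive search would stop there."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:                            # EOI: anything after it is appended
            return len(data) - (pos + 2)
        if marker == 0xFF:                            # fill byte
            pos += 1
        elif marker == 0x01 or 0xD0 <= marker <= 0xD8:  # TEM, RSTn, SOI: no length field
            pos += 2
        elif pos + 3 < len(data):
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes itself
            if marker == 0xDA:                        # SOS: skip entropy-coded data to next marker;
                while pos + 1 < len(data) and (       # FF 00 is stuffed data, FF D0-D7 are RSTn
                        data[pos] != 0xFF or data[pos + 1] == 0x00 or 0xD0 <= data[pos + 1] <= 0xD7):
                    pos += 1
        else:
            return -1
    return -1


def tiny_jpeg(with_thumbnail=False):
    """Constructed marker skeleton (SOI, APP0, optional APP1 thumbnail, SOS, EOI); not a real image."""
    app0 = b"\xff\xe0" + (2 + 4).to_bytes(2, "big") + b"JFIF"
    app1 = b""
    if with_thumbnail:
        body = b"Exif\x00\x00\xff\xd8\xff\xd9"          # embedded thumbnail with its own EOI
        app1 = b"\xff\xe1" + (2 + len(body)).to_bytes(2, "big") + body
    sos = b"\xff\xda" + (2 + 1).to_bytes(2, "big") + b"\x01"
    scan = b"\x12\xff\x00\x34"                        # entropy data containing a stuffed FF 00
    return b"\xff\xd8" + app0 + app1 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    print(match_log_lines(SAMPLE_LOG))
    print(jpeg_trailing_bytes(tiny_jpeg(True) + b"<appended payload>"))
```

A trailing-byte count of zero only rules out the crude append-after-EOI trick; data can still be parked inside an APP or COM segment or in the pixel data itself, so treat this as one check among several rather than as a verdict on the image. The hash lookup is exact-match only, which is the right behaviour for the listed samples but will not catch a re-packed zip or a re-obfuscated PowerShell script; the hostname hunt is the indicator most likely to survive such changes.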


Originally published by SANS ISC

Source: https://isc.sans.edu/diary/rss/33018
