Amatera Info Stealer Deployed via Phony Claude Code Guides for Malware Distribution
Cybercriminals Launch New Campaign to Spread Amatera Malware
Cybercriminals have launched a new campaign to spread the Amatera information-stealing malware, using fake installation guides for Claude Code, a product developed by Anthropic.
Malicious Websites and Google Ads
The attackers created convincing website clones that appeared at the top of Google search results for terms related to Claude Code installation, thanks to malicious Google Ads. These fake guides tricked users into running commands that ultimately led to the installation of the Amatera malware.
Legitimate Web Services Used to Host Malicious Content
The campaign, a variant of the ClickFix social engineering method, is notable for its use of legitimate web services to host the malicious pages. The attackers leveraged Squarespace, Cloudflare Pages, and Tencent EdgeOne to bolster the campaign’s stealth and credibility. This tactic allowed them to reach a wider audience, including both Windows and macOS users.
Stealing Sensitive Information
The Amatera malware is designed to steal sensitive information from infected systems. This is not the first time attackers have used fake installation guides to spread malware. Recently, phony OpenClaw installers, promoted through Bing’s AI search results, were used to deliver multiple infostealers and the GhostSocks proxy malware.
Need for Caution and Vigilance
The use of legitimate web services to host malicious content is a growing concern, because a trusted hosting domain lends a fake page credibility it would not otherwise have. This highlights the need for users to be cautious when searching for software installation guides online and to verify the authenticity of the websites they visit before running any command they find there. The campaign also underscores the importance of keeping software up to date and using reputable sources for downloads.
Related Developments
In a related development, a fake website impersonating the popular macOS utility CleanMyMac was used to deploy the SHub Stealer malware. This malware compromises saved credentials, cryptocurrency wallets, and other data, and also maintains a backdoor for persistence. Similarly, a ClickFix attack campaign was recently observed using the Windows Terminal app to distribute the Lumma Stealer malware.
“The VOID#GEIST malware campaign, which involves multiple batch scripts to deliver XWorm, AsyncRAT, and Xeno RAT payloads, is another example of the increasing complexity of malware attacks.”
Conclusion
These campaigns demonstrate the need for users and organizations to remain vigilant and to implement robust security measures to protect against information-stealing malware and other cyber threats.
