Claude Code: Fake Ads Hide a Fearsome Malware
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
Cybercriminals have managed to impersonate Claude Code and other AI tools to infect developers with infostealers, information thieves. Experts are sounding the alarm.
Cybersecurity researchers from Kaspersky recently uncovered a malicious campaign targeting developers looking to install Claude Code, the AI agent from Anthropic. The scheme is well-crafted, featuring fake advertisements that appear at the top of search engines, a cloned page that even deceives the most vigilant, and infostealers that silently install themselves. From personal data to corporate secrets, including access to cryptocurrencies, nothing is spared.
A Fake Claude Code Page So Convincing It Deceives Even the Most Cautious
The trap begins with a daily action: typing the query “Claude Code download” into a search engine. The problem is that among the top results, fraudulent ads sneak in discreetly. They are almost impossible to distinguish from legitimate ads. One of them redirects to a site hosted on Squarespace that perfectly replicates the official page of Anthropic. The layout is identical, and the instructions are copied word for word. In short, nothing betrays the imposture.
The user follows the instructions to the letter, executes the proposed commands, and unknowingly installs spyware instead of the expected tool. No error messages or alarm signals appear; everything proceeds as if the installation were legitimate. This is the insidious nature of the process, which exploits the natural trust placed in a page that seems official, and the speed with which developers execute such commands without questioning them.
Windows or Mac, No One Is Spared by These Infostealers
The installed malware varies depending on whether the victim uses Windows or Mac. On Windows, it is Amatera that runs. This malware methodically searches the computer, personal folders, browser history, and cryptocurrency wallets before sending the loot to a server controlled by the attackers. This malicious software operates like a rented service among cybercriminals: its creators make it available to any hacker willing to pay, following the malware-as-a-service model, as seen in recent ClickFix campaigns.
Mac users are not spared either. Here, it is AMOS that takes charge. This is spyware that Kaspersky has encountered in several attacks targeting Apple devices. Beyond personal data, it is primarily the professional risk that concerns experts. Vladimir Gursky, a cybersecurity specialist at Kaspersky, states that these campaigns are “particularly dangerous for companies whose developers rely on AI-assisted coding tools,” as one infection can be enough to expose the source code of a project, confidential access, or internal data without anyone noticing.
This behavior from hackers is not new, as in December 2025, Kaspersky had already dismantled a similar scam where Google ads impersonated ChatGPT to entice users to download a fake browser, Atlas Browser. To avoid falling into the trap, it is essential to:
- Verify that the download link points to the official project site.
- Never execute a command whose origin is not understood.
- Use antivirus software capable of detecting this type of spyware.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.