{ "type": "Domain", "indicator": "claude-code-macos.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/claude-code-macos.com", "alexa": "http://www.alexa.com/siteinfo/claude-code-macos.com", "indicator": "claude-code-macos.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4249892282, "indicator": "claude-code-macos.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69ae96195fe742dacdb87f53", "name": "InstallFix: How attackers are weaponizing malvertized install guides", "description": "A new attack technique called InstallFix targets users by cloning popular developer tool installation pages and presenting malicious install commands. Attackers distribute these fake pages through Google Ads, exploiting users' trust in familiar 'curl to bash' installation methods. The campaign specifically targets Claude Code users, delivering the Amatera Stealer malware. This technique bypasses email security controls and exploits the growing trend of non-technical users adopting developer tools. The attack leverages legitimate hosting services and is part of a broader trend targeting AI-related tools. The payload uses staged execution and various evasion techniques to avoid detection.", "modified": "2026-03-09T09:55:01.557000", "created": "2026-03-09T09:42:49.865000", "tags": [ "social engineering", "google ads", "claude code", "installfix", "malvertising", "amatera stealer" ], "references": [ "https://pushsecurity.com/blog/installfix/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amatera Stealer", "display_name": "Amatera Stealer", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 5, "domain": 6, "hostname": 14 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 386665, "modified_text": "84 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f46ded03e19a449030ba6e", "name": "Amatera Stealer", "description": "Amatera Stealer, un infostealer evolucionado de ACR Stealer que se comercializa como Malware-as-a-Service (MaaS).", "modified": "2026-05-31T09:01:47.951000", "created": "2026-05-01T09:10:05.108000", "tags": [ "ibm xforce", "virustotal", "a1b1", "amatera stealer", "acr stealer", "feedly", "installfix", "dominio c2", "stealer", "amatera", "robo", "autor", "copy", "powershell", "daily", "xforce", "phishing", "acr" ], "references": [ "https://lacrimae0rerum.github.io/CorvusDossiers/reports/claude-amatera-campaign/informe_estrategico.html", "https://exchange.xforce.ibmcloud.com/report/details/guid:f52c99c24f704788b8036f1ead587991", "https://www.esecurityplanet.com/artificial-intelligence/fake-claude-code-install-pages-spread-infostealer-malware/", "https://securityonline.info/the-vibe-coding-trap-fake-claude-code-installers-unleash-amatera-malware-via-search-ads/", "https://cybersecuritynews.com/claude-code-vulnerabilities/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ACR", "display_name": "ACR", "target": null }, { "id": "Amatera", "display_name": "Amatera", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "carlosxr7", "id": "50553", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_50553/resized/80/avatar_7684c667da.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 39, "FileHash-SHA1": 38, "FileHash-SHA256": 192, "URL": 5, "domain": 19, "hostname": 1 }, "indicator_count": 296, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69af4ff62a1b22a8c4fd71d8", "name": "Clone by Tr1sa111", "description": "", "modified": "2026-03-11T13:16:54.852000", "created": "2026-03-09T22:55:50.021000", "tags": [ "social engineering", "google ads", "claude code", "installfix", "malvertising", "amatera stealer" ], "references": [ "https://pushsecurity.com/blog/installfix/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amatera Stealer", "display_name": "Amatera Stealer", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "69af46d9ce7b302b43783c0a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 7, "domain": 6, "hostname": 14 }, "indicator_count": 28, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69af6f4db8c577cf34b6f35f", "name": "InstallFix Attacks Distributing Amatera Infostealer via Fake Claude Code Installation Guides", "description": "Threat actors are using fake Claude Code installation guides promoted through Google Ads to trick users into running malicious commands that download the Amatera infostealer.", "modified": "2026-03-10T01:09:33.585000", "created": "2026-03-10T01:09:33.585000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 9, "domain": 3, "URL": 3, "hostname": 13 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "83 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69af46d9ce7b302b43783c0a", "name": "InstallFix: How attackers are weaponizing malvertized install guides", "description": "", "modified": "2026-03-09T22:16:57.436000", "created": "2026-03-09T22:16:57.436000", "tags": [ "social engineering", "google ads", "claude code", "installfix", "malvertising", "amatera stealer" ], "references": [ "https://pushsecurity.com/blog/installfix/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amatera Stealer", "display_name": "Amatera Stealer", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "69ae96195fe742dacdb87f53", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 5, "domain": 6, "hostname": 14 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "83 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ae2d46c6a2ef2fdfe4fbc9", "name": "IOC - InstallFix: How attackers are weaponizing malvertized install guides", "description": "Attackers are distributing almost identical cloned sites of popular developer tools like Claude Code with fake install instructions via malicious search engine ads \u2014 tricking victims into installing infostealer malware instead.", "modified": "2026-03-09T02:15:34.360000", "created": "2026-03-09T02:15:34.360000", "tags": [ "domains" ], "references": [ "https://pushsecurity.com/blog/installfix/#id-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "84 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.1.csv", "https://pushsecurity.com/blog/installfix/#id-iocs", "https://lacrimae0rerum.github.io/CorvusDossiers/reports/claude-amatera-campaign/informe_estrategico.html", "https://cybersecuritynews.com/claude-code-vulnerabilities/", "https://securityonline.info/the-vibe-coding-trap-fake-claude-code-installers-unleash-amatera-malware-via-search-ads/", "https://exchange.xforce.ibmcloud.com/report/details/guid:f52c99c24f704788b8036f1ead587991", "https://www.esecurityplanet.com/artificial-intelligence/fake-claude-code-install-pages-spread-infostealer-malware/", "https://pushsecurity.com/blog/installfix/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Amatera stealer" ], "industries": [] }, "other": { "adversary": [ "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab" ], "malware_families": [ "Amatera", "Amatera stealer", "Acr" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69ae96195fe742dacdb87f53", "name": "InstallFix: How attackers are weaponizing malvertized install guides", "description": "A new attack technique called InstallFix targets users by cloning popular developer tool installation pages and presenting malicious install commands. Attackers distribute these fake pages through Google Ads, exploiting users' trust in familiar 'curl to bash' installation methods. The campaign specifically targets Claude Code users, delivering the Amatera Stealer malware. This technique bypasses email security controls and exploits the growing trend of non-technical users adopting developer tools. The attack leverages legitimate hosting services and is part of a broader trend targeting AI-related tools. The payload uses staged execution and various evasion techniques to avoid detection.", "modified": "2026-03-09T09:55:01.557000", "created": "2026-03-09T09:42:49.865000", "tags": [ "social engineering", "google ads", "claude code", "installfix", "malvertising", "amatera stealer" ], "references": [ "https://pushsecurity.com/blog/installfix/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amatera Stealer", "display_name": "Amatera Stealer", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 5, "domain": 6, "hostname": 14 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 386665, "modified_text": "84 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f46ded03e19a449030ba6e", "name": "Amatera Stealer", "description": "Amatera Stealer, un infostealer evolucionado de ACR Stealer que se comercializa como Malware-as-a-Service (MaaS).", "modified": "2026-05-31T09:01:47.951000", "created": "2026-05-01T09:10:05.108000", "tags": [ "ibm xforce", "virustotal", "a1b1", "amatera stealer", "acr stealer", "feedly", "installfix", "dominio c2", "stealer", "amatera", "robo", "autor", "copy", "powershell", "daily", "xforce", "phishing", "acr" ], "references": [ "https://lacrimae0rerum.github.io/CorvusDossiers/reports/claude-amatera-campaign/informe_estrategico.html", "https://exchange.xforce.ibmcloud.com/report/details/guid:f52c99c24f704788b8036f1ead587991", "https://www.esecurityplanet.com/artificial-intelligence/fake-claude-code-install-pages-spread-infostealer-malware/", "https://securityonline.info/the-vibe-coding-trap-fake-claude-code-installers-unleash-amatera-malware-via-search-ads/", "https://cybersecuritynews.com/claude-code-vulnerabilities/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ACR", "display_name": "ACR", "target": null }, { "id": "Amatera", "display_name": "Amatera", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "carlosxr7", "id": "50553", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_50553/resized/80/avatar_7684c667da.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 39, "FileHash-SHA1": 38, "FileHash-SHA256": 192, "URL": 5, "domain": 19, "hostname": 1 }, "indicator_count": 296, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69af4ff62a1b22a8c4fd71d8", "name": "Clone by Tr1sa111", "description": "", "modified": "2026-03-11T13:16:54.852000", "created": "2026-03-09T22:55:50.021000", "tags": [ "social engineering", "google ads", "claude code", "installfix", "malvertising", "amatera stealer" ], "references": [ "https://pushsecurity.com/blog/installfix/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amatera Stealer", "display_name": "Amatera Stealer", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "69af46d9ce7b302b43783c0a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 7, "domain": 6, "hostname": 14 }, "indicator_count": 28, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69af6f4db8c577cf34b6f35f", "name": "InstallFix Attacks Distributing Amatera Infostealer via Fake Claude Code Installation Guides", "description": "Threat actors are using fake Claude Code installation guides promoted through Google Ads to trick users into running malicious commands that download the Amatera infostealer.", "modified": "2026-03-10T01:09:33.585000", "created": "2026-03-10T01:09:33.585000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 9, "domain": 3, "URL": 3, "hostname": 13 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "83 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69af46d9ce7b302b43783c0a", "name": "InstallFix: How attackers are weaponizing malvertized install guides", "description": "", "modified": "2026-03-09T22:16:57.436000", "created": "2026-03-09T22:16:57.436000", "tags": [ "social engineering", "google ads", "claude code", "installfix", "malvertising", "amatera stealer" ], "references": [ "https://pushsecurity.com/blog/installfix/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amatera Stealer", "display_name": "Amatera Stealer", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "69ae96195fe742dacdb87f53", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 5, "domain": 6, "hostname": 14 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "83 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ae2d46c6a2ef2fdfe4fbc9", "name": "IOC - InstallFix: How attackers are weaponizing malvertized install guides", "description": "Attackers are distributing almost identical cloned sites of popular developer tools like Claude Code with fake install instructions via malicious search engine ads \u2014 tricking victims into installing infostealer malware instead.", "modified": "2026-03-09T02:15:34.360000", "created": "2026-03-09T02:15:34.360000", "tags": [ "domains" ], "references": [ "https://pushsecurity.com/blog/installfix/#id-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "84 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "claude-code-macos.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "claude-code-macos.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780318351.7459707 }