{
  "type": "URL",
  "indicator": "https://download.active-version.com/claude",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://download.active-version.com/claude",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4267939317,
      "indicator": "https://download.active-version.com/claude",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "6a0d11d08d4e79b73d788add",
          "name": "IOC - Windows and macOS Malware Spreads via Fake \u201cClaude Code\u201d Google Ads",
          "description": "Claude has been in the news for quite some time, and cybercriminals are capitalizing by anticipating that people will be searching for tools and downloads related to this LLM. To exploit this interest, they bought a convincing sponsored result that shows up above legitimate search results, redirecting victims to a fake documentation page that looks much like the real one.",
          "modified": "2026-05-20T01:43:44.066000",
          "created": "2026-05-20T01:43:44.066000",
          "tags": [],
          "references": [
            "https://www.bitdefender.com/en-us/blog/labs/fake-claude-code-google-ads-malware"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 6,
            "URL": 1,
            "hostname": 1
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bbbb60a8390fc9a5e0e715",
          "name": "EbeeMar2026 Pt4",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-04-18T08:06:12.483000",
          "created": "2026-03-19T09:01:20.593000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "email",
            "xdsfeerdfbn",
            "chlg url"
          ],
          "references": [
            "IOCs.2026.4.csv"
          ],
          "public": 1,
          "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 77,
            "FileHash-MD5": 122,
            "FileHash-SHA1": 103,
            "FileHash-SHA256": 164,
            "CVE": 25,
            "URL": 58,
            "domain": 107,
            "email": 30
          },
          "indicator_count": 686,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "44 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ba96193a5036bb442bffe3",
          "name": "Windows and macOS Malware Spreads via Fake Claude Code Google Ads",
          "description": "Recent research has unveiled a malicious Google Ads campaign that impersonates \"Claude Code,\" a language model developed by Anthropic, targeting both Windows and macOS users. The malicious advertisement redirects users to a fraudulent documentation page mimicking the official Claude Code resources, hosted on a Squarespace subdomain. The attackers leveraged a compromised advertiser account related to a Malaysian company to facilitate this campaign.",
          "modified": "2026-03-18T12:10:01.914000",
          "created": "2026-03-18T12:10:01.914000",
          "tags": [
            "google",
            "claude",
            "claude code",
            "windows",
            "bitdefender",
            "clickfix",
            "macho binary",
            "hta file",
            "msil",
            "google ads",
            "download",
            "powershell",
            "never",
            "code",
            "amos",
            "macos"
          ],
          "references": [
            "https://www.bitdefender.com/en-us/blog/labs/fake-claude-code-google-ads-malware"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1218.005",
              "name": "Mshta",
              "display_name": "T1218.005 - Mshta"
            },
            {
              "id": "T1583.002",
              "name": "DNS Server",
              "display_name": "T1583.002 - DNS Server"
            },
            {
              "id": "T1608.004",
              "name": "Drive-by Target",
              "display_name": "T1608.004 - Drive-by Target"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 6,
            "URL": 2,
            "hostname": 1
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "75 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b8333528047babb50a8af1",
          "name": "Fake Claude Code Google Ads Delivering Windows Stealer and macOS  Backdoor",
          "description": "A Google Ads campaign impersonates Claude Code documentation and\nredirects users to a fake site that instructs them to run commands that\ninstall malware on Windows and macOS systems.",
          "modified": "2026-03-16T16:43:33.040000",
          "created": "2026-03-16T16:43:33.040000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 6,
            "URL": 1,
            "hostname": 1,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1
          },
          "indicator_count": 10,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "77 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.bitdefender.com/en-us/blog/labs/fake-claude-code-google-ads-malware",
        "IOCs.2026.4.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code "
          ],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 800
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/active-version.com",
    "whois": "http://whois.domaintools.com/active-version.com",
    "domain": "active-version.com",
    "hostname": "download.active-version.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "6a0d11d08d4e79b73d788add",
      "name": "IOC - Windows and macOS Malware Spreads via Fake \u201cClaude Code\u201d Google Ads",
      "description": "Claude has been in the news for quite some time, and cybercriminals are capitalizing by anticipating that people will be searching for tools and downloads related to this LLM. To exploit this interest, they bought a convincing sponsored result that shows up above legitimate search results, redirecting victims to a fake documentation page that looks much like the real one.",
      "modified": "2026-05-20T01:43:44.066000",
      "created": "2026-05-20T01:43:44.066000",
      "tags": [],
      "references": [
        "https://www.bitdefender.com/en-us/blog/labs/fake-claude-code-google-ads-malware"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 6,
        "URL": 1,
        "hostname": 1
      },
      "indicator_count": 14,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bbbb60a8390fc9a5e0e715",
      "name": "EbeeMar2026 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-04-18T08:06:12.483000",
      "created": "2026-03-19T09:01:20.593000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "email",
        "xdsfeerdfbn",
        "chlg url"
      ],
      "references": [
        "IOCs.2026.4.csv"
      ],
      "public": 1,
      "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 77,
        "FileHash-MD5": 122,
        "FileHash-SHA1": 103,
        "FileHash-SHA256": 164,
        "CVE": 25,
        "URL": 58,
        "domain": 107,
        "email": 30
      },
      "indicator_count": 686,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "44 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ba96193a5036bb442bffe3",
      "name": "Windows and macOS Malware Spreads via Fake Claude Code Google Ads",
      "description": "Recent research has unveiled a malicious Google Ads campaign that impersonates \"Claude Code,\" a language model developed by Anthropic, targeting both Windows and macOS users. The malicious advertisement redirects users to a fraudulent documentation page mimicking the official Claude Code resources, hosted on a Squarespace subdomain. The attackers leveraged a compromised advertiser account related to a Malaysian company to facilitate this campaign.",
      "modified": "2026-03-18T12:10:01.914000",
      "created": "2026-03-18T12:10:01.914000",
      "tags": [
        "google",
        "claude",
        "claude code",
        "windows",
        "bitdefender",
        "clickfix",
        "macho binary",
        "hta file",
        "msil",
        "google ads",
        "download",
        "powershell",
        "never",
        "code",
        "amos",
        "macos"
      ],
      "references": [
        "https://www.bitdefender.com/en-us/blog/labs/fake-claude-code-google-ads-malware"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1218.005",
          "name": "Mshta",
          "display_name": "T1218.005 - Mshta"
        },
        {
          "id": "T1583.002",
          "name": "DNS Server",
          "display_name": "T1583.002 - DNS Server"
        },
        {
          "id": "T1608.004",
          "name": "Drive-by Target",
          "display_name": "T1608.004 - Drive-by Target"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 6,
        "URL": 2,
        "hostname": 1
      },
      "indicator_count": 15,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "75 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b8333528047babb50a8af1",
      "name": "Fake Claude Code Google Ads Delivering Windows Stealer and macOS  Backdoor",
      "description": "A Google Ads campaign impersonates Claude Code documentation and\nredirects users to a fake site that instructs them to run commands that\ninstall malware on Windows and macOS systems.",
      "modified": "2026-03-16T16:43:33.040000",
      "created": "2026-03-16T16:43:33.040000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 6,
        "URL": 1,
        "hostname": 1,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1
      },
      "indicator_count": 10,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "77 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://download.active-version.com/claude",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://download.active-version.com/claude",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780354926.9419103
}