Amid rising adoption of AI tools, a new malware campaign is targeting developers trying to install popular software like Claude Code and OpenClaw, according to a report by Kaspersky Threat Research.
The cybersecurity firm said attackers are using sponsored ads on search engines to redirect users to malicious websites that closely resemble official installation pages.
Kaspersky noted that when users search for “Claude Code download”, sponsored ads appear at the top of results. One such ad leads to a fake webpage designed to look like the tool’s official documentation. The page is hosted on Squarespace and appears almost identical to the real site, making it difficult for users to identify the scam. As a result, users may unknowingly run harmful commands while trying to install the tool.
Instead of installing the intended software, these commands deploy data-stealing malware on the system. On Windows devices, malware known as Amatera collects sensitive data from user directories, web browsers, and cryptocurrency wallets, and sends it to remote servers. This malware has been linked to earlier campaigns using the ClickFix method and operates under a malware-as-a-service model.
On macOS devices, attackers use AMOS, another infostealer that targets Apple systems.
“The campaign poses significant risks because AI development tools such as Claude Code and OpenClaw are widely used not only by hobbyists and automation enthusiasts but also by professional developers working in large organizations,” said Vladimir Gursky, cybersecurity expert at Kaspersky.
He added that infected systems could expose source code, corporate data, authentication credentials, and private accounts, making the threat serious for businesses.
Kaspersky researchers also found similar campaigns targeting other AI tools, including Doubao. Attackers have created multiple domains and are spreading malware disguised as legitimate downloads using similar tactics.
The report highlights increasing cybersecurity risks linked to the rapid use of AI tools, especially among developers who depend on external downloads and online documentation.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream LinkedIn | The Mainstream Facebook | The Mainstream Youtube | The Mainstream Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
