Fake Claude Code via Google Ads: How does it work?

Malvertising, the purchase of search ads to push malware, has become a reliable distribution vector. One recent example involves fraudulent Google ads promoting a download of “Claude Code,” impersonating Anthropic’s command-line coding agent of that name. The real tool is installed from Anthropic’s own documentation as a command-line program; it is not distributed as a ZIP archive containing a standalone Windows executable. The ads lure developers looking for AI-assisted coding tools into downloading malicious software. This article dissects the mechanics of the attack, from initial bait to payload execution, and highlights the risk of trusting an ad platform’s placement as a signal of legitimacy.

The Lure: Malvertising on Google Ads

The campaign begins with targeted Google Ads that appear in search results for queries such as “Claude code” or “Claude AI coding.” The ads mimic legitimate promotions, featuring polished graphics, Anthropic-style branding, and promises of a free, powerful AI coding assistant. Clicking an ad redirects users to a counterfeit website, often hosted on domains like claude-code[.]com or similar variants registered recently through privacy-protected registrars.

These phishing sites replicate the aesthetic of official Anthropic pages, complete with fake testimonials, download buttons, and urgency tactics such as “limited-time free download.” The domain age is typically under a month, and WHOIS data reveals anonymous registration through services like Njalla or Namecheap, evading quick takedowns. Security researchers note that Google Ads’ approval process, while stringent, can be bypassed using cloaking techniques—serving benign content to automated scanners while delivering malicious redirects to real users based on IP, user-agent, or behavioral signals.
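As an added example (not code from the original post or from Gnoppix), the following Python triage function applies the domain check described above to URLs written in the defanged style of a threat report: it refangs the URL, extracts the registrable domain, compares it against an assumed allowlist of Anthropic’s real domains, and flags brand-keyword look-alikes, including digit-for-letter substitutions and punycode hosts. The allowlist, the short list of multi-label public suffixes and the sample URLs are assumptions made for this example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist of the vendor's real registrable domains (example assumption,
# not an authoritative list): anything else that carries the brand is suspect.
OFFICIAL_DOMAINS = {"anthropic.com", "claude.ai", "claude.com"}
BRAND_TOKENS = ("claude", "anthropic")

# Digit-for-letter substitutions common in typosquats (cl4ude, c1aude, ...).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

# Small subset of multi-label public suffixes; a real tool should consult the
# Public Suffix List (assumption for this example).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br", "co.in"}


def refang(url):
    """Undo the defanging used in threat reports: hxxps -> https, [.] -> ."""
    url = url.strip()
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def hostname(url):
    """Return the lowercase hostname, accepting bare domains without a scheme."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host):
    """Collapse subdomains to the registrable part (docs.anthropic.com -> anthropic.com)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(host):
    """Fold accents, drop separators and undo leetspeak so brand tokens can be matched."""
    folded = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return folded.replace("-", "").replace("_", "").translate(LEET)


def classify(url):
    """Return 'official', 'impersonation', 'idn_lookalike', 'unrelated' or 'invalid'."""
    host = hostname(url)
    if not host:
        return "invalid"
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    # Punycode or raw non-ASCII hosts: homoglyphs hide the brand from plain
    # substring matching, so treat them as suspect before normalizing.
    if "xn--" in host or any(ord(c) > 127 for c in host):
        return "idn_lookalike"
    if any(token in normalize(host) for token in BRAND_TOKENS):
        return "impersonation"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample inputs in the defanged style of a threat report.
    for sample in ("hxxps://claude-code[.]com/download", "https://docs.anthropic.com/",
                   "cl4ude-ai[.]top", "https://anthropic.com.evil.example/",
                   "https://github.com/"):
        print(f"{classify(sample):14s} {sample}")
```

The ordering matters: an exact allowlist match wins first, so a legitimate subdomain is never flagged, while a brand name used as a subdomain of someone else’s registrable domain (anthropic.com.evil.example) is still caught.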

Infection Chain: From Click to Compromise

Upon landing on the fake site, victims encounter a prominent “Download Now” button leading to a ZIP archive named something innocuous like “ClaudeCode_v1.2.zip.” The archive contains a Windows executable (e.g., ClaudeCode.exe), masquerading as a legitimate installer. Antivirus detection varies; many engines flag it as a generic Trojan, but evasion tactics like obfuscated strings and packed binaries reduce initial alerts.

Execution unfolds in stages:

  1. Initial Dropper Activation: The EXE unpacks to a temporary directory, such as %TEMP%\ClaudeCode. It checks for virtualization environments (e.g., VMware, VirtualBox) using registry keys and process lists, terminating if sandboxed. A fake GUI launches, displaying a progress bar and Anthropic-like loading animations to build credibility.

  2. Persistence Mechanisms: The malware establishes a foothold via scheduled tasks (e.g., “ClaudeUpdate” running daily) and registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). To blend with system activity it uses process hollowing (starting a legitimate binary such as explorer.exe or svchost.exe in a suspended state and replacing its image in memory) or DLL side-loading (dropping a malicious DLL beside a trusted signed executable that loads it by name).

  3. Payload Deployment: Core functionality deploys an infostealer module. This component targets:

    • Browser Data: Credentials, cookies, and autofill from Chrome, Edge, and Firefox by parsing their SQLite stores (e.g., %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data; Firefox keeps logins.json and key4.db under %APPDATA%\Mozilla\Firefox\Profiles). Chromium-based browsers wrap the per-entry AES-GCM key with DPAPI in the Local State file, so a process running in the victim’s own session can unwrap it without any privilege escalation; Chrome’s newer app-bound encryption raises the bar for cookies, but current stealer families have already adapted to it.

    • Crypto Wallets: Extensions like MetaMask, Phantom, and desktop apps (Exodus, Electrum) through memory scraping and file enumeration.

    • System Recon: Collects machine GUID, IP, hardware specs, and screenshots, exfiltrating via HTTPS POST to C2 servers on bulletproof hosting (e.g., Russian or Eastern European IPs).

    The stealer employs AES-256 encryption for stolen data before transmission, using domains like update-claude[.]top or API endpoints mimicking legitimate services.

  4. Anti-Analysis Evasion: Long delays (via NtDelayExecution) to outlast sandbox timeouts, string encryption (XOR with per-sample keys), and API hashing (resolving imports at runtime by walking the PEB loader lists instead of naming them in the import table) thwart static analysis. It also checks cursor position and mouse movement: a system with no user input is treated as an automated sandbox rather than a real victim, and execution stops.
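The four stages above leave a handful of host telemetry events that are visible even when the binary itself is not detected. As an added example (not from the original post or from Gnoppix), here is Python detection logic run over a constructed set of Sysmon-style events: execution from a user-writable path, a schtasks /create spawned from that path, a Run-key write pointing back into it, a non-browser process reading a browser credential store, and an outbound connection from the same process. Each rule alone is noisy; the triage step correlates hits per process so that several weak signals on one PID become the alert. Field names, paths, the task name and the destination domain are constructed for the example and mirror the indicators the post describes.

```python
import re

# Paths a standard user can write to; execution or persistence rooted here is suspect.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Files that hold saved logins/cookies for Chromium-based browsers and Firefox.
CRED_STORE_FILES = {"login data", "cookies", "web data", "key4.db", "logins.json"}
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)

# Constructed Sysmon-style events (not real telemetry) mirroring the stages in the
# post: dropper in %TEMP%, schtasks persistence, Run key, credential-store read and
# a beacon, plus two benign events that must not alert.
TEMP_EXE = "C:\\Users\\dev\\AppData\\Local\\Temp\\ClaudeCode\\ClaudeCode.exe"
LOGIN_DATA = "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
EVENTS = [
    {"ts": 100, "type": "process_create", "pid": 4100, "ppid": 3900, "image": TEMP_EXE,
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "ClaudeCode.exe"},
    {"ts": 102, "type": "process_create", "pid": 4120, "ppid": 4100,
     "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": TEMP_EXE,
     "cmdline": f'schtasks /create /tn ClaudeUpdate /tr "{TEMP_EXE}" /sc daily'},
    {"ts": 103, "type": "registry_set", "pid": 4100, "image": TEMP_EXE,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ClaudeCode", "value": TEMP_EXE},
    {"ts": 110, "type": "file_read", "pid": 4100, "image": TEMP_EXE, "path": LOGIN_DATA},
    {"ts": 115, "type": "network_connect", "pid": 4100, "image": TEMP_EXE,
     "dest_host": "update-claude.top", "dest_port": 443},
    {"ts": 200, "type": "file_read", "pid": 5200,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "path": LOGIN_DATA},
    {"ts": 201, "type": "process_create", "pid": 5300, "ppid": 3900,
     "image": "C:\\Program Files\\Git\\cmd\\git.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "git pull"},
]


def in_user_writable(path):
    p = (path or "").lower()
    return any(marker in p for marker in USER_WRITABLE)


def basename(path):
    return (path or "").lower().rsplit("\\", 1)[-1]


def rule_hits(ev):
    """Yield (rule, actor_pid) for each detection rule the event triggers."""
    t = ev["type"]
    if t == "process_create":
        if in_user_writable(ev["image"]):
            yield "exec_from_user_writable", ev["pid"]
        # A schtasks /create is attributed to the parent that spawned it.
        if (basename(ev["image"]) == "schtasks.exe" and "/create" in ev.get("cmdline", "").lower()
                and in_user_writable(ev.get("parent_image"))):
            yield "scheduled_task_persistence", ev["ppid"]
    elif t == "registry_set":
        if RUN_KEY.search(ev["key"]) and in_user_writable(ev.get("value")):
            yield "run_key_persistence", ev["pid"]
    elif t == "file_read":
        if basename(ev["path"]) in CRED_STORE_FILES and basename(ev["image"]) not in BROWSER_IMAGES:
            yield "browser_credential_store_access", ev["pid"]
    elif t == "network_connect":
        if in_user_writable(ev["image"]):
            yield "beacon_from_user_writable", ev["pid"]


SEVERITY = ((4, "high"), (2, "medium"), (1, "low"))


def triage(events):
    """Correlate rule hits per process; the count of distinct rules sets the severity."""
    images = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process_create"}
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule, pid in rule_hits(ev):
            entry = findings.setdefault(pid, {"image": images.get(pid), "rules": set()})
            entry["rules"].add(rule)
    for entry in findings.values():
        n = len(entry["rules"])
        entry["severity"] = next(label for limit, label in SEVERITY if n >= limit)
    return findings


if __name__ == "__main__":
    for pid, f in triage(EVENTS).items():
        print(pid, f["severity"], f["image"], sorted(f["rules"]))
```

On the sample, only PID 4100 is reported, at high severity, with all five rules; Chrome reading its own Login Data and git.exe running from Program Files produce nothing. The same rule set maps directly onto Sysmon event IDs 1, 13, 11 and 3, or onto an EDR query language, once the field names are adjusted.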

Command-and-Control Infrastructure

Post-infection, the malware phones home to a C2 panel built on open-source frameworks like Covenant or Empire, customized for stealth. C2 communication uses a domain generation algorithm (DGA), so new rendezvous domains are computed on a schedule and taking down any one of them does not sever control, with a WebSocket fallback if plain HTTP is blocked. Logs reveal campaigns active since mid-2024, with over 1,000 infections tracked across Europe and North America, peaking during developer conferences and AI hype cycles.
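If the C2 channel uses a DGA as described, the resolver logs show a recognizable pattern: one host issues a burst of NXDOMAIN responses for long, high-entropy, vowel-poor labels, followed by the first name that actually resolves. As an added example (not from the original post or from Gnoppix), this Python code scores each queried label and reports the clients that exhibit such a burst, together with what resolved right after it. The log format, the thresholds and the sample lines are constructed for the example; baseline the thresholds on your own traffic before relying on them.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real data): "<unix_ts> <client> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
1718000001 10.0.0.25 github.com NOERROR
1718000002 10.0.0.25 api.github.com NOERROR
1718000003 10.0.0.31 qx7ftk2bvq9e.top NXDOMAIN
1718000003 10.0.0.31 p3zkdw8rhm4c.top NXDOMAIN
1718000004 10.0.0.31 vj6ytq1nxl5d.top NXDOMAIN
1718000004 10.0.0.31 m2hcr9bkwz7f.top NXDOMAIN
1718000005 10.0.0.31 tb8nql4sxe3g.top NXDOMAIN
1718000005 10.0.0.31 update-claude.top NOERROR
1718000006 10.0.0.25 nonexistent-typo.example NXDOMAIN
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits per character; a 12-character label tops out at log2(12), about 3.58."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label, min_len=8, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic: long, high-entropy, vowel-poor labels are typical DGA output.
    Thresholds are assumptions for this example; real words fail the vowel test."""
    label = label.lower()
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.lower().rstrip("."), rcode


def find_dga_clients(log_text, min_generated_nx=4):
    """Report clients whose NXDOMAIN burst to generated-looking names reaches the
    threshold, plus the names that resolved after the burst (live C2 candidates)."""
    records = sorted((parse_line(line) for line in log_text.strip().splitlines()),
                     key=lambda r: r[0])
    per_client = defaultdict(lambda: {"generated_nxdomain": [], "resolved_after": []})
    for ts, client, qname, rcode in records:
        labels = qname.split(".")
        sld = labels[-2] if len(labels) >= 2 else qname   # label left of the TLD
        entry = per_client[client]
        if rcode == "NXDOMAIN" and looks_generated(sld):
            entry["generated_nxdomain"].append(qname)
        elif rcode == "NOERROR" and len(entry["generated_nxdomain"]) >= min_generated_nx:
            entry["resolved_after"].append(qname)
    return {c: e for c, e in per_client.items()
            if len(e["generated_nxdomain"]) >= min_generated_nx}


if __name__ == "__main__":
    for client, info in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(client, len(info["generated_nxdomain"]), "generated NXDOMAINs; resolved after:",
              info["resolved_after"])
```

On the sample, 10.0.0.31 is reported with five generated-looking NXDOMAINs and update-claude.top as the name that resolved immediately afterwards; 10.0.0.25’s single typo NXDOMAIN is ignored because the label is vowel-rich. Everything that resolves after a burst is worth a look, since the successful rendezvous domain is the one to block and to pivot on in proxy logs.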

Victim data is auctioned on underground forums like Exploit.in or Russian-language Telegram channels, fetching $10-50 per credential set. Attackers, linked to Russian-speaking groups via code similarities with prior LummaStealer variants, prioritize high-value targets like GitHub users and crypto enthusiasts.

Mitigation Strategies

Defending against such threats requires layered approaches:

  • Ad Blockers and Safe Browsing: A content blocker such as uBlock Origin filters sponsored results and known malvertising domains (on Chrome, Manifest V3 limits what such extensions can do, so uBlock Origin Lite or Firefox gives fuller coverage); keep the browser’s Safe Browsing protection enabled as a second layer.

  • Endpoint Protection: Next-gen AV with behavioral analysis (e.g., detecting unusual registry writes or network beacons).

  • User Education: Obtain Claude Code only from Anthropic’s own site and documentation (anthropic.com); the real tool is a command-line program installed as the npm package @anthropic-ai/claude-code, not a ZIP archive with a Windows executable inside. Type the vendor URL rather than clicking a sponsored result, and read the landing domain character by character.

  • Enterprise Controls: Browser policies that enforce Safe Browsing and block unapproved extensions, DNS filtering (e.g., Quad9), application control (AppLocker or WDAC) so that unsigned executables cannot run from %TEMP% or Downloads, and zero-trust access for internal services.

Google has suspended implicated accounts, but resurgence is common due to affiliate models where low-level operators earn commissions.

This campaign shows how attackers turn AI buzzwords against legitimate search intent. As malvertising evolves, vigilance remains paramount in protecting developer workflows.

Gnoppix is the leading open-source AI Linux distribution and service provider. Since implementing AI in 2022, it has offered a fast, powerful, secure, and privacy-respecting open-source OS with both local and remote AI capabilities. The local AI operates offline, ensuring no data ever leaves your computer. Based on Debian Linux, Gnoppix is available with numerous privacy- and anonymity-enabled services free of charge.

What are your thoughts on this? I’d love to hear about your own experiences in the comments below.