
AhnLab said on Tuesday it confirmed a case in which a phishing site impersonating the generative AI service Claude distributed information-stealing malware, and urged users to be cautious.

The company said that as global interest in Claude has recently increased, it found a phishing site that closely mimicked Claude’s official homepage and lured users into downloading malware.

The site displays the phrase “Bring Claude to your Desktop” and provides download buttons for each operating system, such as Windows and macOS. When users click the download button for their OS, no installer file is downloaded; instead, a pop-up window appears with installation instructions. The notice says the download will begin if users copy a specific command and paste it into their PC’s system. If users follow the process, malware is installed that steals files, browser-stored information and cryptocurrency wallet information from the PC, then sends them to an attacker’s server.

This method, which poses as guidance or error pop-ups and induces users to execute malicious commands themselves through copy-and-paste, is called the ClickFix technique and is actively used in various malware distribution attacks.

At the time it was discovered, the phishing site appeared at the top of Google results for searches on keywords such as “claude app” and “claude desktop”. AhnLab assessed that the attacker manipulated exposure rankings using Google’s search advertising service to lure users trying to install Claude on their PCs.

Kim Dong-hyun (김동현), a manager at AhnLab who analysed the case, said, “Cases of distributing malware through phishing sites that precisely impersonate the latest trending or widely used well-known services continue to occur.” He said, “Many users tend to trust sites exposed at the top of search results, and as tactics that even manipulate exposure rankings are being used, special caution is needed.”

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.