Possible ACR Stealer From Page Impersonating Claude, (Tue, May 26th)
ID: 3765c49c-1822-5882-a7a4-3ae3ca9b3c0c
STIX ID: report--3765c49c-1822-5882-a7a4-3ae3ca9b3c0c
Feed Name: SANS ISC Diary
This report describes a campaign delivering malware via impersonated "Claude" download pages promoted through malicious Google search ads; the pages present OS-specific install instructions that lead to downloads tied to ACR Stealer. The author provides multiple IOCs — initial and follow-up download URLs, a JPEG linked in the chain, SHA256 hashes, file sizes and types, and an observed post-infection C2 domain — along with traffic captures showing infection behavior.