Indicators of Compromise (IOCs)
| IOC Type | Value | Notes |
|---|---|---|
| Domain (malicious) | clude-promo-offer[.]com | Typosquat of claude.com — missing "a" |
| File delivered | installer.exe | Windows PE executable — do not run |
| Ad sponsor name | BlockFlow | No relationship with Anthropic |
| Meta pixel ID | 1360099919291289 | Tracking pixel embedded in ad |
| Meta campaign ID | 120246120865360573 | From UTM parameters |
| Ad display URL | CLAUDE.COM | Shown in ad — misleading |
| Actual click URL | clude-promo-offer[.]com | Visible in browser status bar on hover |
| First observed | 21 May 2026, ~22:00 EEST | Elmahrosa observation, Egypt |
| Target region | MENA | Delivered to Egypt-based Facebook accounts |

Do not visit clude-promo-offer[.]com. Do not download or execute installer.exe from this domain. If you have already downloaded the file: do not open it. Delete it immediately and empty the Recycle Bin.
If you have already downloaded the file
1. Do not open the file. Delete it from your Downloads folder. Empty the Recycle Bin.
2. Disconnect from the internet if you opened the file, to prevent credential exfiltration.
3. Run a full scan with Windows Defender → Full scan. Then a second-opinion scan with Malwarebytes Free.
4. Change passwords from a clean separate device: Anthropic Portal, all Gmail accounts, GitHub, Hostinger, LinkedIn, any crypto wallet.
5. Revoke active sessions in Gmail, GitHub, and Anthropic Console.
How to verify a Claude download is legitimate
The only legitimate Claude-branded downloads are hosted on Anthropic-controlled domains:
- ✓ claude.ai — Main Claude web app and download portal
- ✓ anthropic.com — Official company website
- ✓ claude.com — Anthropic-owned redirect domain
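
The check above can be automated by comparing the host a link really resolves to against the three listed domains. The following is an added example, not part of the original advisory: it assumes subdomains of the listed domains also count as official, and the `lookalike.example` URLs used to exercise it are constructed test inputs.

```python
from urllib.parse import urlsplit

# Domains the advisory lists as Anthropic-controlled.
OFFICIAL_DOMAINS = ("claude.ai", "anthropic.com", "claude.com")


def hostname_of(url: str) -> str:
    """Return the lower-cased host a browser would actually connect to."""
    url = url.strip().replace("[.]", ".")  # accept defanged IOC notation
    if "://" not in url:
        url = "https://" + url  # bare domains, e.g. an ad's display URL
    host = urlsplit(url).hostname or ""  # .hostname drops userinfo and port
    return host.rstrip(".")


def is_official(url: str) -> bool:
    """True only for a listed domain or (assumption) one of its subdomains."""
    host = hostname_of(url)
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_ad(display_url: str, click_url: str) -> str:
    """Compare what an ad displays with where its link really goes."""
    if is_official(click_url):
        return "ok"
    target = hostname_of(click_url).replace(".", "[.]")  # defang for reports
    if is_official(display_url):
        return "mismatch: displays an official domain, links to " + target
    return "unofficial: " + target


if __name__ == "__main__":
    # Constructed inputs, except the display/click pair from the IOC table.
    samples = [
        ("CLAUDE.COM", "clude-promo-offer[.]com"),
        ("claude.com", "https://claude.com.lookalike.example/download"),
        ("claude.com", "https://claude.com@lookalike.example/"),
        ("claude.ai", "https://claude.ai/download"),
    ]
    for display, click in samples:
        print(f"{display:12} {click:50} {check_ad(display, click)}")
```

Matching on the parsed hostname rather than searching the URL string is what rejects the prefix and `@` forms, which contain the text `claude.com` but connect elsewhere.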
Reporting similar threats
- → Report to Anthropic: security@anthropic.com
- → Report the Facebook ad: ··· menu on the ad → Report Ad → Scam or fraud
- → Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish/
- → Report to Elmahrosa: ayman@elmahrosa.org