CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 05, 2026

Hackers Use Fake Claude Code Install Page to Deliver Fileless .NET Infostealer

Cybersecurity News Archived Jun 05, 2026 ✓ Full text saved

Hackers are exploiting the excitement around AI coding tools by targeting users who search for Claude Code installation guides. An active campaign uses fake installer pages to silently steal credentials from unsuspecting victims. The attackers use SEO poisoning to push a spoofed Anthropic install page to the top of search results. Once a user lands […] The post Hackers Use Fake Claude Code Install Page to Deliver Fileless .NET Infostealer appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    Discover more Penetration testing services Malware removal software Incident response services HomeCyber Security News Hackers Use Fake Claude Code Install Page to Deliver Fileless .NET Infostealer By Tushar Subhra Dutta June 4, 2026 Hackers are exploiting the excitement around AI coding tools by targeting users who search for Claude Code installation guides. An active campaign uses fake installer pages to silently steal credentials from unsuspecting victims. The attackers use SEO poisoning to push a spoofed Anthropic install page to the top of search results. Once a user lands there, the trap is set. The campaign is designed for a very specific audience. Rather than targeting IT professionals, it goes after first-time developers and non-technical users excited about a new tool. These users have no baseline for what a real installation process looks like, making them more likely to follow instructions without question. The delivery chain is six stages deep and almost entirely fileless after the first step. Analysts from Cyderes, through their threat research unit Howler Cell, identified this active SEO poisoning campaign targeting users searching for Claude Code installation guides. According to Cyderes report shared with Cyber Security News (CSN), attackers placed a spoofed Anthropic install page at the top of search results and used a ClickFix lure to execute a malicious MSHTA command via the Windows Run dialog. The final payload is a reflective .NET infostealer that beacons to Russian infrastructure for credential exfiltration. The consequences of a successful infection are serious. Stolen credentials, drained accounts, and compromised identities are among the real-world outcomes Howler Cell flagged in their analysis. Many victims have no enterprise security controls between them and a spoofed download page. Anthropic is not compromised and its brand is simply being impersonated. What makes this campaign stand out is the deliberate targeting logic. Operators tracked Claude Code’s rapid adoption and turned it into an attack surface. The delivery chain was engineered to defeat file inspection, AMSI scanning, EDR telemetry, sandbox analysis, and IOC matching at every layer. Hackers Use Fake Claude Code Install Page The attack starts when a user searches for “Claude Code install” and clicks what looks like a legitimate Anthropic setup page. The page instructs the visitor to open the Windows Run dialog and paste a pre-staged mshta.exe command, framed as a required step. This is the ClickFix method, a social engineering technique that disguises attacker-controlled MSHTA commands as routine setup steps. Stage 1 begins when mshta.exe retrieves a 6.7 MB MP3/HTA polyglot payload from download.version-516[.]com/claude. This file passes as playable audio during security scans while hiding an executable HTA script block inside. When mshta.exe processes the file, it skips the audio and runs the hidden script. Security tools inspecting the file header see a legitimate MP3, not a threat. MP3 – HTA polyglot — VLC sees playable audio; mshta.exe finds and executes the embedded HTA script block (Source – Cyderes) Stage 2 uses the HTA to register a scheduled task via a COM object, spawning a 32-bit PowerShell process. Targeting the 32-bit binary is intentional because EDR coverage is often weighted toward 64-bit activity. The script performs an AMSI bypass, RC4 decryption, and victim fingerprinting via an MD5 hash of the machine and username. Stage 3 fetches a 17 MB obfuscated script in memory from a unique subdomain on oakenfjrod[.]ru, leaving nothing on disk. Reflective .NET Infostealer: Fileless and Hard to Catch The final stage is a reflective .NET infostealer that runs entirely within the existing PowerShell process address space. It leaves no file artifact, spawns no new process, and creates no image-load event for defenders to anchor on. The loading method mirrors techniques used by advanced tools like Cobalt Strike, but executed fully from PowerShell. Reflective .NET loader — final shellcode executes entirely within the existing PowerShell process address space (Source – Cyderes) The infostealer beacons over HTTPS to 185[.]177[.]239[.]255:443 for command and control and credential theft. SensitiveFileRead telemetry confirmed browser credential store access during execution. EDR platforms with .NET assembly load visibility can detect this where file-based controls cannot. Defenders should treat any Claude Code install page prompting a Run dialog paste as a likely infection event. Blocking mshta.exe outbound HTTPS connections covers Stage 1 regardless of obfuscation. DNS queries to any subdomain of oakenfjrod[.]ru are a strong compromise indicator, and wildcard domain blocking is far more effective than per-subdomain IOC matching. Indicators of Compromise (IoCs):- Type Indicator Description Domain download.version-516[.]com HTA payload delivery; fake Claude Code download site Domain oakenfjrod[.]ru Stage 3 C2 (wildcard: *.oakenfjrod[.]ru) IP 185[.]177[.]239[.]255 Final stealer C2 IP for credential exfiltration URL https://[md5_16char].oakenfjrod[.]ru/claude-[uuid] Per-victim C2 beacon URL structure Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Critical StrongDM Vulnerability Allows Attackers to Steal and Reuse Authentication Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users Latest News Cyber Security News Stock Exchange Executive’s Outlook Account Targeted to Exfiltrate Credentials Cyber Security News CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks Cyber Security Anthropic’s Claude Oceanus-v1-p Opens to Red Team Testing, but Distribution is Compromised Cyber Security News Cybercriminals Shift From Fake Login Pages to Infostealer Malware in Phishing Attacks Cyber Security News Proofpoint Warns TA4922 Deploys Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 05, 2026
    Archived
    Jun 05, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗