Fake Claude Code Installers Deliver Credential-Stealing Malware
Security researchers describe an active SEO-poisoning and malvertising campaign that places spoofed Claude Code install pages at the top of search results, then uses a ClickFix lure to trick users into running a malicious MSHTA command that delivers a fileless infostealer. Cyderes' Howler Cell reports a multi-stage, largely fileless chain ending in a reflective .NET infostealer that beacons to 185.177.239.255 for command-and-control and browser-credential theft; EclecticIQ, SC Media, Trend Micro, and others corroborate parallel spoofing of Claude Code and Gemini CLI install pages. Reported techniques include an MP3/HTA polyglot that passes file-type inspection while executing under mshta.exe, plus per-victim artifacts that weaken static IOC matching. Cyderes states that Anthropic and the legitimate Claude Code install path are not compromised; the campaign impersonates the brand to target developers, small-business owners, and others who lack enterprise-grade defenses.
What happened
Security teams report an active SEO-poisoning and malvertising campaign that targets people searching for how to install Claude Code. Cyderes' Howler Cell describes a spoofed Anthropic install page promoted to the top of search results, where a ClickFix lure instructs the user to open the Windows Run dialog and paste a malicious mshta.exe command. EclecticIQ, SC Media, Trend Micro, Infosecurity Magazine, and Hackread report parallel spoofing of Claude Code and Gemini CLI install pages that lead to the same family of fileless infostealers.
Technical details
Cyderes reports a delivery chain roughly six stages deep and fully fileless after the first stage, designed to defeat file inspection, AMSI, EDR telemetry, sandbox analysis, and static IOC matching. An MP3/HTA polyglot passes file-type inspection as playable audio while executing as an HTA when processed by mshta.exe. The chain ends in a reflective .NET infostealer that beacons over HTTPS to 185.177.239.255 for command-and-control and credential exfiltration, with file-read telemetry confirming access to browser credential stores.
Evasion and targeting
Researchers note a per-victim subdomain scheme derived from a hash of the computer and user name, which reduces the value of static URL blocklists. Because execution is hands-on-keyboard through the Run dialog, the lure also sidesteps many automated sandbox checks. Cyderes frames the likely victims as developers, entrepreneurs, small-business owners, and educators adopting AI coding tools without enterprise-grade endpoint protection.
Attribution and scope
Cyderes states explicitly that Anthropic and the legitimate Claude Code install path are not compromised; the campaign impersonates the brand. Multiple vendors have observed similar spoofing and payload patterns across install pages for other developer tools, indicating a reusable playbook rather than a one-off lure.
For defenders
- Treat sponsored and top-ranked install links as untrusted, and verify install commands against the vendor's official domain.
- Alert on mshta.exe spawned from a browser or the Run dialog, reflective .NET loads, and processes reading browser credential files.
- Prefer behavioral detections over static IOCs, since per-victim subdomains and fileless stages shorten the useful life of indicators.
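As an added illustration of the behavioral detections listed above (example code written for this page, not from Cyderes or any cited vendor), the following Python triage runs over constructed Sysmon-style process-creation records and flags mshta.exe launched from explorer.exe (the Run dialog) or a browser, fetching remote content, or pointed at a target whose extension is not .hta, which is the MP3/HTA polyglot pattern described under Technical details. Field names follow Sysmon Event ID 1; the events and hostnames are constructed.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style; not from a real incident.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://example.invalid/install/track.mp3"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://example.invalid/page.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "Code.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\ProgramData\vendor\setup.hta"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
RUN_DIALOG_PARENT = "explorer.exe"  # commands typed into Win+R are children of explorer.exe


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of suspicious traits for one event; empty means not flagged."""
    reasons = []
    if basename(ev["Image"]) != "mshta.exe":
        return reasons
    parent = basename(ev["ParentImage"])
    if parent == RUN_DIALOG_PARENT:
        reasons.append("mshta spawned from explorer.exe (Run dialog / ClickFix pattern)")
    elif parent in BROWSERS:
        reasons.append(f"mshta spawned from browser {parent}")
    # Argument after the image name: remote URL, or a target not carrying an HTA extension
    args = ev["CommandLine"].split(None, 1)[1] if " " in ev["CommandLine"] else ""
    if re.match(r"https?://", args, re.I):
        reasons.append("mshta fetching remote content")
    ext = args.lower().rsplit(".", 1)[-1] if "." in args else ""
    if args and ext not in ("hta", "htm", "html"):
        reasons.append(f"mshta target has non-HTA extension .{ext} (possible polyglot)")
    return reasons


def triage(events):
    """Index and reasons for every event that raised at least one trait."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]
```

Only the two mshta launches from explorer.exe and Chrome are returned; the legitimate editor launch and the locally installed .hta under a service parent are not.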
Key Points
1. Spoofed Claude Code install pages in paid search results use a ClickFix lure to deliver fileless infostealers, enabling credential theft at scale.
2. Attackers swap a single host into a familiar install command, then chain obfuscated PowerShell, MSHTA, and an MP3/HTA polyglot to evade static and sandbox detection.
3. Defenders gain higher-fidelity signals from behavioral detections on mshta.exe, reflective .NET activity, and browser-key exfiltration than from static URL or IOC lists.
Scoring Rationale
A practitioner-relevant supply-of-trust attack: spoofed Claude Code install pages in paid search deliver a fileless infostealer that harvests developer and browser credentials. It matters to endpoint, security, and developer-tooling teams because per-victim artifacts and fileless stages blunt static IOCs, but it is an evolving criminal campaign rather than a novel, industry-defining capability.
Sources
Public references used for this report.
- 'Claude Code install' search result leads to ClickFix infostealer attack (scworld.com)
- Fake Gemini and Claude Code Sites Spread Infostealers Through SEO Poisoning (infosecurity-magazine.com)
- Fake Claude Code Installer Targets Developers With Browser ... (hackread.com)
- Fake Claude Code, Real Malware: Inside the Campaign Targeting ... (straiker.ai)
- Claude Fraud - When Trusted Tools Become the Attack Surface - Blog (blog.7ai.com)
- LLMShare: using shared chatbot pages to distribute malware (pushsecurity.com)
- Fake Claude Code Installation Pages Infostealer Threats (lumificyber.com)
- Fake Claude Code Packages Can Steal Developer Credentials (trustifi.com)
- Malware campaign impersonating Claude Code install via Google Ads (github.com)
- Poisoning Claude Code: One GitHub Issue to Break the Supply Chain (flatt.tech)
- Fake Claude Code Installers Deliver Credential-Stealing Malware (itsecuritynews.info)