Ransomware, Malware

‘Claude Code install’ search result leads to ClickFix infostealer attack

(Credit: daily_creativity – stock.adobe.com)

An attack impersonating the Claude Code installation process leverages search engine optimization (SEO) poisoning and ClickFix social engineering to stealthily execute a .NET-based infostealer, Cyderes’s Howler Cell disclosed Thursday.

Researchers reported that the spoofed Claude Code installation page appeared at the top of search results for the search term “Claude Code install” and instructed victims to run a Windows MSHTA command to purportedly install the popular AI-powered coding tool.

Instead, this command retrieves an MP3/HTA polyglot file from a remote server — a file that functions as a playable audio file but includes a malicious HTA script block. This method defeats file-type filtering defenses but enables MSHTA to execute the HTML application, kicking off the next stage of the attack.

The HTA script spawns cmd.exe through a scheduled task and invokes the 32-bit PowerShell binary to execute an additional script. The use of the 32-bit binary adds an additional layer of evasion, as endpoint detection and response (EDR) telemetry tends to prioritize the 64-bit process, Cyderes said.

This base64-encoded script performs a Windows Antimalware Scan Interface (AMSI) bypass by patching System.Management.Automation.AmsiUtils.amsiInitFailed in memory, decrypts RC4-encrypted string constants using a hardcoded key and fingerprints the victim machine to generate a unique subdomain using an MD5 has of the victim’s computer name and username to deliver the next payload.

The response from the unique subdomain is executed in memory using the same 32-bit PowerShell process and consists of a heavily obfuscated 17 MB script designed to burden analysis through a combination of integer-encoded byte arrays, multi-layer string fragmentation, dynamic reassignment of variable names and three layers of encoding and encryption using base64, RC4 and XOR algorithms.

The final payload is a reflective .NET-based infostealer executed entirely via the PowerShell process, which targets browser credentials and exfiltrates them to a Russia-based command-and-control (C2) server. Throughout the entire attack chain, the only file written to the disk is the initial MP3/HTA polyglot.

Detecting and blocking the ‘Claude Code install’ ClickFix campaign

Malicious campaigns impersonating popular AI tools pose a major risk to organizations, especially given the increasing prevalence of “shadow AI,” with a recent BlackFox study finding that 58% of workers use unapproved AI tools in the workplace.

Cyderes Howler Cell researchers noted that the Claude Code impersonation campaign could impact less technically skilled employees who may be more susceptible to ClickFix social engineering, as the coding assistant lowers the barrier for non-developers to create custom productivity tools.

Defenders can detect similar ClickFix attacks by blocking or alerting on outbound HTTPS connections to external infrastructure originating from the mshta.exe process, which is unusual in normal business settings. Spawning a 32-bit PowerShell process from a scheduled task is also rare and should be flagged as suspicious.

While the campaign generates unique URLs per victim to deliver the final payload, wildcard blocking of the root domain (*.oakenfjrod[.]ru) can prevent its installation. Additionally, while the .NET infostealer executes without a file being written to the disk, Event Tracing for Windows (ETW) can detect when a .NET assembly is loaded from PowerShell.

“The operators behind this campaign did not rely on a single trick. They stacked deliberate evasion choices end-to-end and produced a chain where each traditional detection surface, file-based AV, AMSI, DNS reputation, process-tree heuristics, and image-load monitoring, has been accounted for at the design stage,” the researchers concluded.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds