An attack impersonating the Claude Code installation process leverages search engine optimization (SEO) poisoning and ClickFix social engineering to stealthily execute a .NET-based infostealer, Cyderes’s Howler Cell disclosed Thursday.Researchers reported that the spoofed Claude Code installation page appeared at the top of search results for the search term “Claude Code install” and instructed victims to run a Windows MSHTA command to purportedly install the popular AI-powered coding tool.Instead, this command retrieves an MP3/HTA polyglot file from a remote server — a file that functions as a playable audio file but includes a malicious HTA script block. This method defeats file-type filtering defenses but enables MSHTA to execute the HTML application, kicking off the next stage of the attack.The HTA script spawns cmd.exe through a scheduled task and invokes the 32-bit PowerShell binary to execute an additional script. The use of the 32-bit binary adds an additional layer of evasion, as endpoint detection and response (EDR) telemetry tends to prioritize the 64-bit process, Cyderes said.This base64-encoded script performs a Windows Antimalware Scan Interface (AMSI) bypass by patching System.Management.Automation.AmsiUtils.amsiInitFailed in memory, decrypts RC4-encrypted string constants using a hardcoded key and fingerprints the victim machine to generate a unique subdomain using an MD5 has of the victim’s computer name and username to deliver the next payload.The response from the unique subdomain is executed in memory using the same 32-bit PowerShell process and consists of a heavily obfuscated 17 MB script designed to burden analysis through a combination of integer-encoded byte arrays, multi-layer string fragmentation, dynamic reassignment of variable names and three layers of encoding and encryption using base64, RC4 and XOR algorithms.The final payload is a reflective .NET-based infostealer executed entirely via the PowerShell process, which targets browser credentials and exfiltrates them to a Russia-based command-and-control (C2) server. Throughout the entire attack chain, the only file written to the disk is the initial MP3/HTA polyglot.
Ransomware, Malware
‘Claude Code install’ search result leads to ClickFix infostealer attack

(Credit: daily_creativity – stock.adobe.com)
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
Related Terms
AdwareYou can skip this ad in 5 seconds



