‘Claude Code install’ search result leads to ClickFix infostealer attack

May 29, 2026
By Laura French

An attack impersonating the Claude Code installation process leverages search engine optimization (SEO) poisoning and ClickFix social engineering to stealthily execute a .NET-based infostealer, Cyderes’s Howler Cell disclosed Thursday.

Researchers reported that the spoofed Claude Code installation page appeared at the top of search results for the search term “Claude Code install” and instructed victims to run a Windows MSHTA command to purportedly install the popular AI-powered coding tool. Instead, this command retrieves an MP3/HTA polyglot file from a remote server: a file that functions as a playable audio file but includes a malicious HTA script block. This method defeats file-type filtering defenses while still allowing MSHTA to execute the HTML application, kicking off the next stage of the attack.

The HTA script spawns cmd.exe through a scheduled task and invokes the 32-bit PowerShell binary to execute an additional script. The use of the 32-bit binary adds a further layer of evasion, as endpoint detection and response (EDR) telemetry tends to prioritize the 64-bit process, Cyderes said.

This base64-encoded script performs a Windows Antimalware Scan Interface (AMSI) bypass by patching System.Management.Automation.AmsiUtils.amsiInitFailed in memory, decrypts RC4-encrypted string constants using a hardcoded key, and fingerprints the victim machine to generate a unique subdomain from an MD5 hash of the victim’s computer name and username, which is then used to deliver the next payload.
The response from the unique subdomain is executed in memory using the same 32-bit PowerShell process and consists of a heavily obfuscated 17 MB script designed to burden analysis through a combination of integer-encoded byte arrays, multi-layer string fragmentation, dynamic reassignment of variable names and three layers of encoding and encryption using base64, RC4 and XOR algorithms.

The final payload is a reflective .NET-based infostealer executed entirely via the PowerShell process, which targets browser credentials and exfiltrates them to a Russia-based command-and-control (C2) server. Throughout the entire attack chain, the only file written to the disk is the initial MP3/HTA polyglot.

Detecting and blocking the ‘Claude Code install’ ClickFix campaign

Malicious campaigns impersonating popular AI tools pose a major risk to organizations, especially given the increasing prevalence of “shadow AI,” with a recent BlackFox study finding that 58% of workers use unapproved AI tools in the workplace. Cyderes Howler Cell researchers noted that the Claude Code impersonation campaign could impact less technically skilled employees who may be more susceptible to ClickFix social engineering, as the coding assistant lowers the barrier for non-developers to create custom productivity tools.

Defenders can detect similar ClickFix attacks by blocking or alerting on outbound HTTPS connections to external infrastructure originating from the mshta.exe process, which is unusual in normal business settings. Spawning a 32-bit PowerShell process from a scheduled task is also rare and should be flagged as suspicious. While the campaign generates unique URLs per victim to deliver the final payload, wildcard blocking of the root domain (*.oakenfjrod[.]ru) can prevent its installation. Additionally, while the .NET infostealer executes without a file being written to the disk, Event Tracing for Windows (ETW) can detect when a .NET assembly is loaded from PowerShell.
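The three detection heuristics above (mshta.exe reaching external infrastructure, 32-bit PowerShell descended from a scheduled task, and a wildcard match on the reported root domain) as an added example applied to constructed endpoint events; this is illustration code, not Cyderes's, and the flat event schema, pids, the "-s Schedule" svchost marker and the RFC 1918-only notion of "internal" are assumptions.

```python
"""ClickFix detection heuristics over constructed sample events (assumed schema, not real telemetry)."""
import fnmatch
import ipaddress

BLOCKED_DOMAIN_GLOB = "*.oakenfjrod.ru"  # root domain named in the report
PS_32BIT_SUFFIX = r"\syswow64\windowspowershell\v1.0\powershell.exe"
# Assumption: anything outside RFC 1918 space counts as "external" here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events; the pid/ppid chain mirrors the reported attack flow.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},  # assumed Task Scheduler host marker
    {"type": "process", "pid": 4120, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "network", "pid": 4120, "image": r"C:\Windows\System32\mshta.exe", "dst_ip": "203.0.113.7"},
    {"type": "process", "pid": 4300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 4310, "ppid": 4300,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "dns", "pid": 4310, "query": "3f2a9c1b.oakenfjrod.ru"},  # constructed per-victim subdomain
    # Benign noise that must not alert: mshta reaching an internal host.
    {"type": "network", "pid": 4121, "image": r"C:\Windows\System32\mshta.exe", "dst_ip": "10.0.0.5"},
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def spawned_by_scheduled_task(ppid, procs):
    """Walk the parent chain (cycle-safe) looking for the Task Scheduler service host."""
    seen = set()
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        if "-s schedule" in procs[ppid].get("cmdline", "").lower():
            return True
        ppid = procs[ppid]["ppid"]
    return False

def detect(events):
    """Return (rule_name, pid) tuples for the three heuristics from the report."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        img = e.get("image", "").lower()
        if e["type"] == "network" and img.endswith(r"\mshta.exe") and is_external(e["dst_ip"]):
            alerts.append(("mshta_external_connection", e["pid"]))
        elif e["type"] == "process" and img.endswith(PS_32BIT_SUFFIX) and spawned_by_scheduled_task(e["ppid"], procs):
            alerts.append(("powershell32_from_scheduled_task", e["pid"]))
        elif e["type"] == "dns" and fnmatch.fnmatch(e["query"].lower(), BLOCKED_DOMAIN_GLOB):
            alerts.append(("blocked_root_domain_lookup", e["pid"]))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields one alert per stage of the sample chain and nothing for the internal mshta connection.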
“The operators behind this campaign did not rely on a single trick. They stacked deliberate evasion choices end-to-end and produced a chain where each traditional detection surface, file-based AV, AMSI, DNS reputation, process-tree heuristics, and image-load monitoring, has been accounted for at the design stage,” the researchers concluded.