Bad Ads, Worse Binaries: Fake Claude Code Installer Drops Infostealer
Summary
- Howler Cell identified an active SEO poisoning campaign targeting users searching for Claude Code installation guides
- Attackers placed a spoofed Anthropic install page at the top of search results and used a ClickFix lure to execute a malicious MSHTA command via the Windows Run dialog
- The delivery chain is six stages deep, fully fileless after Stage 1, and built to defeat file inspection, AMSI, EDR telemetry, sandbox analysis, and static IOC matching
- The final payload is a reflective .NET infostealer beaconing to Russian infrastructure at 185[.]177[.]239[.]255 for credential exfiltration
- The MP3/HTA polyglot payload passes file-type inspection as playable audio while executing as an HTA when processed by mshta.exe
- A per-victim subdomain structure derived from MD5(COMPUTERNAME+USERNAME) makes static IOC sharing ineffective at the URL level
- Anthropic is not compromised. The brand is being impersonated. The legitimate Claude Code installation path is unaffected.
Introduction
A first-time builder searched for "Claude Code install" because they finally believed they could build something.
Claude Code has put software development within reach of people who never thought it possible. A small business owner who wants to automate their invoicing. A teacher building a custom grading tool. An entrepreneur who has an app idea and, for the first time, has a realistic path to shipping it. The barrier that kept non-technical people out of software creation for decades is collapsing fast, and Claude Code is at the center of that shift. That enthusiasm is exactly what this campaign exploits.
The victim here is not a careless IT administrator ignoring security policy. They are someone newly empowered, sitting down to install a tool they are genuinely excited about, following instructions that look completely legitimate. The attacker did not need to trick a security professional. They needed to be at the top of a search result when someone motivated, trusting, and technically inexperienced went looking for a getting-started guide. SEO poisoning put them there.
The spoofed Anthropic install page looked right. The instructions felt familiar: open a dialog, paste a command, complete the installation. This is the ClickFix playbook, a social engineering technique that frames attacker-supplied MSHTA commands as routine setup steps. It works precisely because the victim has no baseline for what legitimate installation should look like. There was no alarm. There was no hesitation. The command ran.
This is also the profile of a victim that rarely has enterprise security controls standing between them and a spoofed download page. No proxy filtering. No endpoint detection. No security team to call. What they have is a browser, a search engine, and instructions that look exactly like every other installation guide they have ever followed.
Threat actors running commodity infostealer operations track adoption curves. Claude Code's growth is not a footnote to this campaign. It is the attack surface. Howler Cell tracks campaigns like this one because the consequences land on real people: stolen credentials, drained accounts, and compromised identities. The technical analysis that follows documents exactly how the chain was built and what defenders can do about it.
Attack Chain at a Glance
- Initial Access: SEO-poisoned search result for "claude code install" leading to a spoofed Anthropic install page
- Execution: ClickFix lure prompts the user to paste a MSHTA command into Win+R
- Stage 1: mshta.exe retrieves an MP3/HTA polyglot payload from download.version-516[.]com
- Stage 2: HTA spawns cmd.exe, which runs an encoded PowerShell script (AMSI bypass, RC4 string decryption, victim fingerprinting via MD5 hash)
- Stage 3: Second PowerShell script downloaded from a per-victim subdomain on oakenfjrod[.]ru, executed entirely in memory
- Stage 4: Reflective .NET infostealer beaconing to 185[.]177[.]239[.]255:443 for credential exfiltration
Figure 1: Attack Flow - From poisoned search to infostealer beacon

Technical Analysis
Initial Access
The victim searched for "Claude Code install" and clicked a poisoned result that redirected to a spoofed Anthropic install page impersonating the legitimate Claude Code download flow.
The page instructed the user to open the Windows Run dialog (Win+R) and paste a pre-staged mshta.exe command, framed as a required step to complete the installation. Because the victim launches the command by hand, execution starts under explorer.exe (the Run dialog's parent) rather than under a browser or Office process, which sidesteps endpoint rules that key on automated or scripted delivery patterns.
The ClickFix technique succeeds here not because it is novel, but because it is well-matched to the target. A first-time developer following installation instructions has no baseline for what legitimate setup should or should not ask them to do. Pasting a command into a Run dialog is, to them, as plausible as any other step.
Defender note: Users reporting a Claude Code install page that asked them to paste a Run dialog command should be treated as a likely infection event, not a failed install.
Stage 1: Polyglot HTA Retrieval via mshta.exe
The pasted command invoked mshta.exe with an HTTPS URL pointing to download.version-516[.]com/claude, a software-update-themed lure domain.
The retrieved payload is a 6.7 MB MP3/HTA polyglot: a single file that satisfies the parsing rules of two formats simultaneously. It carries a valid ID3v2.4 tag, embedded JPEG cover art, and playable MPEG audio frames in the first ~4.7 MB. mshta.exe hands the response body to the MSHTML parser, which does not require a document to begin with HTML: it tolerates the leading audio bytes, reaches the embedded HTA script block, and executes it. Security tools that classify the file by its header see a legitimate MP3. mshta.exe finds the script.
This construction defeats file-type filtering and content inspection tools that classify files by header or magic bytes. The audio content is real and playable, which means sandbox environments that open the file as media may deprioritize analysis entirely.
Figure 2: MP3/HTA polyglot - VLC sees playable audio; mshta.exe finds and executes the embedded HTA script block

Defender note: mshta.exe initiating outbound HTTPS connections to external infrastructure has no legitimate use in most enterprise environments. Blocking or alerting on mshta.exe network activity catches this stage regardless of payload obfuscation. MITRE: T1218.005.
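The classification gap described above can be reproduced with a small scanner. The following is an added example (not code from the original analysis): it builds a constructed, benign MP3/HTA polyglot with the same layout the write-up describes (ID3v2.4 tag, MPEG frames, then an HTA block), shows that a magic-byte check accepts it as audio, and then scans the whole buffer for HTA markers the way a content filter should. The sample file, its sizes and the placeholder script body are all constructed for this example.

```python
import re
from typing import Optional

# Tags an MSHTML-based host such as mshta.exe acts on even when they appear
# after megabytes of non-HTML bytes (the whole point of the polyglot).
HTA_MARKERS = (b"<html", b"<hta:application", b"<script")


def id3v2_tag_size(data: bytes) -> int:
    """Total size (header + body) of a leading ID3v2 tag, or 0 if there is none.
    ID3v2 encodes the body length as four syncsafe bytes (7 bits each)."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    size = data[6:10]
    if any(b & 0x80 for b in size):
        return 0  # high bit set: not syncsafe, treat the tag as malformed
    return 10 + ((size[0] << 21) | (size[1] << 14) | (size[2] << 7) | size[3])


def looks_like_mp3(data: bytes) -> bool:
    """What a magic-byte file-type filter checks: an ID3 tag or an MPEG frame sync word."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def find_embedded_hta(data: bytes) -> Optional[dict]:
    """Scan the entire buffer, not just the header, for the earliest HTA/HTML marker."""
    lowered = data.lower()
    hits = [(lowered.find(m), m) for m in HTA_MARKERS if lowered.find(m) != -1]
    if not hits:
        return None
    offset, marker = min(hits)
    return {"marker": marker.decode(), "offset": offset,
            "beyond_id3": offset >= id3v2_tag_size(data)}


def classify(data: bytes) -> str:
    """'polyglot' when the file passes as MP3 *and* carries script content."""
    hta = find_embedded_hta(data)
    if looks_like_mp3(data) and hta:
        return "polyglot"
    if hta:
        return "hta"
    if looks_like_mp3(data):
        return "mp3"
    return "unknown"


def build_sample_polyglot(audio_len: int = 4096) -> bytes:
    """Constructed sample for this example (not the real 6.7 MB payload):
    ID3v2.4 header + dummy tag body + synthetic MPEG frames + a benign HTA block."""
    body = b"\x00" * 100
    n = len(body)
    header = b"ID3\x04\x00\x00" + bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    frame = b"\xFF\xFB\x90\x00" + b"\x00" * 413   # MPEG-1 Layer III header + padding
    audio = (frame * (audio_len // len(frame) + 1))[:audio_len]
    hta = (b"<html><head><hta:application id=demo></head>"
           b"<script language=vbscript>' benign placeholder</script></html>")
    return header + body + audio + hta


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print("header check says MP3:", looks_like_mp3(sample))
    print("full-content scan:", find_embedded_hta(sample), "->", classify(sample))
```

A filter that only reads the first few hundred bytes returns "mp3" for the same buffer; only the full-buffer scan reaches the script block, which is exactly the blind spot the polyglot is built around.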
Stage 2: Persistence and PowerShell Loader Execution
The HTA registered a scheduled task through the Schedule.Service COM object to spawn cmd.exe with delayed environment-variable expansion enabled (cmd /V:ON). The command line reconstructed the string "powershell" at runtime from split variables to break static signature matching, then explicitly invoked the 32-bit PowerShell binary at %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. Targeting the 32-bit binary is deliberate: EDR telemetry coverage is frequently weighted toward 64-bit process activity, and detection rules written only against the System32 path miss it.
The PowerShell script executed a Base64-encoded payload that performed three operations in sequence:
- AMSI bypass: patched System.Management.Automation.AmsiUtils.amsiInitFailed in memory via Marshal::WriteInt32, disabling in-process script scanning before any further stages are executed
- RC4 string decryption: decrypted sensitive string constants at runtime using the hardcoded key BWJFEesMEqRvjQbm, keeping indicators out of static analysis
- Victim fingerprinting: computed an MD5 hash of COMPUTERNAME+USERNAME to generate a unique subdomain label for the Stage 3 download URL
Figure 3: PowerShell loader execution showing Base64-encoded command and decoded Stage 3 download URL

Defender note: 32-bit PowerShell spawned from a scheduled task registered via COM object is rare in enterprise environments and a high-confidence detection signal. MITRE: T1059.001, T1562.001, T1027.
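The task-registration step leaves an artifact that can be hunted: the exported task XML (schtasks /query /xml) records the exact command line. The following is an added example, not code from the original analysis, that parses Task Scheduler XML and flags the traits called out above: a SysWOW64 PowerShell path, cmd.exe delayed expansion with !var! splicing, an mshta.exe launcher, and an encoded command. Both task documents are constructed for this example and only imitate the shape of the Stage 2 task; the regexes are hunting heuristics, not vendor signatures.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Each rule is (label, regex) run over "<Command> <Arguments>" of every Exec action.
RULES = [
    ("32-bit PowerShell (SysWOW64)", re.compile(r"syswow64\\windowspowershell", re.I)),
    ("cmd.exe delayed expansion with !var! splicing", re.compile(r"/v(:on)?\b.*![a-z0-9_~:,]+!", re.I | re.S)),
    ("mshta.exe launcher", re.compile(r"\bmshta(\.exe)?\b", re.I)),
    ("encoded PowerShell command", re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)),
]


def exec_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a Task Scheduler XML document.
    Exported task XML declares UTF-16; when it has already been read into a str,
    the declaration is dropped so the parser does not reject the encoding."""
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)
    for node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (node.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        yield cmd, args


def hunt_task(task_xml: str) -> list:
    """Return the labels of every rule that fires on the task's actions, in RULES order."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        line = f"{cmd} {args}"
        findings.extend(label for label, rx in RULES if rx.search(line))
    return findings


# Constructed sample shaped like the Stage 2 task described above (not the real one):
# cmd.exe with /V:ON reassembles "powershell" from two variables and runs the SysWOW64 binary.
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/V:ON /C "set p=power&amp;&amp; set s=shell&amp;&amp; %windir%\SysWOW64\WindowsPowerShell\v1.0\!p!!s!.exe -nop -w hidden -enc QUJD"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: 64-bit PowerShell running a script file.
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-File C:\Scripts\nightly-backup.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_doc in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", hunt_task(xml_doc) or "no findings")
```

Run the same function over every task exported from an endpoint and alert on any non-empty result; the 32-bit path alone is a strong signal, and the combination with delayed expansion and an encoded command is the Stage 2 profile.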
Stage 3: Per-Victim PowerShell Retrieval from oakenfjrod[.]ru
Stage 2 used the MD5 victim fingerprint as a subdomain label to construct a unique retrieval URL:
https://<MD5_HASH>.oakenfjrod[.]ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1
The loader issued an HTTPS GET request to this URL and piped the response directly into IEX (Invoke-Expression) for in-memory execution under the same 32-bit PowerShell process, inheriting the AMSI-disabled state from Stage 2. Nothing was written to disk.
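The per-victim label cuts both ways: a defender who knows the hostnames and usernames in their estate can precompute the labels and attribute DNS queries to *.oakenfjrod[.]ru back to specific machines. The following is an added example (not code from the original analysis). It assumes the fingerprint is MD5 over COMPUTERNAME immediately followed by USERNAME, UTF-8, no separator, which the write-up implies but does not spell out; verify against a real sample before relying on it. The inventory, the log line format and the DNS lines are constructed for this example, and the watched domains are the refanged IOCs from the appendix.

```python
import hashlib
import re

# Watched infrastructure from the IOC list, refanged so it can be compared with log data.
C2_DOMAINS = ("oakenfjrod.ru", "version-516.com")
HEX_LABEL = re.compile(r"^[0-9a-f]{16,32}$")


def victim_label(computername: str, username: str) -> str:
    """ASSUMED reconstruction of the Stage 2 fingerprint: MD5(COMPUTERNAME + USERNAME),
    UTF-8, no separator, as written. The exact encoding and case are not documented."""
    return hashlib.md5((computername + username).encode("utf-8")).hexdigest()


def expected_labels(inventory) -> dict:
    """Map every (host, user) pair in an inventory to the label Stage 2 would derive for it."""
    return {victim_label(h, u): (h, u) for h, u in inventory}


def matches_watched(qname: str):
    """Return (domain, label directly under it) if qname is a watched domain or a subdomain of it."""
    q = qname.rstrip(".").lower()
    for d in C2_DOMAINS:
        if q == d:
            return d, ""
        if q.endswith("." + d):
            return d, q[: -len(d) - 1].split(".")[-1]
    return None


def parse_dns_line(line: str):
    """Constructed log shape for this example: '<timestamp> <client_ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3]}


def hunt(lines, inventory) -> list:
    """Flag every query to watched infrastructure; attribute hex labels to hosts when possible."""
    labels = expected_labels(inventory)
    hits = []
    for line in lines:
        rec = parse_dns_line(line)
        if rec is None:
            continue
        m = matches_watched(rec["qname"])
        if m is None:
            continue
        domain, label = m
        attributed = None
        if HEX_LABEL.match(label):
            # The IOC table shows a 16-character label, so match on prefix to cover truncated hashes.
            attributed = next((hu for full, hu in labels.items() if full.startswith(label)), None)
        hits.append({**rec, "domain": domain, "label": label, "attributed": attributed})
    return hits


# Constructed inventory and DNS log lines for this example.
INVENTORY = [("DESKTOP-A1B2C3", "alice"), ("WKS-FIN-07", "bob")]
SAMPLE_DNS = [
    "2025-01-01T10:00:01Z 10.0.0.21 www.example.com. A",
    f"2025-01-01T10:00:02Z 10.0.0.21 {victim_label('DESKTOP-A1B2C3', 'alice')}.oakenfjrod.ru. A",
    f"2025-01-01T10:00:03Z 10.0.0.22 {victim_label('WKS-FIN-07', 'bob')[:16]}.oakenfjrod.ru. A",
    "2025-01-01T10:00:04Z 10.0.0.23 download.version-516.com. A",
    "2025-01-01T10:00:05Z 10.0.0.24 deadbeef00000000.oakenfjrod.ru. A",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS, INVENTORY):
        print(hit["client"], hit["qname"], "->", hit["attributed"] or "unattributed")
```

Every query under a watched domain is alerted on regardless of the label, which is the wildcard blocking the defender note recommends; attribution is a bonus that turns a DNS event into a named host and user for triage.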
The retrieved Stage 3 script is approximately 17 MB. Legitimate loaders are typically under 100 KB. This is not accidental bloat. The size is engineered to break automated deobfuscators, exhaust sandbox memory limits, and tax human analysts. Key obfuscation characteristics:
- Massive integer-encoded byte arrays that must be reconstructed before any logic surfaces
- Multi-layer string fragmentation using split-and-concatenate chains and character-code substitution
- Runtime variable name mangling, with identifiers reassigned dynamically to break cross-references
- Stacked Base64 and RC4 decryption layers that must be unwound in the correct sequence
- A third XOR layer using the key AMSI_RESULT_NOT_DETECTED
- The reflective .NET payload (a managed assembly) carried inline as a byte array, removing the need for an additional network fetch
Figure 4: Stage 3 - 17 MB obfuscated PowerShell script with integer-encoded byte arrays and runtime variable mangling

Figure 5: Second decryption layer revealed after unwinding Base64 and RC4 stacking

Figure 6: XOR key AMSI_RESULT_NOT_DETECTED extracted from Stage 3 script
![PowerShell terminal screenshot showing execution of a script named m.ps1 from the Desktop\Load directory, with output displaying "[+] XOR Key:" followed by "AMSI_RESULT_NOT_DETECTED" — indicating the malware is using Microsoft's own AMSI bypass string as its XOR decryption key.](https://www.cyderes.com/hs-fs/hubfs/-Images/-Webpage%20Images/Howler%20Cell/Claude%20Code/image011.png?width=970&height=164&name=image011.png)
The per-victim subdomain structure makes static IOC sharing nearly worthless. Every victim URL is unique and non-reusable. Sharing the domain oakenfjrod[.]ru is meaningful; sharing specific URLs is not.
Defender note: DNS queries to *.oakenfjrod[.]ru are a strong indicator of compromise. Wildcard blocking on the domain is more effective than per-subdomain IOC matching. MITRE: T1568, T1620.
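Both the Stage 2 string decryption (RC4 under the key BWJFEesMEqRvjQbm) and the Stage 3 layering (Base64 and RC4 with a further XOR layer under AMSI_RESULT_NOT_DETECTED) reduce to peeling symmetric layers in the right order. The following is an added example, not code from the original analysis, that implements RC4 and repeating-key XOR and unwinds the layers with the two keys from the write-up. The nesting order (XOR innermost, then RC4, then Base64) is an assumption for this example, since the analysis does not state it; the sample blobs are constructed here by applying the same layers to names that appear in the text. A helper for the Stage 2 -EncodedCommand argument (Base64 over UTF-16LE) is included because that is the first layer an analyst meets.

```python
import base64

RC4_KEY = b"BWJFEesMEqRvjQbm"          # hardcoded Stage 2 RC4 key from the analysis
XOR_KEY = b"AMSI_RESULT_NOT_DETECTED"  # Stage 3 XOR key recovered from the script


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand argument: Base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def wrap(plaintext: bytes) -> str:
    """Apply the layers in the order ASSUMED for this example: XOR, then RC4, then Base64.
    The write-up does not state the exact nesting; swap the order here if a sample differs."""
    return base64.b64encode(rc4(RC4_KEY, xor_repeating(XOR_KEY, plaintext))).decode("ascii")


def unwrap(blob: str) -> bytes:
    """Peel the layers in reverse: Base64 -> RC4 -> XOR."""
    return xor_repeating(XOR_KEY, rc4(RC4_KEY, base64.b64decode(blob)))


def decode_strings(blobs) -> list:
    """Recover the cleartext of a batch of encrypted string constants."""
    return [unwrap(b).decode("utf-8", "replace") for b in blobs]


# Constructed sample blobs; the plaintexts are names that appear in the analysis above.
SAMPLE_BLOBS = [wrap(b"System.Management.Automation.AmsiUtils"), wrap(b"amsiInitFailed")]

# Constructed -EncodedCommand value for "Write-Output hi" (UTF-16LE, then Base64).
ENCODED_COMMAND_SAMPLE = "VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIABoAGkA"

if __name__ == "__main__":
    print(decode_encoded_command(ENCODED_COMMAND_SAMPLE))
    for blob, clear in zip(SAMPLE_BLOBS, decode_strings(SAMPLE_BLOBS)):
        print(blob, "->", clear)
```

When working a real sample, replace wrap() with the blobs lifted from the script and try the three orderings of unwrap(); the correct one yields printable UTF-8 and the rest yield noise, so the check is cheap.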
Stage 4: Reflective .NET Infostealer
The terminal stage is a .NET-based infostealer delivered as raw bytes embedded inside the Stage 3 PowerShell script. It is never written to disk, never mapped from a file as a module, and never spawns a child process. The entire stealer executes inside the existing powershell.exe address space.
The loading technique abuses the .NET Framework's built-in ability to execute managed code directly from a byte array in memory via Assembly.Load(byte[]). This is functionally equivalent to techniques used by Cobalt Strike's execute-assembly, Donut, and SharpSploit, but executed entirely from PowerShell without an unmanaged loader stub. No file artifact. No new process. No kernel image-load event for defenders to anchor on, because that callback fires only for file-backed image mappings; the load surfaces only through CLR telemetry or memory inspection.
The infostealer beacons over HTTPS to 185[.]177[.]239[.]255:443 for command and control and credential exfiltration. SensitiveFileRead telemetry confirms browser credential store access during execution.
Figure 7: Reflective .NET loader - the final assembly executes entirely within the existing PowerShell process address space

Defender note: .NET assembly loads from PowerShell without a corresponding file on disk are detectable via ETW (Event Tracing for Windows) and process memory inspection. EDR platforms with .NET assembly load visibility catch this where file-based controls do not. MITRE: T1620, T1555.003, T1041.
Conclusion
The operators behind this campaign did not rely on a single trick. They stacked deliberate evasion choices end-to-end and produced a chain in which each traditional detection surface (file-based AV, AMSI, DNS reputation, process-tree heuristics, and image-load monitoring) was accounted for at the design stage.
The MP3/HTA polyglot defeats file-type filtering. The 32-bit PowerShell invocation reduces EDR telemetry coverage. The AMSI bypass clears the path for in-memory execution. The 17 MB Stage 3 script is sized to break analysis tooling and exhaust sandbox resources. The per-victim subdomain structure neutralizes static IOC sharing. The reflective .NET final stage leaves no file, no new process, and no image-load artifact.
What makes this campaign notable is not the novelty of any individual technique. Each component is documented and understood. What is notable is the targeting logic: a rapidly growing population of non-technical users with high motivation, low threat awareness, and a search engine that, for a moment, put the attacker exactly where a legitimate download page should have been.
Howler Cell will continue tracking the infrastructure tied to this campaign, including download.version-516[.]com, oakenfjrod[.]ru, and 185[.]177[.]239[.]255, and will publish updates as the operator rotates infrastructure or evolves the loader chain.
Appendix
Indicators of Compromise
| Type | Value | Description |
| --- | --- | --- |
| Domain | download.version-516[.]com | HTA payload delivery: fake Claude download site |
| Domain | oakenfjrod[.]ru | Stage 3 C2 (wildcard: \*.oakenfjrod[.]ru) |
| IP | 185[.]177[.]239[.]255 | Final stealer C2 IP |
| URL | https://[md5_16char].oakenfjrod[.]ru/cloude-[uuid] | Per-victim C2 beacon URL structure |
MITRE ATT&CK Mapping
| Technique ID | Name | Detail |
| --- | --- | --- |
| T1204.004 | User Execution: Malicious Copy and Paste (ClickFix) | Win+R paste of attacker-supplied MSHTA command |
| T1218.005 | System Binary Proxy Execution: Mshta | mshta.exe fetched and executed remote HTA payload |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Encoded command with Base64 and RC4 obfuscation |
| T1027 | Obfuscated Files or Information | RC4 encryption of sensitive string literals at runtime |
| T1562.001 | Impair Defenses: Disable or Modify Tools (AMSI bypass) | Marshal::WriteInt32 to set amsiInitFailed via reflection |
| T1620 | Reflective Code Loading | Reflective .NET stealer loaded entirely in memory |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTPS C2 on port 443 for all stages |
| T1568 | Dynamic Resolution | Per-victim C2 subdomain derived from MD5(COMPUTERNAME+USERNAME) |
| T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | SensitiveFileRead events confirm browser credential store access |
| T1041 | Exfiltration Over C2 Channel | Data exfiltrated to 185[.]177[.]239[.]255 |