A first-time builder searched for "Claude Code install" because they finally believed they could build something.
Claude Code has put software development within reach of people who never thought it possible. A small business owner who wants to automate their invoicing. A teacher building a custom grading tool. An entrepreneur who has an app idea and, for the first time, has a realistic path to shipping it. The barrier that kept non-technical people out of software creation for decades is collapsing fast, and Claude Code is at the center of that shift. That enthusiasm is exactly what this campaign exploits.
The victim here is not a careless IT administrator ignoring security policy. They are someone newly empowered, sitting down to install a tool they are genuinely excited about, following instructions that look completely legitimate. The attacker did not need to trick a security professional. They needed to be at the top of a search result when someone motivated, trusting, and technically inexperienced went looking for a getting-started guide. SEO poisoning put them there.
The spoofed Anthropic install page looked right. The instructions felt familiar: open a dialog, paste a command, complete the installation. This is the ClickFix playbook, a social engineering technique that frames attacker-supplied MSHTA commands as routine setup steps. It works precisely because the victim has no baseline for what legitimate installation should look like. There was no alarm. There was no hesitation. The command ran.
This is also the profile of a victim that rarely has enterprise security controls standing between them and a spoofed download page. No proxy filtering. No endpoint detection. No security team to call. What they have is a browser, a search engine, and instructions that look exactly like every other installation guide they have ever followed.
Threat actors running commodity infostealer operations track adoption curves. Claude Code's growth is not a footnote to this campaign. It is the attack surface. Howler Cell tracks campaigns like this one because the consequences land on real people: stolen credentials, drained accounts, and compromised identities. The technical analysis that follows documents exactly how the chain was built and what defenders can do about it.
Figure 1: Attack Flow - From poisoned search to infostealer beacon
The victim searched for "Claude Code install" and clicked a poisoned result that redirected to a spoofed Anthropic install page impersonating the legitimate Claude Code download flow.
The page instructed the user to open the Windows Run dialog (Win+R) and paste a pre-staged mshta.exe command, framed as a required step to complete the installation. This establishes hands-on keyboard execution rather than automated drive-by delivery, which bypasses many endpoint controls that key on automated or scripted execution patterns.
The ClickFix technique succeeds here not because it is novel, but because it is well-matched to the target. A first-time developer following installation instructions has no baseline for what legitimate setup should or should not ask them to do. Pasting a command into a Run dialog is, to them, as plausible as any other step.
Defender note: Users reporting a Claude Code install page that asked them to paste a Run dialog command should be treated as a likely infection event, not a failed install.
The pasted command invoked mshta.exe with an HTTPS URL pointing to download.version-516[.]com/claude, a software-update-themed lure domain.
The retrieved payload is a 6.7 MB MP3/HTA polyglot: a single file that satisfies the parsing rules of two formats simultaneously. It carries a valid ID3v2.4 tag, embedded JPEG cover art, and playable MPEG audio frames in the first ~4.7 MB. When mshta.exe processes the file, it parses linearly, moves past the audio content, reaches the embedded HTA script block, and executes it. Security tools inspecting the file header see a legitimate MP3. mshta.exe finds the script.
This construction defeats file-type filtering and content inspection tools that classify files by header or magic bytes. The audio content is real and playable, which means sandbox environments that open the file as media may deprioritize analysis entirely.
Figure 2: MP3/HTA polyglot - VLC sees playable audio; mshta.exe finds and executes the embedded HTA script block
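One way to screen files that present themselves as audio for the dual-format construction described above. This is an added example written for this post, not Howler Cell's tooling and not the campaign's file: the marker list is a generic assumption about what HTA content looks like, and the sample input is constructed inline with an inert placeholder script block so the scanner can be exercised offline.

```python
import re

# Generic HTML/HTA/script markers that have no place inside an audio file.
# Assumption: the campaign's HTA is not reproduced here; this list targets
# the construction (script after audio), not one specific sample.
SCRIPT_MARKERS = [
    b"<script", b"<hta:application", b"<html", b"<body",
    b"activexobject", b"wscript.shell", b"vbscript:", b"javascript:",
]


def id3v2_tag_size(data: bytes):
    """Total size (10-byte header + body) of a leading ID3v2 tag, or None."""
    if len(data) < 10 or data[:3] != b"ID3":
        return None
    size = 0
    for b in data[6:10]:            # four syncsafe bytes, 7 bits each
        if b & 0x80:
            return None             # high bit set: malformed, treat as no tag
        size = (size << 7) | b
    return 10 + size


def looks_like_mp3(data: bytes) -> bool:
    """Header-based check, i.e. what a magic-byte filter would conclude:
    a leading ID3v2 tag or an immediate MPEG frame sync (0xFFE)."""
    if id3v2_tag_size(data) is not None:
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def scan_audio_for_script(data: bytes) -> dict:
    """Classify by header, then search the WHOLE body for script markers,
    which is the step header-only classifiers skip."""
    lowered = data.lower()
    hits = []
    for marker in SCRIPT_MARKERS:
        off = lowered.find(marker)
        if off != -1:
            hits.append((marker.decode(), off))
    hits.sort(key=lambda h: h[1])
    is_mp3 = looks_like_mp3(data)
    if is_mp3 and hits:
        verdict = "polyglot-suspect"
    elif hits:
        verdict = "script-content"
    elif is_mp3:
        verdict = "audio-only"
    else:
        verdict = "unknown"
    return {
        "looks_like_mp3": is_mp3,
        "id3_size": id3v2_tag_size(data),
        "markers": [m for m, _ in hits],
        "first_marker_offset": hits[0][1] if hits else None,
        "verdict": verdict,
    }


def build_constructed_sample(with_script: bool = True) -> bytes:
    """Constructed test input (not the campaign's file): an ID3v2.4 header
    with a 100-byte padded body, eight dummy MPEG frame headers, and
    optionally an inert HTML/script placeholder appended after the audio."""
    header = b"ID3\x04\x00\x00" + bytes([0, 0, 0, 100])   # syncsafe size 100
    tag_body = b"\x00" * 100
    audio = (b"\xff\xfb\x90\x00" + b"\x00" * 413) * 8
    tail = b'<html><head><script language="VBScript">\' placeholder\n</script></head></html>'
    return header + tag_body + audio + (tail if with_script else b"")


if __name__ == "__main__":
    print(scan_audio_for_script(build_constructed_sample()))
```

The reported offset matters in triage: a marker that sits past the ID3 tag and the audio region, as in the sample, is exactly the placement mshta.exe reaches by parsing linearly, whereas a hit inside an ID3 text frame (lyrics, comments) is a much weaker signal and worth a manual look before blocking.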
Defender note: mshta.exe initiating outbound HTTPS connections to external infrastructure has no legitimate use in most enterprise environments. Blocking or alerting on mshta.exe network activity catches this stage regardless of payload obfuscation. MITRE: T1218.005.
The HTA registered a scheduled task through the Schedule.Service COM object to spawn cmd.exe with delayed-expansion enabled. The command line reconstructed the string "powershell" at runtime using split variables to break static signature detection, then explicitly invoked the 32-bit PowerShell binary at %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. Targeting the 32-bit binary is deliberate: EDR telemetry coverage is frequently weighted toward 64-bit process activity.
The PowerShell script executed a Base64-encoded payload that performed three operations in sequence:
Figure 3: PowerShell loader execution showing Base64-encoded command and decoded Stage 3 download URL
Defender note: 32-bit PowerShell spawned from a scheduled task registered via COM object is rare in enterprise environments and a high-confidence detection signal. MITRE: T1059.001, T1562.001, T1027.
Stage 2 used the MD5 victim fingerprint as a subdomain label to construct a unique retrieval URL:
https://<MD5_HASH>.oakenfjrod[.]ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1
The loader issued an HTTPS GET request to this URL and piped the response directly into IEX for in-memory execution under the same 32-bit PowerShell process, inheriting the AMSI-disabled state from Stage 2. Nothing was written to disk.
The retrieved Stage 3 script is approximately 17 MB. Legitimate loaders are typically under 100 KB. This is not accidental bloat. The size is engineered to break automated deobfuscators, exhaust sandbox memory limits, and tax human analysts. Key obfuscation characteristics:
Figure 4: Stage 3 - 17 MB obfuscated PowerShell script with integer-encoded byte arrays and runtime variable mangling
Figure 5: Second decryption layer revealed after unwinding Base64 and RC4 stacking
Figure 6: XOR key AMSI_RESULT_NOT_DETECTED extracted from Stage 3 script
The per-victim subdomain structure makes static IOC sharing nearly worthless. Every victim URL is unique and non-reusable. Sharing the domain oakenfjrod[.]ru is meaningful; sharing specific URLs is not.
Defender note: DNS queries to *.oakenfjrod[.]ru are a strong indicator of compromise. Wildcard blocking on the domain is more effective than per-subdomain IOC matching. MITRE: T1568, T1620.
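Putting the wildcard recommendation and the per-victim label structure together, the resolver-log check below is an added example, not Howler Cell's code: it assumes plain log lines of the form `timestamp client qname`, treats a 16- or 32-character hex first label as a per-victim fingerprint (the 16-character form in the IOC table is assumed to be a truncated MD5), and assumes the fingerprint is MD5 over COMPUTERNAME and USERNAME concatenated with no separator and no case folding, which the post does not specify. The host list and log lines are constructed.

```python
import hashlib
import re

# Infrastructure named in the post, kept defanged as written there.
REPORT_DOMAINS = ["oakenfjrod[.]ru"]

# Full MD5 (32 hex) or the 16-char form shown in the IOC table (assumed truncated MD5).
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{16}|[0-9a-f]{32})$")


def undefang(ioc: str) -> str:
    return ioc.replace("[.]", ".").lower()


def matches_wildcard(qname: str, domain: str) -> bool:
    """True for the domain itself and any subdomain, i.e. the '*.domain' rule.
    A suffix test, not a substring test, so 'oakenfjrod.ru.example.org' is not a hit."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def victim_fingerprint(computername: str, username: str) -> str:
    """MD5(COMPUTERNAME+USERNAME) as the post describes the Stage 2 fingerprint.
    Assumption: no separator, no case folding."""
    return hashlib.md5((computername + username).encode()).hexdigest()


def analyze_dns(log_lines, known_hosts):
    """Flag queries under report domains and, where the first label is a hex
    fingerprint, recompute fingerprints for enrolled hosts to attribute it."""
    suffixes = [undefang(d) for d in REPORT_DOMAINS]
    fingerprints = {victim_fingerprint(c, u): (c, u) for c, u in known_hosts}
    findings = []
    for line in log_lines:
        ts, client, qname = line.split()
        hit = next((s for s in suffixes if matches_wildcard(qname, s)), None)
        if hit is None:
            continue
        label = qname.lower().split(".")[0]
        is_fp = bool(HEX_LABEL.match(label)) and label != hit.split(".")[0]
        host = None
        if is_fp:
            # 32 chars: exact match; 16 chars: prefix of the full MD5
            host = next((h for fp, h in fingerprints.items() if fp.startswith(label)), None)
        findings.append({"ts": ts, "client": client, "qname": qname, "matched": hit,
                         "per_victim_label": is_fp, "attributed_host": host})
    return findings


# Constructed inventory: (COMPUTERNAME, USERNAME) pairs.
KNOWN_HOSTS = [("WS-FINANCE01", "jdoe"), ("WS-DESIGN07", "asmith")]


def build_sample_log():
    """Constructed resolver log lines, not real telemetry."""
    fp = victim_fingerprint("WS-FINANCE01", "jdoe")
    return [
        "2025-01-01T10:00:01Z 10.0.5.23 www.example.com",
        f"2025-01-01T10:00:09Z 10.0.5.23 {fp}.oakenfjrod.ru",
        "2025-01-01T10:01:30Z 10.0.5.41 0123456789abcdef.oakenfjrod.ru",
        "2025-01-01T10:02:00Z 10.0.5.41 oakenfjrod.ru.example.org",
    ]


if __name__ == "__main__":
    for f in analyze_dns(build_sample_log(), KNOWN_HOSTS):
        print(f)
```

The second flagged line shows the point of the defender note: the label is a valid fingerprint shape but matches no enrolled host, so a per-subdomain IOC list would never have contained it, while the wildcard suffix match still catches it.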
The terminal stage is a .NET-based infostealer delivered as raw bytes embedded inside the Stage 3 PowerShell script. It is never written to disk, never loaded as a module, and never spawns a child process. The entire stealer executes inside the existing powershell.exe address space.
The loading technique abuses the .NET Framework's built-in ability to execute managed code directly from a byte array in memory via Assembly.Load(byte[]). This is functionally equivalent to techniques used by Cobalt Strike's execute-assembly, Donut, and SharpSploit, but executed entirely from PowerShell without an unmanaged loader stub. No file artifact. No new process. No image-load event for defenders to anchor on.
The infostealer beacons over HTTPS to 185[.]177[.]239[.]255:443 for command and control and credential exfiltration. SensitiveFileRead telemetry confirms browser credential store access during execution.
Figure 7: Reflective .NET loader - final shellcode executes entirely within the existing PowerShell process address space
Defender note: .NET assembly loads from PowerShell without a corresponding file on disk are detectable via ETW (Event Tracing for Windows) and process memory inspection. EDR platforms with .NET assembly load visibility catch this where file-based controls do not. MITRE: T1620, T1555.003, T1041.
The operators behind this campaign did not rely on a single trick. They stacked deliberate evasion choices end-to-end and produced a chain in which each traditional detection surface (file-based AV, AMSI, DNS reputation, process-tree heuristics, and image-load monitoring) was accounted for at the design stage.
The MP3/HTA polyglot defeats file-type filtering. The 32-bit PowerShell invocation reduces EDR telemetry coverage. The AMSI bypass clears the path for in-memory execution. The 17 MB Stage 3 script is sized to break analysis tooling and exhaust sandbox resources. The per-victim subdomain structure neutralizes static IOC sharing. The reflective .NET final stage leaves no file, no new process, and no image-load artifact.
What makes this campaign notable is not the novelty of any individual technique. Each component is documented and understood. What is notable is the targeting logic: a rapidly growing population of non-technical users with high motivation, low threat awareness, and a search engine that, for a moment, put the attacker exactly where a legitimate download page should have been.
Howler Cell will continue tracking the infrastructure tied to this campaign, including download.version-516[.]com, oakenfjrod[.]ru, and 185[.]177[.]239[.]255, and will publish updates as the operator rotates infrastructure or evolves the loader chain.
| Type | Value | Description |
| --- | --- | --- |
| Domain | download.version-516[.]com | HTA payload delivery: fake Claude download site |
| Domain | oakenfjrod[.]ru | Stage 3 C2 (wildcard: *.oakenfjrod[.]ru) |
| IP | 185[.]177[.]239[.]255 | Final stealer C2 IP |
| URL | https://[md5_16char].oakenfjrod[.]ru/cloude-[uuid] | Per-victim C2 beacon URL structure |

| Technique ID | Name | Detail |
| --- | --- | --- |
| T1204.003 | User Execution: Malicious Link / ClickFix | Win+R paste of attacker-supplied MSHTA command |
| T1218.005 | Signed Binary Proxy: mshta.exe | mshta.exe fetched and executed remote HTA payload |
| T1059.001 | PowerShell | Encoded command with Base64 and RC4 obfuscation |
| T1027 | Obfuscated Files or Information | RC4 encryption of sensitive string literals at runtime |
| T1562.001 | Impair Defenses: AMSI Bypass | Marshal::WriteInt32 to set amsiInitFailed via reflection |
| T1620 | Reflective Code Loading | Reflective .NET stealer loaded entirely in memory |
| T1071.001 | Application Layer Protocol: Web | HTTPS C2 on port 443 for all stages |
| T1568 | Dynamic Resolution | Per-victim C2 subdomain derived from MD5(COMPUTERNAME+USERNAME) |
| T1555.003 | Credentials from Browser | SensitiveFileRead events confirm browser credential store access |
| T1041 | Exfiltration Over C2 Channel | Data exfiltrated to 185[.]177[.]239[.]255 |