Kai Ole Hartwig — Blog
Severity rating: High

Fake Claude Code installer via ClickFix: a fileless infostealer behind an MP3/HTA polyglot, and why it hits beginners

31 May 2026. The threat-intel team Howler Cell (Cyderes) disclosed an active campaign on 28 May that uses SEO poisoning to push a fake Claude Code install page to the top of search results and a ClickFix lure to get first-time users to paste an mshta.exe command into the Windows Run dialog (Win+R). Behind it lies a six-stage chain that is fully fileless after stage 1: a 6.7 MB MP3/HTA polyglot, a deliberately chosen 32-bit PowerShell with an AMSI bypass, a per-victim subdomain on oakenfjrod[.]ru and a .NET infostealer loaded reflectively in memory that exfiltrates browser credentials to Russian infrastructure. Anthropic itself is not compromised — the brand is impersonated, the legitimate install path is untouched. The campaign deliberately targets motivated beginners without EDR, whose laptop then becomes the entry point into corporate identities.

TL;DR — the 90-second summary

What was published?

Cyderes Howler Cell report (28 May 2026): an active SEO-poisoning campaign that places a fake Anthropic / Claude Code install page at the top of search results. Via a ClickFix social-engineering lure, the victim is instructed to paste an mshta.exe command into the Win+R dialog. Result: a fileless infostealer that steals browser credentials.

How severe?

High (operational rating — no CVE, no CVSS). Active in-the-wild campaign with credential theft; entry is social-engineering-gated (the user has to run the command themselves). The impact is identity theft: the browser credential store, then potentially sessions, tokens and everything the compromised account can reach.

Who is the target?

First-time users of Claude Code — per Cyderes explicitly small business owners, the self-employed, teachers, beginners without enterprise protection (no proxy filtering, no EDR, no security team). The victim profile is not the careless admin but the motivated beginner with no baseline for what a legitimate installation should look like.

Am I affected?

Not through a flaw in any of your products — the campaign uses no software vulnerability, only social engineering. You are affected through your people: anyone on your team (or in the wider circle) installing Claude Code or a comparable AI CLI tool for the first time and hitting a fake guide. A compromised developer laptop yields browser credentials and with them often the path to Git, cloud and CI/CD access.

Immediate action?

Three points. First, awareness: you never install Claude Code by pasting a command into the Windows Run dialog; an install page that demands this is an attack. Second, sharpen detection: outbound connections from mshta.exe, 32-bit PowerShell started from scheduled tasks, DNS queries for any subdomain of oakenfjrod[.]ru. Third, on suspicion immediately rotate credentials (browser passwords, sessions, OAuth tokens) and treat the laptop as compromised.

Criticality?

High (operational rating). Active campaign; Cyderes keeps tracking the infrastructure (download.version-516[.]com, oakenfjrod[.]ru, 185.177.239.255) as the operator rotates it.


What happened

Howler Cell, the threat-intelligence team of the security firm Cyderes, documented an active credential-theft campaign on 28 May 2026 that specifically targets first-time users of Anthropic's Claude Code. The entry point is SEO poisoning: anyone searching for “Claude Code install” lands on a fake Anthropic page that ranks above the legitimate source in the search results. The page looks convincing and follows a familiar pattern — open a dialog, paste a command, complete the installation.

That step is the trap. It is the ClickFix technique: a social-engineering method that frames an attacker-supplied mshta.exe command as a harmless installation step. The victim opens the Windows Run dialog (Win+R) and pastes the command. This establishes "hands-on-keyboard" execution, manually triggered by the user rather than automated. Because the Run dialog launches processes through explorer.exe, the chain starts from the parent every interactive session has, not from a browser or Office process, so sandbox and endpoint heuristics keyed on the usual drive-by process trees do not fire.

The decisive point from the Cyderes report is the victim profile. The target is not the careless IT administrator but the newly empowered beginner: the small business owner who wants to automate their invoicing; the teacher building a grading tool; the founder with an app idea. This group is growing rapidly thanks to AI coding tools but rarely has enterprise protection — no proxy filtering, no EDR, no security team — and no baseline for what a legitimate installation should look like. Pasting a command into a dialog is as plausible to them as any other step. Cyderes puts it plainly: Claude Code's adoption curve is not a footnote to this campaign, it is the attack surface.

Important for context: Cyderes explicitly confirms that Anthropic itself was not compromised. The brand is impersonated, the legitimate Claude Code install path is untouched. This campaign is a technically independent actor track in the same theme family as the installer-impersonation wave against Claude Code and Gemini CLI documented in May — see my strategic assessment of it: When installing the AI tool becomes the trap.

Technical assessment

The chain is fully fileless after stage 1 and deliberately built around every traditional detection surface — file-based AV, AMSI, DNS reputation, process-tree heuristics and image-load monitoring are each accounted for in the design. In order:

Stage 1 — MP3/HTA polyglot via mshta.exe

The pasted command invokes mshta.exe with an HTTPS URL at download.version-516[.]com/claude — a software-update-themed lure domain. The retrieved payload is a 6.7 MB MP3/HTA polyglot: a single file that satisfies the parsing rules of two formats at once. It carries a valid ID3v2.4 tag, embedded JPEG cover art and playable MPEG audio frames in the first ~4.7 MB. Security tools classifying the file by header see a legitimate MP3. mshta.exe, by contrast, hands the whole object to the HTML engine, which tolerates the audio bytes it cannot parse and executes the embedded HTA script block. The defensive takeaway: any classifier that stops after the magic bytes is blind here, while the HTA markup is still plain text inside the file and turns up the moment you scan the whole object rather than its first kilobytes.
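
The check described above, as an added example (my code, not Cyderes's tooling or anything from the campaign): a triage script that parses the ID3v2 header the way an MP3 classifier does, confirms there are real MPEG frame syncs behind it, and then scans the entire file for HTA/HTML markup instead of trusting the header. The sample file is constructed inline (a minimal ID3v2.4 tag, a few fake MPEG-1 Layer III frames, benign HTA markup appended at the end); it is not the real 6.7 MB payload, and the marker list is mine.

```python
import re

ID3_MAGIC = b"ID3"

# Markup that mshta.exe will act on wherever it sits in the file. mshta hands the
# whole object to the HTML engine, which skips the bytes it cannot parse.
HTA_MARKERS = (
    re.compile(rb"<\s*hta\s*:\s*application", re.IGNORECASE),
    re.compile(rb"<\s*script\b", re.IGNORECASE),
    re.compile(rb"<\s*html\b", re.IGNORECASE),
)


def syncsafe(n: int) -> bytes:
    """Encode n as the 4-byte, 7-bits-per-byte integer ID3v2 uses for sizes."""
    return bytes(((n >> (7 * i)) & 0x7F) for i in (3, 2, 1, 0))


def parse_id3_header(data: bytes):
    """Return (version, tag_size) for an ID3v2 header at offset 0, else None."""
    if len(data) < 10 or data[:3] != ID3_MAGIC:
        return None
    size = 0
    for b in data[6:10]:
        if b & 0x80:            # syncsafe bytes never have the high bit set
            return None
        size = (size << 7) | b
    return (f"2.{data[3]}.{data[4]}", size)


def has_mpeg_frame_sync(data: bytes, start: int, window: int = 4096) -> bool:
    """True if an 11-bit MPEG frame sync (0xFF then 0b111xxxxx) appears within
    `window` bytes after the ID3 tag, i.e. the file really would play."""
    end = min(len(data) - 1, start + window)
    return any(data[i] == 0xFF and (data[i + 1] & 0xE0) == 0xE0 for i in range(start, end))


def find_markup(data: bytes):
    """First offset of each HTA/HTML marker anywhere in the file."""
    hits = []
    for pat in HTA_MARKERS:
        m = pat.search(data)
        if m:
            hits.append((m.group(0).decode("latin-1"), m.start()))
    return hits


def triage(data: bytes) -> dict:
    """Classify by looking at the whole file, not just the magic bytes."""
    hdr = parse_id3_header(data)
    audio_ok = hdr is not None and has_mpeg_frame_sync(data, 10 + hdr[1])
    markup = find_markup(data)
    if hdr and markup:
        verdict = "polyglot: ID3/MPEG container carrying HTA/HTML markup"
    elif hdr:
        verdict = "audio only"
    elif markup:
        verdict = "markup only (plain HTA/HTML)"
    else:
        verdict = "neither"
    return {"id3": hdr, "plays_as_mp3": audio_ok, "markup": markup,
            "is_polyglot": bool(hdr and markup), "verdict": verdict}


def build_samples() -> dict:
    """Constructed inputs (not the real payload): a minimal ID3v2.4 tag with one
    text frame, a few fake MPEG frames, then benign HTA markup after the audio."""
    frame = b"TIT2" + syncsafe(6) + b"\x00\x00" + b"\x00Hello"   # one text frame
    id3 = ID3_MAGIC + b"\x04\x00\x00" + syncsafe(len(frame)) + frame
    audio = (b"\xFF\xFB\x90\x00" + b"\x00" * 100) * 8             # MPEG-1 L3 syncs
    hta = (b"<html><head><hta:application id=\"x\"></head>"
           b"<script language=\"VBScript\">MsgBox \"constructed sample\"</script></html>")
    return {"polyglot": id3 + audio + hta, "clean_mp3": id3 + audio, "plain_hta": hta}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, "->", triage(blob)["verdict"])
```

Run it against a downloaded file with `triage(open(path, "rb").read())`; the useful signal is a valid ID3 header plus an `<hta:application` or `<script` hit at an offset far beyond the tag. A real classifier would also want the JPEG cover art and the other tag frames, but the verdict does not depend on them.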

Stage 2 — persistence and 32-bit PowerShell loader

The HTA registers a scheduled task via the Schedule.Service COM object that starts cmd.exe. The command line reconstructs the string "powershell" at runtime from split variables (against static signatures) and explicitly invokes the 32-bit PowerShell at %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. This choice is deliberate: EDR telemetry coverage is frequently weighted toward 64-bit process activity. It cuts both ways for defenders, though: on 64-bit Windows the SysWOW64 PowerShell is almost never used legitimately, so its image path alone is a cheap, high-signal indicator, and the task registration leaves an on-disk artifact (the task definition under %windir%\System32\Tasks and the TaskCache keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule) that is worth hunting even though everything after it stays in memory. The script performs three steps: an AMSI bypass (patching AmsiUtils.amsiInitFailed in memory via Marshal::WriteInt32), RC4 string decryption with the hard-coded key BWJFEesMEqRvjQbm, and victim fingerprinting via an MD5 hash of COMPUTERNAME+USERNAME.

Stage 3 — per-victim subdomain on oakenfjrod[.]ru

The MD5 fingerprint serves as a subdomain label for a unique retrieval URL of the form <MD5_HASH>.oakenfjrod[.]ru/cloude-<uuid>. The response is piped straight into IEX and executed in memory in the same 32-bit PowerShell process; nothing is written to disk. The stage 3 script is around 17 MB (legitimate loaders are typically under 100 KB). That size is engineered to break automated deobfuscators, exhaust sandbox memory limits and tax analysts: integer-encoded byte arrays, multi-layer string fragmentation, runtime variable mangling, stacked Base64/RC4 layers and a third XOR layer with the key AMSI_RESULT_NOT_DETECTED. The per-victim subdomain makes static IOC sharing at the URL level nearly worthless; blocking the zone (*.oakenfjrod[.]ru) is what is meaningful, not individual subdomains. It has one upside for responders: because the host label is the victim hash, a single resolver log line or Sysmon DNS event identifies which machine reached out, and if the exact concatenation is known the hash can be recomputed for your own asset list.
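
An added example of the kind of helper an analyst writes to strip these layers during static analysis (my code, not the campaign's script or Cyderes's tooling). It implements plain RC4 with the stage 2 key and repeating-key XOR with the stage 3 key named above, plus a parser for PowerShell-style integer byte arrays. The page lists the layers but not their order; the base64 -> RC4 -> XOR order in peel() is my assumption and may need reversing or repeating against a real sample. The encrypted blob is constructed inline by wrap(), the inverse of peel(), so the example runs offline.

```python
import base64
import re

RC4_KEY = b"BWJFEesMEqRvjQbm"          # stage 2 RC4 key named in the Cyderes report
XOR_KEY = b"AMSI_RESULT_NOT_DETECTED"   # stage 3 XOR key named in the Cyderes report


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: one function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, the third layer described for stage 3."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def int_array_to_bytes(text: str) -> bytes:
    """Collapse a PowerShell-style integer byte array, e.g. '[byte[]](87,114,105)'
    or '87, 114, 105', back into bytes. Only decimal literals are handled."""
    return bytes(int(tok) & 0xFF for tok in re.findall(r"\d+", text))


def peel(blob: str) -> str:
    """Unwrap base64 -> RC4 -> XOR. Assumed order (the report lists the layers,
    not their sequence); swap or repeat the steps as a real sample dictates."""
    raw = base64.b64decode(blob)
    return xor_repeating(XOR_KEY, rc4(RC4_KEY, raw)).decode("utf-8")


def wrap(plaintext: str) -> str:
    """Inverse of peel(); exists only to build the constructed sample below."""
    return base64.b64encode(rc4(RC4_KEY, xor_repeating(XOR_KEY, plaintext.encode()))).decode()


# Constructed sample inputs, not material from the campaign.
SAMPLE_PLAINTEXT = "Write-Host 'constructed sample, not the real stage 3'"
SAMPLE_BLOB = wrap(SAMPLE_PLAINTEXT)
SAMPLE_INT_ARRAY = "[byte[]](87,114,105,116,101,45,72,111,115,116)"   # spells Write-Host


if __name__ == "__main__":
    print(int_array_to_bytes(SAMPLE_INT_ARRAY).decode())
    print(peel(SAMPLE_BLOB))
```

For a 17 MB script the practical workflow is to extract each integer array and Base64 literal with a regex, run the relevant functions over every candidate, and keep whatever decodes to printable PowerShell; the RC4 implementation is verified in the test against the standard "Key"/"Plaintext" vector so the cipher itself is not in doubt when a sample refuses to decode.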

Stage 4 — reflective .NET infostealer

The terminal stage is a .NET infostealer embedded as raw bytes in the stage 3 script. It is never written to disk, never loaded as a module and spawns no child process: the entire execution runs in the existing powershell.exe address space via Assembly.Load(byte[]). This is functionally equivalent to execute-assembly (Cobalt Strike), Donut or SharpSploit, but without an unmanaged loader stub: no file artifact, no new process, no image-load event. It also explains the ordering of the chain: since .NET Framework 4.8, Assembly.Load on a byte array is itself routed through AMSI, so the stage 2 bypass has to land before this call or the stealer would be scanned on the way in. The stealer beacons over HTTPS to 185.177.239.255:443 — per Cyderes, Russian infrastructure — and demonstrably accesses the browser credential store (Cyderes cites SensitiveFileRead telemetry).

The methodological punchline: no single technique is new. What is notable is the stacking — every classic detection surface is addressed in the design — and the targeting: a rapidly growing population of non-technical users with high motivation, low threat awareness and a search engine that, for a moment, places the attacker exactly where a legitimate download page should be.

Who is affected

Condition: installation source (search result vs. known official URL)
  Affected / at risk: Windows workstations of first-time users who install Claude Code via a search engine
  Not affected / lower risk: users who install exclusively via the official, directly accessed Anthropic source

Condition: endpoint protection level
  Affected / at risk: machines without EDR, without proxy filtering, without a security team (sole traders, small teams, BYOD)
  Not affected / lower risk: managed endpoints with EDR, mshta/PowerShell hardening and outbound DNS/proxy filtering

Condition: operating system
  Affected / at risk: Windows with mshta.exe available and 32-bit PowerShell present
  Not affected / lower risk: macOS / Linux (the chain is Windows-specific: mshta.exe, SysWOW64 PowerShell)

Condition: where credentials live (browser store vs. password manager / hardware token)
  Affected / at risk: developer/platform laptops with stored browser credentials and Git/cloud/CI tokens
  Not affected / lower risk: devices without credentials stored in the browser, or with hardware-bound sessions

The point for my clients: this is not a product vulnerability you patch, but an attack on people and their workstations. The relevant question is not “which version do I have” but “who in my circle is installing an AI CLI tool for the first time right now — and does that person know what a real installation looks like.”

What it means for mid-market companies

For your development and platform teams, this campaign shifts the same quiet assumption my daily brief of 26 May already flagged: the developer laptop is no longer a side stage of corporate identity but a primary entry point. A single compromised laptop hands the attacker the browser credential store — and with it potentially Git access, cloud console sessions, CI/CD tokens and everything those identities reach. Hit a senior developer, and you are sitting close to the production paths.

What is special about this chain is that it bypasses exactly the protection layers smaller organizations rely on. File-based AV sees a valid MP3. AMSI is switched off after stage 2. The 32-bit PowerShell choice reduces EDR visibility. The final stealer leaves no file and no new process. Anyone basing endpoint security solely on signature-based AV has no resilient line here — the defense has to shift to behavioral telemetry (mshta network, unusual PowerShell starts, .NET assembly loads without a file) and to outbound network control (DNS/proxy filtering).

On the compliance side the finding is relevant as soon as an affected device has access to personal data or regulated systems. GDPR Art. 32 requires appropriate technical and organizational measures — which, given today's threat landscape, include awareness against social-engineering install lures and an endpoint-detection strategy beyond plain AV; under Art. 33/34 a confirmed credential leak can become reportable. NIS-2 Art. 21 addresses exactly this axis through the duty to risk management, awareness training and access control; Germany's BSI lists ClickFix-style social-engineering lures in its situation reports. I do not provide a legal assessment (I am not a lawyer); the concrete evaluation belongs with your DPO and your security officer.

What it means for technical development

Architecturally and culturally, the incident draws three lines.

First, “paste a command into a dialog” is never a legitimate installation step — and that belongs in team knowledge as a hard rule. No serious tool, Claude Code included, asks you to paste a command into the Windows Run dialog. ClickFix lives off beginners not having this baseline. The cheapest and most effective countermeasure is to make this one rule explicit — in onboarding, in internal docs, in every “how to install tool X” wiki entry with the official, directly linked source.

Second, detection has to move from the file artifact to behavior. This chain leaves no file after stage 1. Anyone looking only at file hashes and AV signatures sees nothing. The resilient signals are behavioral telemetry: mshta.exe with an outbound HTTPS connection (no legitimate purpose in most environments), 32-bit PowerShell from a COM-registered scheduled task, .NET assembly loads from PowerShell without a corresponding file (visible via ETW), and DNS queries to the stealer domain. It is a lesson in why modern endpoint defense keys on behavior, not artifacts.

Third, identity is the actual prize, not the machine. The target is the browser credential store, not the laptop. The structural consequence is to not leave credentials exploitable in the browser in the first place: phishing-resistant, hardware-bound authentication (passkeys/FIDO2), short-lived OAuth tokens with rotation, a password manager instead of browser storage. One caveat a practitioner should keep in mind: a stealer running as the user can still lift live session cookies from the browser, so passkeys stop the password harvest but not session replay; that is what short token lifetimes and device-bound sessions are for. Anyone with that layer reduces the damage of a compromised endpoint from "identity takeover" to "reimage a device."

Concrete recommendation

Operational decision block

In this order. First, awareness as an immediate measure: add the rule “you never install Claude Code (or any other tool) by pasting a command into the Windows Run dialog” to onboarding and internal docs, with the official, directly linked source. Second, set up detection (managed endpoints):


# Behavioral signals (EDR/SIEM rules, in spirit):
# 1. mshta.exe with an outbound network connection -> alert (MITRE T1218.005)
# 2. 32-bit PowerShell (SysWOW64\...\powershell.exe) launched from a COM-registered scheduled task -> alert (T1059.001, T1053.005)
# 3. .NET assembly load from PowerShell without a backing file on disk (DotNETRuntime ETW) -> alert (T1620)
# 4. DNS query for any subdomain of oakenfjrod[.]ru -> block + alert (T1568)
# 5. Outbound connection to 185.177.239.255:443 -> block + alert (T1071.001)
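
Signals 1, 2, 4 and 5 from the list above, as an added example run over constructed Sysmon-style events (my code, not a Cyderes detection or a vendor rule). It keeps a small process table so the scheduled-task check walks the ancestry (svchost hosting the Schedule service -> cmd.exe -> SysWOW64 powershell.exe) instead of looking at one parent, and it adds one heuristic of my own: powershell.exe spawned by a cmd.exe whose command line never contains the word "powershell", which is exactly what the split-variable reconstruction produces. Signal 3 needs the Microsoft-Windows-DotNETRuntime ETW provider and is left out. The field names follow Sysmon event IDs 1, 3 and 22; the events, GUIDs, the split-variable cmd line and the subdomain hash are all constructed.

```python
C2_ZONE = "oakenfjrod.ru"                 # per-victim subdomains live here (per Cyderes)
DELIVERY_DOMAIN = "download.version-516.com"
C2_IP = "185.177.239.255"
SYSWOW64_PS = r"\syswow64\windowspowershell\v1.0\powershell.exe"
SCHEDULE_SVC = "-s schedule"              # the svchost instance hosting the Task Scheduler


def in_zone(name: str, zone: str) -> bool:
    """Exact or child-label match, so 'evil-oakenfjrod.ru' does not match."""
    name = name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Detector:
    """Stateful evaluator over Sysmon-style events (EventID 1, 3, 22)."""

    def __init__(self):
        self.procs = {}   # ProcessGuid -> ProcessCreate event, for ancestry walks

    def ancestry(self, guid, limit=8):
        chain = []
        while guid in self.procs and len(chain) < limit:
            ev = self.procs[guid]
            chain.append(ev)
            guid = ev.get("ParentProcessGuid")
        return chain

    def evaluate(self, ev: dict) -> list:
        """Return the names of the signals this event trips (empty = nothing)."""
        hits = []
        eid = ev["EventID"]
        image = ev.get("Image", "").lower()
        if eid == 1:                                   # ProcessCreate
            self.procs[ev["ProcessGuid"]] = ev
            parent_img = ev.get("ParentImage", "").lower()
            parent_cmd = ev.get("ParentCommandLine", "").lower()
            if image.endswith(SYSWOW64_PS):
                # Check each ancestor's own and recorded parent command line: the
                # svchost hosting the Schedule service usually predates the log window.
                lineage = [ev] + self.ancestry(ev.get("ParentProcessGuid"))
                if any(SCHEDULE_SVC in (a.get("CommandLine", "") + " " +
                                        a.get("ParentCommandLine", "")).lower()
                       for a in lineage):
                    hits.append("syswow64_powershell_from_scheduled_task (T1059.001, T1053.005)")
            if (image.endswith("\\powershell.exe") and parent_img.endswith("\\cmd.exe")
                    and "powershell" not in parent_cmd):
                hits.append("powershell_name_absent_from_parent_cmdline (heuristic)")
        elif eid == 3:                                 # NetworkConnect
            if image.endswith("\\mshta.exe"):
                hits.append("mshta_network_connect (T1218.005)")
            if ev.get("DestinationIp") == C2_IP and str(ev.get("DestinationPort")) == "443":
                hits.append("c2_ip_connect (T1071.001)")
        elif eid == 22:                                # DnsQuery
            q = ev.get("QueryName", "")
            if in_zone(q, C2_ZONE) or in_zone(q, DELIVERY_DOMAIN):
                hits.append("dns_campaign_domain (T1568)")
        return hits


def run(events):
    d = Detector()
    return [d.evaluate(e) for e in events]


SPLIT_CMD = r'cmd.exe /c "set a=power&& set b=shell&& call %a%%b% -w hidden -nop"'  # illustrative

SAMPLE_EVENTS = [  # constructed Sysmon-style events, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ProcessGuid": "{G-CMD}",
     "ParentProcessGuid": "{G-SVC}", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "CommandLine": SPLIT_CMD},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ProcessGuid": "{G-PS}", "ParentProcessGuid": "{G-CMD}",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": SPLIT_CMD,
     "CommandLine": "powershell -w hidden -nop"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 22, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "9e107d9d372bb6826bd81d3542a419d6.oakenfjrod.ru"},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "185.177.239.255", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ProcessGuid": "{G-OK}", "ParentProcessGuid": "{G-EXP}",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "example.com"},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(ev["EventID"], ev["Image"].rsplit("\\", 1)[-1], "->", hits or "clean")
```

The two indicator-based checks (the zone and the IP) will rot as the operator rotates infrastructure; the three behavioral ones (mshta with a socket, SysWOW64 PowerShell under the Task Scheduler, a child whose name is missing from the parent command line) survive that. Tune the mshta rule per environment, since a few legacy line-of-business tools do launch HTAs that fetch resources over the network.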


Third, network/DNS blocks: wildcard-block *.oakenfjrod[.]ru as well as the delivery domain download.version-516[.]com and the C2 IP 185.177.239.255 (noting that the operator rotates the infrastructure per Cyderes — a domain wildcard is more robust than single IOCs). Fourth, incident response on suspicion: treat the affected device as compromised (reimage, do not “clean”), assume all browser-stored passwords and sessions are leaked, revoke and reissue OAuth tokens (GitHub, cloud, CI/CD), check MFA factors. Fifth, harden medium term: disable browser credential storage in favor of a password manager, passkeys/FIDO2 for the critical access, short-lived tokens with rotation, and at least outbound DNS filtering on unmanaged devices.

If these steps cannot be run in-house, talk to me: I set up detection for developer workstations, harden identity and token layers, and support incident response on suspected credential leaks — platform operations, not advice on paper.

This article reflects my technical and strategic assessment. It does not replace legal advice or a data-protection impact assessment.

Conclusion

This campaign is technically no breakthrough — every single technique is known — and that is exactly what makes it instructive: it shows how an attacker, through clean stacking of known building blocks, builds a chain that slips past file-based AV, AMSI, DNS reputation and image-load monitoring, and aims it at the growing group of AI-tool beginners who have the least protection. For mid-market companies the lesson is twofold: first the cheap, effective awareness rule (no tool installs via a command in the Run dialog), second the shift of defense from the file artifact to behavior and identity. Anthropic is not the leak — the unprotected first-install moment is. Risk, soberly: high for unprotected Windows workstations of beginners, low for hardened, managed environments — and the awareness rule costs nothing.


About the author


Kai Ole Hartwig

Freelance DevSecOps consultant · OnlyOle Consulting

Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.