Fileless Infostealer Attacks Target Claude Code Users Through Counterfeit Anthropic Platforms
- May 31
- 3 min read
Key Findings
Active credential theft campaign targeting Claude Code users exploiting rapid AI tool adoption
Attack chain begins with SEO poisoning directing victims to spoofed Anthropic installation pages
Fileless infostealer uses MP3/HTA polyglot payload and in-memory execution to evade detection
Command and control infrastructure routes through Russian IP infrastructure at 185.177.239.255
Anthropic's systems have not been compromised; attack targets individual users lacking enterprise protections
Background
Cyderes security research has uncovered a sophisticated campaign exploiting the growing popularity of Anthropic's Claude Code tool. The threat actors are specifically targeting first-time users who are less likely to recognize malicious websites, including small business owners, entrepreneurs, and educators. The campaign demonstrates how rapidly emerging AI tools become attractive targets for credential theft operations before users develop security awareness around them.
The ClickFix Attack Chain
The attack begins when victims search for Claude Code installation instructions. SEO poisoning techniques direct them to fraudulent Anthropic websites that appear legitimate. Users are then instructed to open the Windows Run dialog using Win+R and paste a malicious mshta.exe command. This social engineering approach, known as ClickFix, tricks users into executing the command themselves, bypassing many automated security systems that struggle to analyze manual user actions.
Sophisticated Payload Delivery
The mshta.exe command retrieves a 6.7 MB file from download.version-516.com/claude that is engineered to fool security inspection tools. The file is a MP3/HTA polyglot, meaning it contains valid audio metadata and cover art that allows it to pass as a legitimate audio file while simultaneously hiding an embedded HTA script block. When executed by mshta.exe, the audio wrapper is ignored and the hidden script executes instead.
Evasion Tactics and In-Memory Execution
Once on the victim's system, the malicious script creates a hidden task that specifically launches 32-bit PowerShell rather than the standard 64-bit version. This is a deliberate targeting of a detection gap, as most modern EDR systems focus their monitoring on 64-bit PowerShell processes. The loader then performs an AMSI bypass, effectively disabling Windows' built-in script scanner to prevent detection of malicious commands.
The attackers further obfuscate their payload by mixing the victim's computer name and username into a unique scrambled code using a hardcoded key. This prevents security researchers from easily replicating or analyzing the attack. The next stage downloads a massive 17 MB script intentionally designed to crash security sandbox environments that attempt to analyze it, preventing automated threat detection.
Fileless Infostealer Delivery
The entire attack operates in temporary memory rather than writing files to disk, making it nearly invisible to traditional file-based detection systems. The Stage 3 script contains a reflective .NET infostealer that abuses the .NET Framework's Assembly.Load feature to execute code directly within the active PowerShell process address space. This keeps the attack confined to a single process with no suspicious file creation or spawning of new processes.
Data Exfiltration and Attribution
Once loaded, the infostealer accesses the browser credential store to harvest saved usernames, passwords, and other authentication data. The stolen information is transmitted to a command and control server at 185.177.239.255:443. Cyderes researchers confirmed this IP address infrastructure is located in Russia, suggesting a Russian-based threat group operating the campaign.
Recommendations and Indicators
Cyderes confirmed that Anthropic's infrastructure has not been compromised; the attack targets individual users through social engineering and malicious websites. Organizations can protect against this campaign by blocking wildcard DNS queries to *.oakenfjrod.ru and monitoring outbound network connections originating from mshta.exe processes. Users should also be educated to avoid copy-pasting commands from suspicious websites and to verify legitimacy through official Anthropic channels.
Sources
https://hackread.com/fake-anthropic-sites-fileless-infostealer-claude-code-users/
https://x.com/HackRead/status/2060773810526179518
https://www.reddit.com/r/InfoSecNews/comments/1ts5qj6/fake_anthropic_sites_deliver_fileless_infostealer
https://www.socdefenders.ai/item/10368c4a-f232-45fd-97ff-6237304ec17b

Comments