Skip to main content
Emerging ThreatsMalware & Ransomware

PowerShell Stealer Targets Devs via Fake Claude Code Pages

Developers' workstation with laptop, code editor, notes, and coffee cups in a bright office setting.

"Developers hold the keys to an organization's most sensitive assets - intellectual property, cloud infrastructure, CI/CD pipelines," Vineeta Sangaraju, AI tesearch engineer at Black Duck, said.

Fake Claude Code pages and the malicious install command

Ontinue's Cyber Defense Center detailed on 11 May a targeted campaign that used lookalike Claude Code installation pages to push a previously undocumented information stealer. Victims arrived at the malicious pages after clicking sponsored search results for "install claude code." The lure mimicked legitimate Claude Code documentation but rendered an altered one-line installation command directly in HTML, swapping the canonical Anthropic host for an attacker-controlled domain.

Crucially, the domain's /install.ps1 returned a verbatim copy of the genuine installer. That design made automated URL scanners and basic file-inspection tools observe clean PowerShell content while the visible command on the webpage redirected victims to a malicious payload.

Obfuscated PowerShell loader and native helper targeting Chromium

When the pasted command executed, it fetched a heavily obfuscated PowerShell loader of approximately 600 KB. The loader enumerated Chromium-family browsers — explicitly including Chrome, Edge, Brave, Vivaldi, Perplexity Comet and Arc — and reflectively injected a 4,608-byte native helper into a live browser process.

Ontinue reported the helper's sole function is to invoke the browser's IElevator2 COM interface, introduced in Chrome 144, to recover the App-Bound Encryption key. The campaign thus seeks to bypass App-Bound Encryption protections and exfiltrate cookies, passwords and payment data from developer workstations.

Ontinue also observed that the helper exposes no network, file or cryptographic imports; instead, all detection-visible activity — SQLite access, archive construction and HTTPS exfiltration — was confined to the PowerShell layer. That split appears engineered to evade behavioral rule sets that inspect native binaries in isolation.

Persistence, regional exclusions, and a high-confidence detection signature

Compile-date evidence in the samples places construction within 60 days of the Chrome 144 release in January 2026, indicating the developers tracked upstream Chromium changes. The loader establishes persistence via a Windows scheduled task that polls the operator's command-and-control every minute.

Ontinue noted a transcription error in the embedded Edge IElevator2 IID: two nibbles were transposed in the Data3 field. The malformed identifier causes the initial COM call to fail silently and triggers a fallback to the legacy IElevator interface. Ontinue highlighted that the malformed identifier doubles as a high-confidence detection signature.

The loader also implements regional exclusions: it exits early if the host's region matches an exclusion list covering Iran, Russia and other Commonwealth of Independent States (CIS) members, among others.

What this means for developer workstations, security teams, and defenders

  • Developer workstations: As Vineeta Sangaraju warned, compromised developer hosts can pivot into source code repositories, cloud environments and CI/CD pipelines — escalating a local compromise into supply-chain and infrastructure exposure.
  • Security teams and SOC operators: The payload's split architecture — a tiny native helper with no observable imports plus heavy activity in PowerShell — means detection rules that focus on native binaries alone will miss the malicious behavior. The malformed IElevator2 IID provides a concrete, high-confidence signature defenders can hunt for.
  • Defenders and platform owners: The campaign's reliance on lookalike documentation pages and sponsored search results underlines the need to monitor newly registered domains and scrutinize installation instructions rendered in HTML rather than only the fetched artifacts.

Practical mitigations recommended by Ontinue

Ontinue urged specific defensive actions: enforce PowerShell Constrained Language Mode, enable script block logging, and apply web content filtering against newly registered domains. These measures target the vehicle (obfuscated PowerShell) and the initial web-based lure that redirected installers off the legitimate Anthropic host.

The campaign's design — a near-verbatim installer hosted at an attacker domain, a heavy PowerShell layer, a tiny native helper that recovers App-Bound Encryption keys, and minute-level C2 polling — presents a clear technical profile defenders can use to prioritize hunting and controls.

As Ontinue's analysis shows, the adversary focused on a narrow, high-value target set: developer workstations and Chromium-family browsers where recovering App-Bound Encryption keys unlocks cookies, passwords and payment data. The combination of a polished lure and split-layer execution raises the bar for detection but also leaves distinctive artifacts — the malformed IElevator2 IID and the scheduled task pattern — that security teams can and should hunt for.

Original story