Particle.news

Counterfeit Claude Code Installer Targets Developers With Browser Credential Theft

Researchers say the lure abuses Chrome’s built-in elevation interface to bypass App-Bound Encryption.

Overview

  • Security researchers confirmed an active campaign that uses sponsored search results to lead developers to a fake Claude Code installation page.
  • The lookalike page shows a one-line command that swaps the real host for an attacker domain, while the domain’s /install.ps1 serves the genuine script to appear clean to scanners.
  • Running the command pulls a heavily obfuscated PowerShell loader that injects a 4.6 KB helper into a Chromium browser to call IElevator2, a built-in elevation service, and recover keys that unlock saved passwords, cookies, and payment data.
  • The malware maintains access with a Windows scheduled task that polls its control server every minute, and it exits on systems in certain regions, such as Russia, Iran, and other CIS countries.
  • Experts urge immediate steps, including restricting and logging PowerShell use, filtering newly registered domains, rotating credentials across the enterprise, and downloading installers only from official vendor sites.
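As an added defender-side example, not taken from the Particle.news summary or the researchers' report, the PowerShell script below hunts for the persistence pattern in the fourth bullet (a scheduled task that launches PowerShell on a short repetition interval) and checks whether script block logging, part of the advice in the last bullet, is enabled on the host. The 5-minute threshold, the function names `Find-ShortIntervalPowerShellTask` and `Test-ScriptBlockLogging`, and the console output format are assumptions for illustration; the cmdlets and the registry value are standard Windows ones.

```powershell
# Added example (not from the summary or the report it describes).
# Hunts for scheduled tasks that launch powershell.exe/pwsh.exe and repeat at a
# short interval, then checks whether PowerShell script block logging is on.

function Find-ShortIntervalPowerShellTask {
    param(
        # Assumption: anything repeating at or below this interval is worth a look.
        [TimeSpan]$MaxInterval = [TimeSpan]::FromMinutes(5)
    )

    foreach ($task in Get-ScheduledTask) {
        # Any action that runs PowerShell directly or passes it as an argument (e.g. via cmd.exe)?
        $launchesPS = $task.Actions | Where-Object {
            ($_.Execute -match 'powershell|pwsh') -or ($_.Arguments -match 'powershell|pwsh')
        }
        if (-not $launchesPS) { continue }

        # Any trigger whose repetition interval (ISO 8601 duration, e.g. PT1M) is short?
        $shortRepeat = $task.Triggers | Where-Object {
            $_.Repetition -and $_.Repetition.Interval -and
            ([System.Xml.XmlConvert]::ToTimeSpan($_.Repetition.Interval) -le $MaxInterval)
        }
        if (-not $shortRepeat) { continue }

        [PSCustomObject]@{
            TaskName = $task.TaskName
            TaskPath = $task.TaskPath
            Author   = $task.Author
            Interval = ($shortRepeat | ForEach-Object { $_.Repetition.Interval }) -join ','
            Command  = ($launchesPS | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
        }
    }
}

function Test-ScriptBlockLogging {
    # Policy key that enables PowerShell script block logging (Event ID 4104).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $value = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.EnableScriptBlockLogging -eq 1)
}

# Usage: run in an elevated PowerShell session on the host being checked.
$findings = @(Find-ShortIntervalPowerShellTask)
if ($findings.Count -gt 0) {
    Write-Output 'Scheduled tasks that launch PowerShell on a short repetition interval:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No short-interval PowerShell scheduled tasks found.'
}

if (Test-ScriptBlockLogging) {
    Write-Output 'Script block logging is enabled.'
} else {
    Write-Output 'Script block logging is NOT enabled; set EnableScriptBlockLogging=1 under the policy key above (or via GPO).'
}
```

Legitimate software does occasionally register short-interval tasks, so treat hits as leads to review (author, task path, and the full command line) rather than as verdicts; the interval threshold and the name patterns are the two knobs to tune for a given environment.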