Threat Actors Exploit Fake Claude Code Downloads to Deploy Infostealer Malware

Threat actors are abusing interest in Anthropic’s Claude Code tools by setting up fake download pages that ultimately drop a lightweight infostealer via mshta.exe.

The campaign shows how a single living‑off‑the‑land binary (LOLBIN) can power an effective data‑theft chain without any complex malware framework.

Attackers register or compromise domains that appear to be legitimate Claude Code download portals and seed them via search results, ads, and social media posts targeting developers and power users.

In this incident, the domain it[.]com was used as the delivery point, hosting a fake installer or download link that claims to provide the Claude Code desktop application.

Once the victim clicks the “download” button, they receive either a script‑based loader or a shortcut file that quietly hands execution over to built‑in Windows binaries instead of a real installer.

The approach mirrors previous campaigns abusing fake AI tools and installers, where the branding of ChatGPT or Claude is enough to convince users to run unsigned code.

Because the downloaded files often appear small, script‑based, and without obvious payloads, they can bypass a quick manual check by a less cautious user.

MSHTA as the Delivery Workhorse

The key enabler in this attack is mshta.exe, Microsoft’s HTML Application Host, a long‑abused LOLBin that can execute HTA files and remote scripts with the same trust as native Windows components.

This gives the operator a simple, script‑friendly way to pull down the infostealer without dropping a traditional executable at the first stage.

Claude Code Downloads.
Claude Code Downloads.

The HTA then decodes and runs additional scripts or shell commands that gather credentials, browser data, and system information before exfiltrating them to attacker‑controlled infrastructure.

After the victim launches the fake installer, a command spawns mshta.exe with a remote URL parameter, instructing it to fetch and execute an HTA payload directly from it[.]com.

All of this can happen in a single user session where the only visible artifact is a brief installer window or nothing at all, depending on how the lure is designed.

Why Simple LOLBins Still Matter

This campaign reinforces that defenders cannot afford to treat mshta.exe alerts as background noise or low‑priority events.

Security teams repeatedly find that a single suspicious mshta.exe process especially one reaching out to an external domain can be the first and only clue in a multi‑stage infostealer chain.

Even when endpoint controls block the final payload, the initial mshta.exe invocation provides valuable indicators of compromise for wider hunting and containment.

Not every high‑value detection relies on machine‑learning models or deep sandboxing; carefully watching a handful of LOLBins such as mshta.exe, powershell.exe, and wscript.exe often surfaces real attacker behavior early.

For defenders, tuning detections around remote HTA execution, unexpected parent processes for mshta.exe, and outbound connections to newly seen domains like it[.]com can deliver strong, low‑noise signals for ongoing threat campaigns.

Related Articles

Back to top button