Ontinue's Cyber Defense Center disclosed on 11 May 2026 a malvertising campaign that uses fake Claude Code installation pages to deliver a previously undocumented PowerShell information stealer targeting developer workstations. Victims reach three operator-controlled lookalike domains, registered within a six-day window in April 2026, via sponsored search results for "install claude code," where an altered one-line install command points to an attacker host while /install.ps1 returns the legitimate installer to evade URL scanners. The pasted command fetches a roughly 600 KB obfuscated PowerShell loader that reflectively injects a 4,608-byte native helper into Chromium-family browsers (Chrome, Edge, Brave, Vivaldi, Arc, Perplexity Comet) and invokes the IElevator2 COM interface introduced in Chrome 144 to recover App-Bound Encryption keys and exfiltrate cookies, passwords and payment data. Persistence is established through a scheduled task polling C2 every minute, with early exit on hosts geolocated to Iran, Russia and other CIS countries. Ontinue recommends enforcing PowerShell Constrained Language Mode, enabling script block logging, and filtering newly registered domains.
// Alert
Claude threat report
// ClaudeMEDIUM
// Get alerts for Claude