Hackers Use Fake Claude Code Install Page to Deliver Fileless .NET Infostealer
ID: 04aa88e0-5968-57d7-b990-13559ddd1603
STIX ID: report--04aa88e0-5968-57d7-b990-13559ddd1603
Feed Name: cybersecurityNews.com
Executive summary: A threat actor campaign is using SEO poisoning to promote spoofed Anthropic/Claude Code install pages that trick primarily non-technical users into executing a ClickFix-style MSHTA command. The attack chain uses an MP3/HTA polyglot, 32-bit PowerShell with an AMSI bypass and RC4 decryption, and a reflectively loaded .NET infostealer that beacons to 185.177.239.255 and *.oakenfjrod.ru to exfiltrate credentials. The report provides IoCs (domains, the IP, and the per-victim C2 URL pattern), notes the campaign's fileless design to evade EDR, AMSI and sandboxing, and recommends blocking outbound connections from mshta.exe and wildcard DNS blocking for oakenfjrod.ru.
