Cybercriminals Impersonate Claude Code to Deploy Fileless .NET Infostealer
ID: 7db44f2d-18c8-56f6-ad5a-4db9e6fce59d
STIX ID: report--7db44f2d-18c8-56f6-ad5a-4db9e6fce59d
Feed Name: Cyber Press
This report details an active SEO-poisoning campaign that lures new AI tool users to fake Claude Code installation pages; victims are socially engineered to paste a command that uses mshta to fetch a 6.7 MB MP3/HTA polyglot. The polyglot executes a hidden HTA script, creates a scheduled task to launch 32-bit PowerShell, disables AMSI, decrypts payloads, and downloads a large obfuscated in-memory PowerShell infostealer. Provided IOCs include download.version-516.com, oakenfjrod.ru (wildcard), and 185.177.239.255.
