Fake Claude Code Installer on Google Sites Steals Credentials
ID: 5ac99735-5b44-56d0-b38c-9e3d03cae571
STIX ID: report--5ac99735-5b44-56d0-b38c-9e3d03cae571
Feed Name: GBHackers
## Executive Summary

The report describes a ClickFix-style campaign abusing trusted Google Sites to host fake installers for AI developer tools (e.g., Claude Code/Codex) that instruct victims to run an mshta command. That command retrieves obfuscated PowerShell which bypasses AMSI and certificate checks, decodes steganographically concealed shellcode from images, injects and executes it in-memory inside powershell.exe, and exfiltrates browser credentials, email data, and cryptocurrency wallet information.
