Fake Claude Code Installer Spreads Fileless .NET Infostealer
ID: c3ffce66-7056-5ec9-a60f-7e4ff861ce2b
STIX ID: report--c3ffce66-7056-5ec9-a60f-7e4ff861ce2b
Feed Name: GBHackers
Hackers are abusing search-engine results for “Claude Code install” with a spoofed installer site that instructs victims to run an MSHTA command. That command fetches an MP3/HTA polyglot; the embedded HTA launches layered PowerShell loaders that bypass AMSI, decrypt the next stage in memory, and reflectively load a fileless .NET infostealer. The infostealer harvests browser credentials and exfiltrates the data to per-victim wildcard C2 infrastructure (examples: download.version-516.com, oakenfjrod.ru, 185.177.239.255).
