Fake Anthropic Sites Deliver Fileless Infostealer to Claude Code Users
ID: 4c43f5b2-8a2f-5760-8094-b9b9073311a5
STIX ID: report--4c43f5b2-8a2f-5760-8094-b9b9073311a5
Feed Name: HackRead
A Cyderes investigation details an active credential‑stealing campaign that uses SEO poisoning and a spoofed Anthropic installer to trick Claude Code users into running an MP3/HTA polyglot via mshta.exe. Execution is fileless and stays in memory: mshta.exe launches a 32‑bit PowerShell process to evade EDR, applies an AMSI bypass, downloads deliberately oversized scripts meant to crash sandboxes, and reflectively loads a .NET infostealer that harvests browser credentials and exfiltrates them to a C2 (reported to route to Russian infrastructure). Defenders are advised to block *.oakenfjrod.ru and to monitor mshta.exe for outbound network connections.
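The two defensive actions in the summary (block the domain, watch mshta.exe for outbound connections) can be turned into detection logic over endpoint telemetry. The following is an added example, not code from the Cyderes report or the HackRead post: it classifies Sysmon‑style process‑creation, network‑connection and DNS events, flagging mshta.exe spawning PowerShell (and specifically the 32‑bit SysWOW64 binary, which is an assumption about what "32‑bit PowerShell" means on a 64‑bit host), mshta.exe being handed a non‑.hta argument such as an .mp3, and any contact with the reported domain. The events, the `cdn.` subdomain and the `setup_stub.exe` parent name are constructed for the demonstration; only the *.oakenfjrod.ru pattern comes from the summary.

```python
"""Detection helpers for the mshta.exe tradecraft described above.

Added example; the event records are constructed Sysmon-style dicts
(EventID 1 = process create, 3 = network connect, 22 = DNS query).
Field names follow Sysmon's schema, values are invented.
"""
import fnmatch
import ntpath

# Only real indicator on the page: the reported C2 domain (apex and subdomains).
BLOCKED_DOMAIN_PATTERNS = ["oakenfjrod.ru", "*.oakenfjrod.ru"]

# Assumption: "32-bit PowerShell" means the WOW64 binary on a 64-bit Windows host.
WOW64_POWERSHELL = r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"


def basename(path):
    """Lower-cased file name of a Windows path (empty string for None)."""
    return ntpath.basename(path or "").lower()


def domain_blocked(hostname):
    """True if the hostname is the blocked apex or any subdomain of it."""
    host = (hostname or "").lower().rstrip(".")
    return any(fnmatch.fnmatch(host, pat) for pat in BLOCKED_DOMAIN_PATTERNS)


def classify(event):
    """Return the list of alert tags (possibly empty) for one event dict."""
    tags = []
    eid = event.get("EventID")
    image = basename(event.get("Image"))
    parent = basename(event.get("ParentImage"))

    if eid == 1:
        # mshta.exe launching PowerShell, with the 32-bit path called out.
        if parent == "mshta.exe" and image == "powershell.exe":
            tags.append("mshta_spawns_powershell")
            if (event.get("Image") or "").lower() == WOW64_POWERSHELL:
                tags.append("wow64_powershell")
        # mshta.exe given a file that is not an .hta (e.g. the MP3/HTA polyglot).
        if image == "mshta.exe":
            args = (event.get("CommandLine") or "").split()[1:]
            if args and not any(a.lower().endswith(".hta") for a in args):
                tags.append("mshta_non_hta_argument")
    elif eid == 3:
        # Any outbound connection initiated by mshta.exe is worth a look.
        if image == "mshta.exe" and event.get("Initiated", True):
            tags.append("mshta_outbound_connection")
        if domain_blocked(event.get("DestinationHostname")):
            tags.append("blocked_domain_contact")
    elif eid == 22:
        if domain_blocked(event.get("QueryName")):
            tags.append("blocked_domain_dns")
    return tags


def scan(events):
    """Return (index, tags) pairs for every event that produced at least one tag."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed sample telemetry: the first four records mimic the campaign,
# the last two are benign controls that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Users\dev\Downloads\setup_stub.exe",
     "CommandLine": r"mshta.exe C:\Users\dev\AppData\Local\Temp\track.mp3"},
    {"EventID": 1,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c <payload omitted>"},
    {"EventID": 22, "Image": r"C:\Windows\System32\mshta.exe",
     "QueryName": "cdn.oakenfjrod.ru"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe", "Initiated": True,
     "DestinationHostname": "cdn.oakenfjrod.ru", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Tools\legacy_dialog.hta"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": True, "DestinationHostname": "www.anthropic.com",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(tags)}")
```

The non‑.hta argument check is a heuristic: mshta.exe will happily run URLs and arbitrary extensions, so tune it to your environment rather than treating it as a hard block. Pairing the domain match with the mshta.exe process filter (the DNS and network events carry the originating image) keeps the alert specific to this tradecraft rather than to every host resolving the domain.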
