Fake Claude Code Installer Targets Developers With Browser Credential Stealer
ID: 683c7f89-42c1-58b1-abac-77ca40e1d479
STIX ID: report--683c7f89-42c1-58b1-abac-77ca40e1d479
Feed Name: HackRead
Ontinue reports a campaign that lures developers to lookalike installer pages for an AI tool ('Claude Code'), which deliver a heavily obfuscated PowerShell loader. The loader locates Chromium-family browsers, recovers ABE-protected encryption keys by injecting a native helper (payload_x64.bin) and abusing browser Elevation Service COM interfaces, decrypts browser-stored cookies, credentials and payment data, packages them in memory (secure_prefs.zip) and exfiltrates them to mt7263.com, while maintaining persistence via a per-minute scheduled PowerShell task.
