Fake Claude Code Page Pushes PowerShell Stealer at Devs
ID: aed3570f-9c78-5d6b-a365-e07afcdf33cb
STIX ID: report--aed3570f-9c78-5d6b-a365-e07afcdf33cb
Feed Name: Infosecurity Magazine (News)
Ontinue's Cyber Defense Center reported a campaign that used lookalike Claude Code installation pages and sponsored search ads to trick developers into running a PowerShell installer, which fetched a large obfuscated loader. The loader enumerated Chromium-family browsers and reflectively injected a native helper that exploited a browser COM interface (IElevator2, with a legacy fallback) to recover App-Bound Encryption keys and exfiltrate cookies, credentials and payment data. It persisted via a scheduled task and excluded certain regions from execution.
