Obfuscated PowerShell infostealer deployed via fake Claude Code pages to harvest browser data from developer workstations

1 unique source, 1 article

Summary

A previously undocumented PowerShell-based information stealer was distributed through fraudulent Claude Code installation pages, targeting developer workstations to harvest cookies, passwords, and payment data from Chromium-family browsers. Victims were redirected via sponsored search results for "install claude code" to spoofed pages that delivered an obfuscated PowerShell loader. The loader reflectively injected a native helper into live browser processes to extract App-Bound Encryption keys via the IElevator2 COM interface. The campaign operated from operator-controlled domains registered in April 2026, with payloads designed to evade behavioral detection by splitting malicious functionality between PowerShell and native code. Persistence was established via scheduled tasks polling a C2 endpoint with regional exclusions.

Timeline

  1. 11.05.2026 17:00

    Undocumented PowerShell infostealer delivered via fake Claude Code installers to harvest browser data

    Between late April and early May 2026, a previously undocumented PowerShell-based information stealer was distributed via fake Claude Code installation pages. The campaign redirected victims from sponsored search results to spoofed pages delivering an obfuscated PowerShell loader designed to harvest cookies, passwords, and payment data from Chromium-family browsers. The loader reflectively injected a native helper into live browser processes to extract App-Bound Encryption keys via the IElevator2 COM interface, a technique resembling Glove Stealer (2024). Persistence was established via scheduled tasks polling a C2 endpoint with regional exclusions, and the malware’s split architecture was engineered to evade behavioral detection by confining visible activity to the PowerShell layer.

Information Snippets

  • The campaign distributed a previously undocumented information stealer through fake Claude Code installation pages, hijacking Chromium browsers to bypass App-Bound Encryption and exfiltrate cookies, passwords, and payment data from developer workstations.

    First reported: 11.05.2026 17:00
  • Victims were redirected from sponsored search results for "install claude code" to spoofed pages that delivered an obfuscated PowerShell loader via a maliciously altered one-line installation command.

    First reported: 11.05.2026 17:00
  • The PowerShell loader is approximately 600 KB in size and was compiled within 60 days of Chrome 144’s January 2026 release, indicating active tracking of upstream Chromium changes.

    First reported: 11.05.2026 17:00
  • The loader reflectively injects a 4608-byte native helper into live browser processes to invoke the IElevator2 COM interface and recover App-Bound Encryption keys, a technique previously observed in Glove Stealer (2024).

    First reported: 11.05.2026 17:00
  • The native helper exposes no network, file, or cryptographic imports, confining detection-visible activity to the PowerShell layer to evade behavioral rule sets inspecting native binaries in isolation.

    First reported: 11.05.2026 17:00
  • The loader establishes persistence via a Windows scheduled task polling a C2 endpoint every minute, with early exit if the host’s region matches an exclusion list including Iran, Russia, and CIS members.

    First reported: 11.05.2026 17:00
  • The loader contains a transcription error in the Edge IElevator2 IID (Data3 field) that causes the initial call to fail silently, triggering a fallback to the legacy IElevator interface; this fallback doubles as a high-confidence detection signature.

    First reported: 11.05.2026 17:00
  • The campaign’s operator-controlled domains were registered within a six-day window in April 2026.

    First reported: 11.05.2026 17:00