
Threat Actors Use Fake Claude Code Download Pages to Deploy Fileless Infostealer
Tags: cybersecurity, infostealer, mshta.exe, Claude Code, MITRE ATT&CK T1218.005, Google Ads, fileless malware
Threat actors are using fake Claude Code download pages to deploy a fileless infostealer via mshta.exe — developers should be aware.

Attackers create convincing fake download portals for Claude Code, using hijacked Google Ads to rank them highly in search results. When users click the download button, the site executes mshta.exe to run a remote HTA payload in memory, avoiding disk writes. The infostealer targets browser credentials, session tokens, and sensitive data, exfiltrating them to attacker-controlled infrastructure. The technique leverages mshta.exe, a trusted Windows binary, and is tracked under MITRE ATT&CK T1218.005.
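The detection point in the summary above is the process chain itself: a browser (the fake download page) spawning mshta.exe with an HTTP(S) URL as its argument, so the HTA never touches disk. The following is an added example of that detection logic, not code from the original article; it runs over constructed Sysmon Event ID 1 style records (the image paths, command lines and hostname are made up) and flags the T1218.005 pattern, weighting a browser parent higher because a legitimate HTA launched by a user normally arrives via explorer.exe with a local path.

```python
"""Detection sketch for mshta.exe proxying a remote HTA (MITRE ATT&CK T1218.005).

Added example; the events below are constructed, not taken from the page.
"""
import re
from typing import Optional

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {   # fake download page: browser launches mshta.exe against a remote HTA
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe https://download.example.invalid/ClaudeCodeSetup.hta",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    },
    {   # user double-clicked a local .hta from Explorer: worth a look, not an alert
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe C:\Users\dev\Downloads\report.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # ordinary browsing, no mshta.exe involved at all
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r"chrome.exe https://download.example.invalid/",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Browser executables whose child mshta.exe should be treated as a web-delivered payload.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# An http:// or https:// argument means the HTA is fetched and run from memory.
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[dict]:
    """Return a finding for an mshta.exe launch, or None for any other process."""
    if basename(event["Image"]) != "mshta.exe":
        return None
    parent = basename(event["ParentImage"])
    match = REMOTE_URL.search(event["CommandLine"])
    if match:
        # Remote HTA: fileless execution via a signed Windows binary (T1218.005).
        severity = "high" if parent in BROWSERS else "medium"
        return {
            "severity": severity,
            "technique": "T1218.005",
            "reason": "mshta.exe executing a remote HTA",
            "url": match.group(0),
            "parent": parent,
        }
    # Local HTA from disk: low confidence, but still record the parent for triage.
    return {
        "severity": "low",
        "technique": "T1218.005",
        "reason": "mshta.exe executing a local HTA",
        "url": None,
        "parent": parent,
    }


def scan(events) -> list:
    """Run classify() over a sequence of events and collect the findings."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['reason']} (parent={f['parent']}, url={f['url']})")
```

The same two conditions (image name is mshta.exe; command line contains `http://` or `https://`) translate directly into a SIEM or EDR rule, with the parent-process check used to raise the severity rather than as a filter, since the page notes the binary is trusted and will also appear in benign local use.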