Fake Claude Code Installer Spreads Fileless .NET Infostealer via SEO Poisoning
Cybercriminals are exploiting the popularity of AI coding tools by creating fake Claude Code installation pages that appear in search results through SEO poisoning. Victims are tricked into running malicious commands disguised as installation steps, leading to the deployment of a sophisticated fileless .NET infostealer.


The attack uses a multi-stage infection chain that bypasses traditional security tools, AMSI scanning, and endpoint detection systems. Once executed, the malware runs entirely in memory, steals browser credentials and sensitive data, and communicates with attacker-controlled infrastructure for data exfiltration.
Researchers warn that the campaign specifically targets new developers and non-technical users searching for Claude Code installation guides. Users should only download software from official sources and avoid websites that request running commands through the Windows Run dialog as part of the installation process.
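As an added defensive check (not part of the article or of NPAV's product), the following PowerShell lists what the current user has recently typed into the Windows Run dialog, which Explorer records under the RunMRU registry key, and flags entries that resemble paste-and-run "installer" lures. The match patterns are assumed heuristics, since the article publishes no indicators for this campaign.

```powershell
# Added example, not from the original article or NPAV: reviews the current user's
# Run-dialog history (RunMRU) and flags commands that look like paste-and-run lures.
# The patterns below are generic heuristics, not indicators from this campaign.
function Get-SuspiciousRunMru {
    param(
        # Registry key where Explorer stores Run-dialog history
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
        # Assumed heuristic patterns (case-insensitive): script hosts, download cradles, encoding
        [string[]]$Patterns = @(
            'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'rundll32', 'regsvr32',
            'curl ', 'wget ', 'iwr ', 'invoke-webrequest', 'iex', 'invoke-expression',
            '-enc', 'frombase64string', 'downloadstring', 'http://', 'https://'
        )
    )
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-ItemProperty -Path $Path
    # MRUList is a string of value names ('a','b',...) in most-recent-first order
    $order = [string]$key.MRUList
    $results = foreach ($name in $order.ToCharArray()) {
        $raw = $key.PSObject.Properties[[string]$name].Value
        if (-not $raw) { continue }
        # Explorer appends "\1" to each stored command; strip it before matching
        $cmd = ($raw -replace '\\1$', '')
        $hits = $Patterns | Where-Object { $cmd -like "*$_*" }
        if ($hits) {
            [pscustomobject]@{
                Position = $order.IndexOf($name) + 1   # 1 = most recently run
                Command  = $cmd
                Matched  = ($hits -join ', ')
            }
        }
    }
    return $results
}

# Usage: review flagged entries; a normal Run history rarely contains download cradles
Get-SuspiciousRunMru | Format-Table -AutoSize
```

RunMRU only records what was typed into the Run dialog, so pair this with process-creation telemetry (for example, script hosts spawned by explorer.exe) to catch the same lure delivered through a terminal instead.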
NPAV Endpoint Security helps detect fileless malware, block malicious scripts, and protect users from credential-stealing attacks delivered through fake software downloads.