Fake Claude Code Installers Used to Deploy Sophisticated Infostealer
An active infostealer campaign is targeting software developers by using fake Claude Code installers to harvest sensitive browser data through the exploitation of Chrome's App-Bound Encryption.

Security researchers at Ontinue have identified an active infostealer campaign targeting software developers through deceptive search engine advertisements. The attackers are leveraging fake Claude Code installation pages to trick users into executing malicious PowerShell commands. Once initiated, the attack chain utilizes a native helper utility to exploit Chrome's App-Bound Encryption, specifically targeting the IElevator2 COM interface to bypass standard security protections (SecurityWeek).
The primary objective of this malware is the theft of sensitive browser data. By successfully interacting with the IElevator2 interface, the malicious payload can decrypt and extract saved passwords, session cookies, and payment information stored within Chromium-based browsers, including Google Chrome, Microsoft Edge, and Brave. Once harvested, this data is exfiltrated to attacker-controlled infrastructure (SecurityWeek).
According to the report from Ontinue, the malware does not align with any previously documented threat families. Security analysts have noted that the code is well-maintained, suggesting a sophisticated effort to sustain the campaign. The use of sponsored search results to distribute the fake installer allows the attackers to reach a broad audience of developers actively seeking productivity tools (SecurityWeek).
This campaign highlights a growing trend of threat actors abusing the trust developers place in search engine results to deliver sophisticated infostealers. By masquerading as legitimate software installers, attackers can bypass initial user skepticism and gain execution privileges on developer workstations, which often contain high-value credentials and access tokens for source code repositories and cloud environments.
Organizations are advised to monitor for suspicious PowerShell activity and to verify the authenticity of software installers before execution. Developers should be particularly cautious when clicking on sponsored links for development tools and should ensure that security software is configured to detect unauthorized attempts to access browser-stored credentials via COM interfaces (SecurityWeek).
The emergence of this campaign underscores the persistent risk posed by supply chain and distribution-based attacks. As attackers continue to refine their methods for bypassing browser-level encryption, the security of local development environments remains a critical concern for both individual developers and enterprise security teams. Future monitoring should focus on identifying new infrastructure associated with this campaign and tracking potential shifts in the malware's delivery mechanisms.
Ontinue's analysis reveals the stealer uses a 4608-byte native helper injected into browser processes to invoke the IElevator2 COM interface (introduced in Chrome 144) and recover the App-Bound Encryption key, a technique first seen in Glove Stealer. The PowerShell loader enumerates Chrome, Edge, Brave, Vivaldi, Perplexity Comet, and Arc, and establishes persistence via a scheduled task polling C2 every minute. A transcription error in the Edge IElevator2 IID creates a high-confidence detection signature, and the malware excludes CIS countries from infection. Ontinue recommends enforcing PowerShell Constrained Language Mode and script block logging to defend against this campaign.
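As an added example, not code from Ontinue's report or SecurityWeek's article: a small Python triage routine that applies the detection guidance above (PowerShell script block logging plus scheduled-task monitoring) to constructed Windows event records. The string indicators, the sample script block and the CLSID placeholder are assumptions for illustration, not artefacts observed in this campaign.

```python
import re

# Constructed sample events (not from the report): a SIEM-style export of
# PowerShell Script Block Logging (EventID 4104) and "task created" (EventID 4698).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Message": "Get-ChildItem .\\src -Recurse | Measure-Object"},
    {"EventID": 4104, "Message": (
        "$ls = Get-Content \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State\" | ConvertFrom-Json; "
        "$blob = $ls.os_crypt.app_bound_encrypted_key; "
        "$e = [Activator]::CreateInstance([Type]::GetTypeFromCLSID('{ELEVATOR-CLSID-PLACEHOLDER}')); "
        "$e.DecryptData($blob)")},
    {"EventID": 4698, "Message": (
        "A scheduled task was created. Task Content: <Task><Triggers><TimeTrigger>"
        "<Repetition><Interval>PT1M</Interval></Repetition></TimeTrigger></Triggers></Task>")},
]

# Assumed indicators for the chain described above: the Chromium key store file,
# its App-Bound Encryption key entry and the elevation COM call used to unwrap it.
ABE_INDICATORS = ("app_bound_encrypted_key", "ielevator", "decryptdata", "local state")

DURATION = re.compile(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?")

def iso_duration_seconds(text):
    """Convert a Task Scheduler ISO-8601 interval such as PT1M to seconds (None if unparsable)."""
    m = DURATION.fullmatch(text)
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s

def script_block_findings(message):
    """Return the ABE-related indicators present in one 4104 script block."""
    low = message.lower()
    return [i for i in ABE_INDICATORS if i in low]

def fast_polling_task(message, max_seconds=60):
    """True when a 4698 task definition repeats at most every max_seconds (minute-interval C2 polling)."""
    m = re.search(r"<Interval>([^<]+)</Interval>", message)
    secs = iso_duration_seconds(m.group(1)) if m else None
    return secs is not None and secs <= max_seconds

def triage(events):
    """Score events: key-store read plus elevator call is high; a minute-interval task is medium;
    both on the same host escalate to critical."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4104:
            hits = script_block_findings(ev["Message"])
            if "app_bound_encrypted_key" in hits and any(h in hits for h in ("ielevator", "decryptdata")):
                findings.append(("high", "script block reads ABE key and calls elevator", hits))
        elif ev["EventID"] == 4698 and fast_polling_task(ev["Message"]):
            findings.append(("medium", "scheduled task repeats every minute or faster", []))
    if {"high", "medium"} <= {f[0] for f in findings}:
        findings.append(("critical", "ABE key access combined with minute-interval persistence", []))
    return findings
```

Script block text only reaches the log when Script Block Logging is enabled, so the 4104 branch is empty on hosts where that policy is not enforced.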