{"id":13370,"date":"2026-06-04T10:03:41","date_gmt":"2026-06-04T10:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/04\/fake-claude-code-installer-via-google-sites-deliver-credential-stealing-malware\/"},"modified":"2026-06-04T10:03:41","modified_gmt":"2026-06-04T10:03:41","slug":"fake-claude-code-installer-via-google-sites-deliver-credential-stealing-malware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/04\/fake-claude-code-installer-via-google-sites-deliver-credential-stealing-malware\/","title":{"rendered":"Fake Claude Code Installer Via Google Sites Deliver Credential-Stealing Malware"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">Cybercriminals have found a new and clever way to exploit the growing popularity of AI developer tools. 
<\/p>\n<p class=\"wp-block-paragraph\">A recently identified campaign uses fake pages mimicking Claude Code and OpenAI Codex, hosted on trusted Google Sites infrastructure, to trick users into running commands that quietly steal their credentials and other sensitive personal data from their devices.<\/p>\n<p 
class=\"wp-block-paragraph\">The attack follows a technique known as ClickFix, where victims are shown what looks like a legitimate setup page and told to execute a short command. <\/p>\n<p class=\"wp-block-paragraph\">There is no file downloaded in the traditional sense. Instead, the entire malicious operation runs silently in memory, making it much harder for standard security tools to catch it in the act.<a href=\"https:\/\/www.rapid7.com\/blog\/post\/ve-clickfix-phishing-campaign-fake-claude-installer\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/app.any.run\/tasks\/698e0bd5-01b6-40fe-814c-5c0885cea645\/?utm_source=csn&amp;utm_medium=news&amp;utm_campaign=csn_claude_codex_clickfix&amp;utm_term=040626&amp;utm_content=csnnews\" id=\"https:\/\/app.any.run\/tasks\/698e0bd5-01b6-40fe-814c-5c0885cea645\/?utm_source=csn&amp;utm_medium=news&amp;utm_campaign=csn_claude_codex_clickfix&amp;utm_term=040626&amp;utm_content=csnnews\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Analysts at ANY.RUN said in a report<\/a> shared with\u00a0Cyber Security News (CSN)\u00a0that they identified this active ClickFix campaign impersonating popular AI tools, including both Codex and Claude. <\/p>\n<p class=\"wp-block-paragraph\">The researchers noted that because network activity appears as normal PowerShell traffic, the attack can significantly reduce visibility during the earliest stages of a system compromise.<\/p>\n<p class=\"wp-block-paragraph\">What makes this campaign stand out is how well it blends in. Google Sites pages carry the trust of a legitimate Google domain, and most users would not think twice before following instructions on such a page. 
<\/p>\n<p class=\"wp-block-paragraph\">\n<figure class=\"wp-block-embed is-type-rich is-provider-x wp-block-embed-x\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-x\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f6a8.png?ssl=1\" alt=\"\ud83d\udea8\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\"> \ud835\uddd9\ud835\uddee\ud835\uddf8\ud835\uddf2 \ud835\uddd6\ud835\uddf9\ud835\uddee\ud835\ude02\ud835\uddf1\ud835\uddf2 &amp; \ud835\uddd6\ud835\uddfc\ud835\uddf1\ud835\uddf2\ud835\ude05 \ud835\uddd7\ud835\uddf2\ud835\uddf9\ud835\uddf6\ud835\ude03\ud835\uddf2\ud835\uddff \ud835\udddc\ud835\uddfb-\ud835\udde0\ud835\uddf2\ud835\uddfa\ud835\uddfc\ud835\uddff\ud835\ude06 \ud835\udde6\ud835\ude01\ud835\uddf2\ud835\uddee\ud835\uddf9\ud835\uddf2\ud835\uddff: \ud835\uddd6\ud835\uddf9\ud835\uddf6\ud835\uddf0\ud835\uddf8\ud835\uddd9\ud835\uddf6\ud835\ude05 \ud835\ude03\ud835\uddf6\ud835\uddee \ud835\uddda\ud835\uddfc\ud835\uddfc\ud835\uddf4\ud835\uddf9\ud835\uddf2 \ud835\udde6\ud835\uddf6\ud835\ude01\ud835\uddf2\ud835\ude00<br \/><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/26a0.png?ssl=1\" alt=\"\u26a0\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\"> We\u2019re tracking a <a href=\"https:\/\/x.com\/hashtag\/ClickFix?src=hash&amp;ref_src=twsrc%5Etfw\">#ClickFix<\/a> campaign that mimics popular AI tools, including Codex and Claude, and abuses trusted Google Sites infrastructure\u2026 <a href=\"https:\/\/t.co\/BeiU03Stua\">pic.twitter.com\/BeiU03Stua<\/a><\/p>\n<p>\u2014 ANY.RUN (@anyrun_app) <a href=\"https:\/\/x.com\/anyrun_app\/status\/2062164959065231541?ref_src=twsrc%5Etfw\">June 3, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.x.com\/widgets.js\" 
charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p class=\"wp-block-paragraph\">The combination of a trusted hosting platform, a convincing lure, and a fully in-memory payload gives attackers a meaningful advantage over the people they target.<a href=\"https:\/\/pushsecurity.com\/blog\/installfix\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The impact of such an attack can be severe. <a href=\"https:\/\/cybersecuritynews.com\/cryptocore-cryptocurrency-scam-draining-wallets\/\" id=\"74531\" target=\"_blank\" rel=\"noreferrer noopener\">Stolen data includes saved browser passwords, email credentials, and cryptocurrency wallet<\/a> information, all of which are sent to attacker-controlled servers. <\/p>\n<p class=\"wp-block-paragraph\">Developers and professionals who regularly work with AI coding tools are at particular risk, since they are the most likely to follow command-line installation instructions without hesitation.<a href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2026\/05\/12\/developers-warned-as-fake-claude-code-installer-attacks-confirmed\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-fake-claude-code-installer-via-google-sites\" class=\"wp-block-heading\"><strong>Fake Claude Code Installer Via Google Sites<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Victims are directed to a Google Sites page designed to look like a legitimate Claude Code or Codex installation guide. <\/p>\n<p class=\"wp-block-paragraph\">Once there, they are told to execute an mshta command, a built-in Windows utility, to complete the setup process. 
That single action is all it takes to kick off the entire attack chain.<a href=\"https:\/\/www.rapid7.com\/blog\/post\/ve-clickfix-phishing-campaign-fake-claude-installer\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">From there, a multi-stage PowerShell sequence 
begins running in the background. One of the more technically interesting elements of this campaign is the use of steganography, where the malicious payload is hidden inside an image file and extracted only at runtime. <\/p>\n<p class=\"wp-block-paragraph\">This shellcode is then deployed and executed entirely inside a running PowerShell process, never touching the disk in a way that traditional antivirus tools would flag.<\/p>\n<p class=\"wp-block-paragraph\">The execution chain moves quickly and quietly: the Google Sites lure leads to the mshta command, which triggers PowerShell staging, which then extracts a hidden payload from an image, and finally runs shellcode in memory before pulling browser data, email credentials, and wallet information and exfiltrating everything to a remote attacker-controlled server.<\/p>\n<h2 id=\"h-steganography-and-in-memory-execution\" class=\"wp-block-heading\"><strong>Steganography and In-Memory Execution<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The use of steganography in this campaign reflects a broader shift in how attackers are designing their tools. <\/p>\n<p class=\"wp-block-paragraph\">By hiding shellcode inside image pixels rather than using standalone executable files, the attackers reduce the number of artifacts left behind on a victim\u2019s machine. 
Security Operations Center teams are left with very little to investigate after the fact.<a href=\"https:\/\/www.mishcon.com\/news\/from-clipboard-to-compromise-steganographic-techniques-observed-in-clickfix-campaign\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\"><a 
href=\"https:\/\/cybersecuritynews.com\/new-xworm-v6-variant-injects-malicious-code\/\" id=\"128810\" target=\"_blank\" rel=\"noreferrer noopener\">Since the malicious process runs inside a legitimate Windows program<\/a> like PowerShell, network monitoring tools may interpret the outbound traffic as entirely routine activity. <\/p>\n<p class=\"wp-block-paragraph\">This level of operational camouflage is part of what makes this campaign particularly difficult to defend against without behavioral detection in place.<a href=\"https:\/\/www.mishcon.com\/news\/from-clipboard-to-compromise-steganographic-techniques-observed-in-clickfix-campaign\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Security researchers recommend treating any webpage that asks you to copy and paste a command with a high level of suspicion, even if the site looks official. <\/p>\n<p class=\"wp-block-paragraph\">Users should always verify installation instructions through a tool\u2019s official documentation or its original GitHub repository rather than following prompts from search results or unfamiliar websites. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/hackers-using-ai-red-team-tools\/\" id=\"151766\" target=\"_blank\" rel=\"noreferrer noopener\">Organizations should also deploy endpoint detection tools<\/a> capable of behavioral analysis, which can identify suspicious PowerShell activity even when no traditional malware file is written to disk.<\/p>\n<p class=\"wp-block-paragraph\" id=\"h-indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The source material did not include specific file hashes, IP addresses, or domains in directly extractable form. 
<\/p>\n<p class=\"wp-block-paragraph\">However, the ANY.RUN sandbox analysis sessions referenced in the source provide the following trackable artifacts:<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>URL<\/td>\n<td><code>sites.google.com\/view\/clau-ver-un-24<\/code><\/td>\n<td>Google Sites lure page impersonating Claude Code installer<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td><code>app.any.run\/tasks\/698e0bd5-01b6-40fe-814c-5c0885cea645<\/code><\/td>\n<td>ANY.RUN sandbox analysis session for Claude lure<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td><code>app.any.run\/tasks\/151cfb30<\/code><\/td>\n<td>ANY.RUN sandbox analysis session for Codex lure<\/td>\n<\/tr>\n<tr>\n<td>Process<\/td>\n<td><code>mshta.exe<\/code><\/td>\n<td>Windows utility abused to initiate the ClickFix attack chain<\/td>\n<\/tr>\n<tr>\n<td>Process<\/td>\n<td><code>powershell.exe<\/code><\/td>\n<td>Used for multi-stage payload delivery and in-memory shellcode execution<\/td>\n<\/tr>\n<tr>\n<td>Tactic<\/td>\n<td>ClickFix via Google Sites<\/td>\n<td>Social engineering lure directing victims to execute mshta command<\/td>\n<\/tr>\n<tr>\n<td>Data Target<\/td>\n<td>Browser, email, crypto wallets<\/td>\n<td>Categories of credentials stolen and exfiltrated to C2 infrastructure<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/fake-claude-code-installer-via-google-sites\/\">Fake Claude Code Installer Via Google Sites Deliver Credential-Stealing Malware<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fake Claude Code Installer Via Google Sites Deliver Credential-Stealing Malware Cybercriminals have found a new and clever way to exploit the growing popularity of AI developer tools. 
A recently identified campaign uses fake pages mimicking Claude Code and OpenAI Codex, hosted on trusted Google Sites infrastructure, to trick users into running commands that quietly steal [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13370","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13370"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13370"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13370\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}