#threatreport #HighCompleteness Bad Ads, Worse Binaries: Fake Claude Code Installer Drops Infostealer | 28-05-2026
Source: cyderes.com/howler-cell/fake…
Key details below ↓
💀Threats: Lorem_ipsum, Seo_poisoning_technique, Clickfix_technique, Amsi_bypass_technique, Bloat_technique, Cobalt_strike_tool, Donut, Sharpsploit, Medusalocker
🎯Victims: Claude code users, Small business, Education, Entrepreneurs
🏭Industry: Software_development, Transport
🌐Geo: Russian
📚TTPs: ⚔️Tactics: 3 🛠️Technics: 10
🧨IOCs: - IP: 2 - File: 6 - Domain: 2 - Url: 2
💽Software: Claude, Anthropic, NET Framework, Event Tracing for Windows
🔢Algorithms: md5, xor, base64, rc4
📜Programming Languages: powershell
#threatreport: Howler Cell has uncovered a sophisticated SEO poisoning campaign that targets users looking for Claude Code installation guides. This attack vector involved placing a counterfeit installation page at the top of search results, where unwitting users might click through, believing they were following legitimate setup instructions. By employing a ClickFix lure, attackers prompted victims to execute a malicious MSHTA command via the Windows Run dialog. The delivery chain comprises six intricate stages, becoming fileless after the initial execution stage, making it adept at circumventing traditional detection methods such as file inspection and endpoint detection response (EDR) telemetry. The final payload, a reflective .NET-based infostealer, communicates with Russian infrastructure for credential exfiltration, specifically targeting sensitive information using HTTPS. The initial access point exploits SEO poisoning, where a victim searching for how to install Claude Code mistakenly clicks a fraudulent link that resembles a legitimate download page. The ClickFix technique effectively leverages the target's lack of experience, as first-time users are lulled into pasting commands they presume to be part of standard installation procedures.
Notably, the trusted installation guide provided no immediate distinguishing features to trigger skepticism. In the second stage of the attack chain, the HTA file creates a scheduled task that invokes cmd.exe with a PowerShell loader. This loader incorporates various evasion techniques, such as avoiding static signature detection through split variable reconstructions and dynamically referencing script payloads to establish persistence. The PowerShell execution bypasses AMSI (Anti-Malware Scan Interface) protections and fingerprints victims to devise unique subdomains for further payload delivery. The subsequent stage, which retrieves and executes a significantly large PowerShell script from a malicious per-victim subdomain, employs extensive obfuscation tactics. The 17 MB script not only exceeds typical legitimate file sizes but also contains intricate layers of encoded byte arrays and variables that challenge standard static analysis approaches. This file size is purposely designed to strain analytical tools and evade detection during sandbox testing. In the final stage, the attack culminates in the execution of a reflective .NET infostealer entirely in-memory, thus leaving no discernible traces on disk. Unlike typical malware that writes files to disk, this infostealer operates within the PowerShell process address space, loading managed code directly from memory—which complicates detection efforts even further. The attackers meticulously designed their approach to evade various detection measures, including AMSI, DNS reputation monitoring, and process-based heuristics. The overall campaign stands out not for the novelty of each individual technique, but rather for its targeting of a rapidly growing demographic of non-technical users who possess limited awareness of potential threats, alongside the strategic positioning of malicious content within search engine results.
Walk-through of Jack Halon's "Utilizing Syscalls in C# — Part 2" post: building a direct-syscall NtCreateFile PoC in C# .NET 3.5, extracting the syscall stub from ntdll in WinDbg, mapping it as executable memory with VirtualProtect, invoking it through a P/Invoke delegate, and verifying via Process Monitor that the call goes straight to the kernel without touching ntdll's NtCreateFile prologue. core-jmp.org/2026/06/red-tea… #NET #C# #DefenseEvasion #DirectSyscalls #EDR #EDRBypass #EDREvasion #NativeAPI #NtCreateFile #PInvoke #ProcessInjection #RedTeaming #SharpSploit #Syscalls #SysWhispers #WinDBG
17 Dec 2025
I just brought an old friend back to life. Added .NET 4.8 support, removed a ton of old functions that had embedded projects and used the SharpSploit library, and rebuilt the command options to use PInvoke with no extra dependencies; all of that has been stripped. Funny using it after quite some time, still detected because of the names 🤣 but that can change. #redteam
Replying to @C5pider @0gtweet
Similar approach to what I put into SharpSploit years ago. Though the CLR does the heavy lifting. github.com/cobbr/SharpSploit…
17 Jan 2022
Did something kinda wild and tried to generate Python type stubs for the .NET/Core frameworks to use with pythonnet cause I was tired of not having autocomplete. Also tested Sharpsploit for no real reason. github.com/daddycocoaman/dot… github.com/daddycocoaman/PyS… Mostly works. 🤷🏿‍♂️
Tomorrow's stream we will look into an older project of mine, NetLoader! Just pushed the un-obfuscated source code, as well as SharpSploit implementation. Join me Sunday at 16:00 UTC twitch.tv/flangvik
21 Jun 2021
Post exploitation frameworks and tools:
1. p0wnedShell
2. metasploit
3. empire
4. pupy
5. Bashark
6. merlin
7. linenum
8. SharpSploit
9. Ghost
10. SILENTTRINITY
11. shad0w
12. PoshC2
13. mimikittenz
14. rtfm
15. cobalt strike
Replying to @pry0cc
SafetyKatz? SharpDump? SharpDPAPI? SharpSploit?
Dynamic invocation (also known as D/Invoke), a sub-branch of the popular "SharpSploit" project, can help with evading those pesky EDRs and executing your payloads successfully. Defeating EDRs using D/Invoke youtu.be/d_Z_WV9fp9Q via @YouTube
Defender's memory scan trigger is done at kernel level when certain syscalls are made. No amount of direct syscalls is going to help you there, I'm afraid. It's probably triggering on SharpSploit in memory.
20 Nov 2020
Our lab rats have been busy! 🔥🐀 In our latest post, @Jean_Maes_1994 explains how D/Invoke can be used to bypass hooking. Shoutout to @cobbr_io for the Sharpsploit project, @Fuzzysec and @TheRealWover for their work on D/Invoke blog.nviso.eu/2020/11/20/dyn…
13 Nov 2020
Process Injection using CreateProcess and QueueUserAPC to inject in a new process. Using D/Invoke, compatible with Gadget2Jscript. Thx to @Flangvik for inspiration, @am0nsec for guidance and @TheRealWover and @FuzzySec for SharpSploit :) gist.github.com/jfmaes/94499…
@_xpn_ "so I spent a few nights" = invented a new C# injection method @byt3bl33d3r What would the world be without CME? @cobbr_io SharpSploit & Covenant, C# monster! @TheRealWover The only Donut for #RedTeamFit ! @matterpreter But HOW??? -> DefenderChecker -> "Ahhhhhhh"
24 Aug 2020
Reimplemented shellcode injection via process hollowing using the new(ish) DInvoke tooling from SharpSploit. Got me around Defender and Symantec for some recent engagements. It's super easy to implement in existing tools. github.com/passthehashbrowns…
Great stuff! Below is the same example, including the needed code carved out of SharpSploit. Minimalistic: gist.github.com/Flangvik/4c1…
I wrote a short primer for transitioning from P/Invoke to D/Invoke in offensive tooling. Shoutout to @TheRealWover and @FuzzySec rastamouse.me/blog/process-i…
10 Jun 2020
Emulating Covert Operations - Dynamic Invocation (Avoiding PInvoke & API Hooks) : thewover.github.io/Dynamic-I… credits @TheRealWover SharpSploit : Bypassing API Hooks via DInvoke and Manual Mapping from The Wover : vimeo.com/406589341