📃Title: InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
📅Date: 2026-05-05
🔗References:
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: malware-analysis
- sub-category: campaign-analysis
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer= Trend-Micro
- target-information="Malaysia"
- target-information="Netherlands"
- target-information="Thailand"
- target-information="United States"
- sector="Education"
- sector="Electronic"
- sector="Food"
- sector="Government, Administration"
- mitre-attack-pattern=['T1559.001', 'T1562', 'T1583.008', 'T1218.005', 'T1027', 'T1059.001', 'T1566.002', 'T1059.005']
MISP event uuid: e30b1a07-b830-46e2-bf69-e67eee29d4af
Indicators of Compromise (IoCs)
type,value,comment
md5, 45029deaf9033802d08b5f82b77978fa, 'claude.msixbundle (ZIP/HTA polyglot, Stage 2)'
md5, 67640d4378e7c13110c7ee268c667c43, 'Final shellcode'
md5, d62297e291f43469181785a9d9131e37, 'cloude-91267b64-989f-49b4-89b4-984e0154d4d1 (Stage 4 fileless payload)'
hostname, download-version.1-5-8.com, 'Payload host (Stage 2) - Disease vector'
hostname, hosted-by.yeezyhost.net, 'Resolves to 77[.]91[.]97[.]244 - Disease vector'
ip-dst, 77.91.97.244, 'C&C attempt over TCP/443; resolves to hosted-by.yeezyhost[.]net'
domain, oakenfjrod.ru, 'C&C domain (Stage 4) - Disease vector'
url, https://download-version.1-5-8.com/claude.msixbundle, 'Disease vector'
url, oakenfjrod.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1, 'Disease vector'
ip-dst, 185.177.239.255, 'Outbound - C&C server'
ip-dst, 104.21.0.95, 'Outbound - Untested'
Full IOCs available in Rectifyq’s MISP
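Added example (not part of this record or of the Trend Micro report it summarises): a Python sweep that parses the IoC rows above, refangs `[.]` / `hxxp` notation so pasted indicators compare equal to live log values, and matches constructed proxy-log lines against the hostname, domain, IP and URL indicators. The six-field log format, the 10.0.0.x / 203.0.113.x addresses and the sample log lines are assumptions made up for the demonstration; only the indicator values come from the record.

```python
"""IoC sweep for the indicators in this record (added example, not tooling from
the page or the report it summarises): load the CSV rows above, refang defanged
notation, and sweep constructed proxy-log lines against them."""
import csv
import io
import re
from urllib.parse import urlsplit

# Indicator values from the record above. Comments are single-quoted and may
# contain commas, so the CSV reader below is configured for that quoting.
IOC_CSV = """\
type,value,comment
md5, 45029deaf9033802d08b5f82b77978fa, 'claude.msixbundle (ZIP/HTA polyglot, Stage 2)'
md5, 67640d4378e7c13110c7ee268c667c43, 'Final shellcode'
md5, d62297e291f43469181785a9d9131e37, 'Stage 4 fileless payload'
hostname, download-version.1-5-8.com, 'Payload host (Stage 2)'
hostname, hosted-by.yeezyhost.net, 'Resolves to 77.91.97.244'
ip-dst, 77.91.97.244, 'C&C attempt over TCP/443'
domain, oakenfjrod.ru, 'C&C domain (Stage 4)'
url, https://download-version.1-5-8.com/claude.msixbundle, 'Stage 2 payload URL'
url, oakenfjrod.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1, 'Stage 4 payload URL'
ip-dst, 185.177.239.255, 'Outbound C&C server'
ip-dst, 104.21.0.95, 'Outbound, untested'
"""

# Defanging forms and their live equivalents, applied in this order.
_REFANG = [(re.compile(r"\[\.\]|\(\.\)"), "."),
           (re.compile(r"^hxxp", re.IGNORECASE), "http")]

def refang(value):
    """Undo defanging so pasted indicators compare equal to live log values."""
    value = value.strip()
    for pattern, replacement in _REFANG:
        value = pattern.sub(replacement, value)
    return value

def normalize_url(url):
    """Scheme-insensitive 'host/path' form; one URL indicator above has no scheme."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.netloc.lower() + (parts.path or "/")

def load_iocs(text):
    """Parse the CSV into {indicator_type: set(normalised values)}."""
    iocs = {}
    reader = csv.reader(io.StringIO(text), quotechar="'", skipinitialspace=True)
    next(reader)  # skip the header row
    for row in reader:
        if len(row) < 2:
            continue
        kind, value = row[0].strip().lower(), refang(row[1])
        if kind == "url":
            value = normalize_url(value)
        else:  # hostnames, domains, IPs and hashes compare case-insensitively
            value = value.lower().rstrip(".")
        iocs.setdefault(kind, set()).add(value)
    return iocs

def host_matches(host, iocs):
    """Return the hostname/domain indicator that host equals or is a subdomain of."""
    host = refang(host).lower().rstrip(".")
    for kind in ("hostname", "domain"):
        for ioc in iocs.get(kind, ()):
            if host == ioc or host.endswith("." + ioc):
                return ioc
    return None

def sweep_proxy_log(log_text, iocs):
    """Assumed format 'ts src_ip dst_ip host url status'; returns
    [(line_no, {field: matched_indicator})] for each line that hits."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue
        dst_ip, host, url = fields[2], fields[3], fields[4]
        found = {}
        if dst_ip in iocs.get("ip-dst", ()):
            found["ip-dst"] = dst_ip
        matched_host = host_matches(host, iocs)
        if matched_host:
            found["host"] = matched_host
        if url != "-" and normalize_url(url) in iocs.get("url", ()):
            found["url"] = normalize_url(url)
        if found:
            hits.append((line_no, found))
    return hits

# Constructed sample log: a workstation fetching the fake installer. Source and
# non-indicator destination addresses are RFC 1918 / TEST-NET placeholders.
SAMPLE_PROXY_LOG = """\
2026-05-04T10:12:03Z 10.0.0.21 203.0.113.5 www.example.com https://www.example.com/download 200
2026-05-04T10:12:41Z 10.0.0.21 203.0.113.10 download-version.1-5-8.com hxxps://download-version.1-5-8[.]com/claude.msixbundle 200
2026-05-04T10:13:05Z 10.0.0.21 77.91.97.244 hosted-by.yeezyhost.net - 0
2026-05-04T10:13:40Z 10.0.0.21 185.177.239.255 oakenfjrod.ru http://oakenfjrod.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1 200
2026-05-04T10:14:02Z 10.0.0.22 203.0.113.7 cdn.example.net https://cdn.example.net/app.js 200
"""
```

Run as `sweep_proxy_log(SAMPLE_PROXY_LOG, load_iocs(IOC_CSV))`: lines 2, 3 and 4 of the sample hit, each reporting which of the destination IP, host and URL matched. Hostnames are matched as exact or subdomain hits so a new label under a listed domain still fires, and URLs are compared without their scheme because the Stage 4 URL in the record is listed without one; the MD5 set in the returned dictionary can be checked the same way against hashes from an EDR or file-scan export.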