2026-05-135 minhigh

Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do

Threat actors are actively exploiting the recent Claude Code packaging error by hosting fake GitHub repositories that distribute trojanized archives. These archives contain a Rust-compiled dropper that deploys Vidar, GhostSocks, and PureLog Stealer to harvest credentials and establish residential proxies on compromised Windows systems.

Sens:■ ImmediateConf:highAnalyzed:2026-04-07reports

Authors: Jacob Santos

Actorsidbzoomh1idbzoomhVidarGhostSocksPureLog Stealer

GitHub Lure PureLog Stealer GhostSocks Vidar Claude Code

Source:Trend Micro

IOCs · 5

domain
rti[[.]]cargomanbd[[.]]comVidar C2 server
url
hxxps[:]//github[.]com/leaked-claude-code/leaked-claude-code/releases/download/leaked-claude-code/Claude_code_x64[.]7zCurrent payload download URL
url
hxxps://github[[.]]com/leaked-claude-code/leaked-claude-codeMalicious GitHub repository acting as the primary distribution hub
url
pastebin[.]com/raw/mcwWi1UeMalicious infrastructure / Disease Vector
url
snippet[.]host/efguhk/rawMalicious infrastructure / Disease Vector

Key Takeaways

Attackers exploited the Claude Code packaging error to distribute malware via fake GitHub repositories.
Payloads include Vidar, GhostSocks, and PureLog Stealer, enabling credential theft and residential proxy abuse.
The campaign uses trojanized archives containing a Rust-compiled dropper.
Threat actors are actively cycling through over 25 software brands to distribute these payloads.

Affected Systems

Windows

Attack Chain

Threat actors lure victims to malicious GitHub repositories masquerading as leaked Claude Code source code. Victims download a trojanized 7z archive containing a Rust-compiled dropper (e.g., ClaudeCode_x64.exe). Upon execution, the dropper uses PowerShell to disable Windows Defender and bypass AMSI, while establishing persistence via Registry Run keys and Scheduled Tasks. Finally, it deploys Vidar, GhostSocks, and PureLog Stealer to exfiltrate credentials to attacker-controlled C2 servers and establish a SOCKS5 proxy on the victim's machine.

Detection Availability

YARA Rules: No
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: No
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: Yes
Platforms: TrendAI Vision One

TrendAI Vision One provides specific hunting queries for malware detection events and C2 communication, alongside behavioral OAT alerts.

Detection Engineering Assessment

EDR Visibility: High — The attack involves multiple process executions (Rust dropper, PowerShell, schtasks), registry modifications, and AMSI/Defender tampering, which are highly visible to modern EDRs. Network Visibility: Medium — C2 communication and proxy traffic (GhostSocks on specific ports) can be detected, though initial downloads are over HTTPS from legitimate services like GitHub. Detection Difficulty: Moderate — While the initial lure uses legitimate platforms (GitHub), the subsequent behavior (disabling Defender, establishing proxies, dropping known stealers) generates significant noise.

Required Log Sources

Process Creation (Event ID 4688 / Sysmon 1)
PowerShell Operational Logs (Event ID 4104)
Network Connections (Sysmon 3)
Registry Events (Sysmon 12, 13, 14)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for unexpected inbound network connections on TCP ports 57001, 57002, and 56001, which may indicate GhostSocks proxy activity.	Network flow logs, Host firewall logs	Command and Control	Low
Identify PowerShell executions containing commands to disable Windows Defender, modify firewall rules, or bypass AMSI, especially when spawned by unusual parent processes like extracted archive executables.	Process creation logs, PowerShell script block logging	Defense Evasion	Low
Monitor for the creation of suspicious executables (e.g., ClaudeCode_x64.exe, TradeAI.exe) in %TEMP% or %APPDATA% directories followed by outbound network connections.	File creation logs, Process creation logs	Execution	Medium

Control Gaps

Lack of strict application control allowing execution of unsigned binaries from user directories
Permissive outbound network filtering allowing connections to unknown domains/paste sites

Key Behavioral Indicators

PowerShell spawned with hidden windows and encoded commands
Modifications to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Creation of scheduled tasks by non-system processes

False Positive Assessment

Low. The combination of specific file names (ClaudeCode_x64.exe), known malicious C2 domains, and aggressive defense evasion behaviors (disabling Defender) provides high-fidelity detection opportunities.

Recommendations

Immediate Mitigation

Block known C2 domains and URLs at the network perimeter.
Search endpoints for the presence of TradeAI.exe, ClaudeCode_x64.exe, or Claude_Code_x64.exe.
Rotate all credentials on potentially compromised machines, including browser passwords, crypto wallets, and API/SSH keys.

Infrastructure Hardening

Implement firewall rules to block unexpected inbound connections on TCP ports 57001, 57002, and 56001.
Restrict execution of unapproved binaries from %TEMP% and %APPDATA% directories.

User Protection

Ensure endpoint protection agents are updated with the latest signatures (e.g., Smart Scan Agent Pattern 20.863 or later).
Enable AMSI and tamper protection for Windows Defender to prevent unauthorized disabling.

Security Awareness

Educate developers and researchers about the risks of downloading unverified code from unofficial GitHub repositories, especially during high-profile leaks or incidents.

MITRE ATT&CK Mapping

T1189 - Drive-by Compromise
T1059.001 - Command and Scripting Interpreter: PowerShell
T1562.001 - Impair Defenses: Disable or Modify Tools
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1053.005 - Scheduled Task/Job: Scheduled Task
T1090 - Proxy
T1552.001 - Unsecured Credentials: Credentials In Files

Additional IOCs

Domains:
- rti[[.]]cargomanbd[[.]]com - Vidar C2 server
Urls:
- hxxps://github[[.]]com/leaked-claude-code/leaked-claude-code - Malicious GitHub repo
- hxxps[:]//github[.]com/leaked-claude-code/leaked-claude-code/releases/download/leaked-claude-code/Claude_code_x64[.]7z - Payload download
- pastebin[.]com/raw/mcwWi1Ue - Malicious infrastructure
- snippet[.]host/efguhk/raw - Malicious infrastructure
Registry Keys:
- HKLM\SOFTWARE\M...\Run - Observed persistence mechanism via Run key (from execution profile image)
File Paths:
- %TEMP% - Potential drop location for extracted executables
- %APPDATA% - Potential drop location for extracted executables
Command Lines:
- Purpose: Disable Windows Defender and bypass AMSI | Tools: powershell.exe | Stage: Defense Evasion | powershell.exe" -NoProfile -No...
- Purpose: Establish persistence via Scheduled Tasks | Tools: schtasks.exe | Stage: Persistence | schtasks.exe
Other:
- blactethe1061@outlook.com - Threat actor email
- idbzoomh1 - Threat actor GitHub account
- TCP 57001, 57002, 56001 - GhostSocks proxy inbound connection ports
- TradeAI.exe - Dropper executable name
- Claude_Code_x64.exe - Dropper executable name
- OneSync.exe - Observed process in execution chain
- EdgeUpdateSvc.exe - Observed process in execution chain
- localvideo.exe - Observed process in execution chain
- OneDriveSync.exe - Observed process in execution chain