Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
Following an accidental source code leak of Anthropic's Claude Code via npm, threat actors rapidly deployed fake GitHub repositories to distribute a Rust-compiled dropper. This dropper, part of a broader rotating-lure campaign, deploys Vidar stealer and GhostSocks proxy while utilizing extensive anti-analysis checks and PowerShell to disable Windows Defender.
Authors: Jacob Santos, Sophia Nilette Robles, Jeffrey Francis Bonaobra
Source: Trend Micro
- domain: rti[.]cargomanbd[.]com - Vidar C&C server identified in hunting queries
- url: github[.]com/leaked-claude-code/leaked-claude-code - Malicious GitHub repository distributing trojanized payloads
- url: hxxps://pastebin[.]com/raw/mcwWi1Ue - Primary driver list URL used by the dropper for C2 communication
- url: hxxps://snippet[.]host/efguhk/raw - Backup driver list URL used by the dropper for C2 communication
Key Takeaways
- Anthropic accidentally leaked internal Claude Code source via an npm package misconfiguration, exposing 512,000 lines of code.
- Threat actors weaponized the leak within 24 hours, distributing Vidar stealer and GhostSocks proxy via fake GitHub repositories.
- The campaign uses a Rust-compiled dropper (TradeAI.exe) with extensive anti-analysis, VM detection, and sandbox evasion techniques.
- An embedded PowerShell payload systematically disables Windows Defender features and modifies firewall rules to allow C2 communication.
- The leaked source code itself poses long-term risks, including vulnerability discovery and prompt injection blueprinting.
Affected Systems
- Windows
- Developer Environments
- Gaming PCs
Attack Chain
Victims are lured to fake GitHub repositories promising leaked Claude Code or other popular software. They download a trojanized 7z archive containing a Rust-compiled dropper (e.g., TradeAI.exe). Upon execution, the dropper performs extensive anti-analysis checks, decrypts an embedded PowerShell payload to disable Windows Defender and modify firewall rules, and establishes C2 communication. Finally, it deploys Vidar stealer to exfiltrate credentials and GhostSocks to establish a proxy on the infected host.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: TrendAI Vision One
TrendAI Vision One provides specific hunting queries to detect Vidar and GhostSocks malware events, as well as network connections to known C&C servers like rti.cargomanbd.com.
Detection Engineering Assessment
- EDR Visibility: High. The malware relies heavily on PowerShell to modify Defender settings and firewall rules, which are highly visible in EDR telemetry (AMSI, process creation, registry modifications).
- Network Visibility: Medium. C2 communication uses standard HTTP/HTTPS to Pastebin and snippet.host, which may blend with legitimate traffic, but the specific URLs and fallback mechanisms can be monitored.
- Detection Difficulty: Moderate. The Rust dropper's anti-analysis and XOR encryption make static analysis difficult, but the noisy PowerShell execution to disable Defender provides strong behavioral detection opportunities.
Required Log Sources
- Process Creation (Event ID 4688)
- PowerShell Operational (Event ID 4104)
- Windows Defender Operational
- Windows Firewall Operational
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for PowerShell execution containing multiple Add-MpPreference commands to add exclusions for common directories like C:\Users or $env:TEMP. | PowerShell Script Block Logging (Event ID 4104) | Defense Evasion | Low |
| Identify processes querying the HARDWARE\DESCRIPTION\System\CentralProcessor\0 registry key followed by outbound network connections to pastebin.com or snippet.host. | EDR Process and Network Events | Discovery / Command and Control | Medium |
| Monitor for the creation of inbound TCP firewall rules for ports 57001, 57002, or 56001 via PowerShell. | Windows Firewall Logs / EDR Command Line | Defense Evasion | Low |
| Detect execution of binaries with names matching popular AI tools (e.g., ClaudeCode_x64.exe) originating from extracted 7z archives in user download directories. | EDR File Creation and Process Execution | Execution | Low |
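
As an added example (not Trend Micro's hunting query and not code from the original report), the first and third hypotheses can be written as a scorer over Event ID 4104 ScriptBlockText, using the Defender switches, exclusion paths and ports listed on this page. The function name, the sample script blocks and the alert thresholds are assumptions made for the example.

```python
import re

# Switch/value pairs this page lists as Defender tampering.
TAMPER_SWITCHES = {
    "maps_reporting_off": r"-MAPSReporting\s+0\b",
    "block_at_first_seen_off": r"-DisableBlockAtFirstSeen\s+\$true",
    "sample_submission_off": r"-SubmitSamplesConsent\s+NeverSend",
    "cloud_block_level_0": r"-CloudBlockLevel\s+0\b",
    "pua_protection_off": r"-PUAProtection\s+disable",
    "ioav_protection_off": r"-DisableIOAVProtection\s+\$true",
    "behavior_monitoring_off": r"-DisableBehaviorMonitoring\s+\$true",
    "powershell_excluded": r"-ExclusionProcess\s+['\"]?powershell\.exe",
}
# Exclusion paths and inbound ports named on this page (paths lower-cased).
BROAD_PATHS = {r"c:\users", "$env:temp", r"c:\programdata",
               r"c:\onedrivetemp", r"c:\users\public", r"c:\windows"}
C2_PORTS = {"57001", "57002", "56001"}
TOKEN = re.compile(r"""['"]([^'"]+)['"]|([^\s,;'"]+)""")  # quoted or bare argument

def analyze_script_block(text):
    """Score one Event ID 4104 ScriptBlockText for Defender/firewall tampering."""
    text = re.sub(r"`\r?\n", " ", text)  # join backtick line continuations
    switches, paths, ports = set(), set(), set()
    for stmt in re.split(r"[;\r\n]+", text):
        switches |= {n for n, p in TAMPER_SWITCHES.items() if re.search(p, stmt, re.I)}
        excl = re.search(r"-MpPreference\b.*?-ExclusionPath\s+(.+)", stmt, re.I)
        if excl:
            args = {(q or b).lower().rstrip("\\") for q, b in TOKEN.findall(excl.group(1))}
            paths |= args & BROAD_PATHS
        if re.search(r"New-NetFirewallRule\b.*-Direction\s+Inbound", stmt, re.I) \
                and re.search(r"-Protocol\s+TCP", stmt, re.I):
            local = re.search(r"-LocalPort\s+([\d,\s]+)", stmt, re.I)
            if local:
                ports |= C2_PORTS & set(re.findall(r"\d+", local.group(1)))
    # Assumed thresholds: one exclusion or one switch alone is common admin activity.
    alert = len(switches) >= 2 or len(paths) >= 2 or bool(ports)
    return {"alert": alert, "switches": sorted(switches),
            "paths": sorted(paths), "ports": sorted(ports)}

# Constructed sample script blocks (not captured from the malware).
SAMPLE_TAMPER = r"""Set-MpPreference -DisableBehaviorMonitoring $true -MAPSReporting 0
Add-MpPreference -ExclusionPath 'C:\Users', $env:TEMP, 'C:\ProgramData'
New-NetFirewallRule -DisplayName 'svc' -Direction Inbound `
  -Protocol TCP -LocalPort 57001,57002 -Action Allow"""
SAMPLE_ADMIN = r"Add-MpPreference -ExclusionPath 'D:\build\cache'"

if __name__ == "__main__":
    for name, block in (("tamper", SAMPLE_TAMPER), ("admin", SAMPLE_ADMIN)):
        print(name, analyze_script_block(block))
```

Script block logging splits large scripts across several 4104 events, so in practice the fragments sharing one ScriptBlockId should be concatenated before scoring.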
Control Gaps
- Lack of strict application control allowing execution of unsigned binaries from user directories
- Permissive outbound network access to paste sites
Key Behavioral Indicators
- PowerShell disabling Defender features (-DisableBlockAtFirstSeen, -MAPSReporting 0)
- Environment variable 'cryptify_keyd3d' usage
- Process tree: svchost.exe -> ClaudeCode_x64.exe -> powershell.exe
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block access to the identified C2 URLs and domains.
- Search endpoints for files named ClaudeCode_x64.exe, TradeAI.exe, or related 7z archives.
- Isolate hosts showing signs of Vidar or GhostSocks infection.
Infrastructure Hardening
- Restrict execution of unsigned binaries from user profile directories.
- Implement strict outbound firewall rules to block unnecessary access to paste sites and untrusted domains.
- Ensure Windows Defender Tamper Protection is enabled to prevent malicious PowerShell scripts from disabling security features.
User Protection
- Deploy EDR solutions with behavioral monitoring to catch anti-analysis and Defender tampering activities.
- Enforce policies requiring developers to install tools only from official, verified sources.
Security Awareness
- Train developers and users on the risks of downloading software from unverified GitHub repositories or third-party links.
- Highlight the specific tactic of threat actors using trending topics (like leaked source code) as lures.
MITRE ATT&CK Mapping
- T1608.001 - Stage Capabilities: Upload Malware
- T1585.003 - Establish Accounts: Social Media Accounts
- T1566.002 - Phishing: Spearphishing Link
- T1204.002 - User Execution: Malicious File
- T1027 - Obfuscated Files or Information
- T1497.001 - Virtualization/Sandbox Evasion: System Checks
- T1555 - Credentials from Password Stores
- T1005 - Data from Local System
- T1102.001 - Web Service: Dead Drop Resolver
- T1090.003 - Proxy: Multi-hop Proxy
- T1041 - Exfiltration Over C2 Channel
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1059.001 - Command and Scripting Interpreter: PowerShell
Additional IOCs
- Domains:
  - rti[.]cargomanbd[.]com - Vidar C&C server
- URLs:
  - github[.]com/Kawaii-GPT-ai/KawaiiGPT/releases/ - KawaiiGPT lure repository
  - github[.]com/ai-wormGPT/wormGPT/releases/ - WormGPT lure repository
  - github[.]com/claude-ai-opus-4-6/claude-opus-4.6/releases/ - Claude Opus 4.6 lure repository
  - github[.]com/realtime-voice-changer-app/realtime-voice-changer/releases/ - Voicemod lure repository
  - github[.]com/LTX-desktop/LTX-2.3/releases/ - LTX video editor lure repository
  - github[.]com/nvidia-nemoclaw/NemoClaw/releases/ - NVIDIA NemoClaw lure repository
- Registry Keys:
  - HARDWARE\DESCRIPTION\System\CentralProcessor\0 - Queried by malware to collect CPU information
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Targeted for persistence (observed in execution profile)
- File Paths:
  - C:\Users - Added to Windows Defender exclusion paths
  - $env:TEMP - Added to Windows Defender exclusion paths
  - C:\ProgramData - Added to Windows Defender exclusion paths
  - C:\OneDriveTemp - Added to Windows Defender exclusion paths
  - C:\Users\Public - Added to Windows Defender exclusion paths
  - C:\Windows - Added to Windows Defender exclusion paths
- Command Lines:
  - Purpose: Disable Windows Defender MAPS Reporting | Tools: PowerShell, Add-MpPreference | Stage: Defense Evasion | -MAPSReporting 0
  - Purpose: Disable Windows Defender Block at First Seen | Tools: PowerShell | Stage: Defense Evasion | -DisableBlockAtFirstSeen $true
  - Purpose: Disable Windows Defender Sample Submission | Tools: PowerShell | Stage: Defense Evasion | -SubmitSamplesConsent NeverSend
  - Purpose: Disable Windows Defender Cloud Block Level | Tools: PowerShell | Stage: Defense Evasion | -CloudBlockLevel 0
  - Purpose: Disable Windows Defender PUA Protection | Tools: PowerShell | Stage: Defense Evasion | -PUAProtection disable
  - Purpose: Disable Windows Defender IOAV Protection | Tools: PowerShell | Stage: Defense Evasion | -DisableIOAVProtection $true
  - Purpose: Disable Windows Defender Behavior Monitoring | Tools: PowerShell | Stage: Defense Evasion | -DisableBehaviorMonitoring $true
  - Purpose: Add Windows Defender path exclusions | Tools: PowerShell, Add-MpPreference | Stage: Defense Evasion | Add-MpPreference -ExclusionPath
  - Purpose: Add Windows Defender process exclusions for PowerShell | Tools: PowerShell, Add-MpPreference | Stage: Defense Evasion | Add-MpPreference -ExclusionProcess 'powershell.exe'
  - Purpose: Create inbound firewall rules for C2 communication | Tools: PowerShell, New-NetFirewallRule | Stage: Defense Evasion
  - Purpose: Execute decoded PowerShell payload | Tools: PowerShell | Stage: Execution | powershell.exe" -NoProfile -No...
- Other:
  - idbzoomh - Threat actor GitHub account
  - idbzoomh1 - Threat actor GitHub account
  - my3jie - Threat actor GitHub account
  - cryptify_keyd3d - Environment variable checked for XOR decryption key
  - xnasff3wcedj - Hardcoded default XOR decryption key