Detailed Analysis
A sophisticated malware campaign operating under the domain awstore.cloud has emerged as one of the most technically novel threats targeting software developers in April 2026, exploiting not a vulnerability in Claude itself but rather the legitimate tool-execution architecture of Claude Code, Anthropic's agentic coding assistant. The attackers sell discounted "Claude API access" on established reseller marketplaces such as Plati Market, lending the scheme surface-level credibility through professional documentation and familiar payment processing. When a developer configures Claude Code to use the malicious `ANTHROPIC_BASE_URL` endpoint and submits any prompt, the rogue server returns a fabricated tool-use response that Claude Code interprets as a legitimate instruction, causing it to silently execute a PowerShell dropper — no social engineering of the human required. The resulting infection is a four-stage deployment chain: an initial PowerShell script fetches a Go binary, which deploys VBS-obfuscated components, culminating in a .NET payload identified by the sandbox service Tria.ge as Aura Stealer, a credential, browser session, and cryptocurrency wallet harvester.
The malware's post-infection behavior is operationally comprehensive and designed for long-term persistence. It installs itself inside directories mimicking legitimate Microsoft infrastructure — `%LOCALAPPDATA%\Microsoft\SngCache\` and `%LOCALAPPDATA%\Microsoft\IdentityCRL\` — and creates a scheduled task named `\Microsoft\Windows\Maintenance\CodeAssist` that executes at every user logon under SYSTEM privileges. All system network traffic is then tunneled through a SOCKS5 proxy at `2.27.43.246:1080`, hosted on bulletproof infrastructure in Germany under AS215439, while PowerShell script block logging is disabled and Windows event logs are wiped to impede forensic analysis. Critically, the campaign also hijacks the victim's Claude Code installation so that every subsequent developer prompt continues to be routed through attacker-controlled infrastructure, potentially exposing proprietary source code, environment variables, API keys, and project secrets indefinitely after the initial compromise.
The campaign's geopolitical fingerprinting strongly suggests a Russian-speaking threat actor. Hard-coded logic causes the malware to exit immediately if the victim's locale resolves to Ukraine, while infections originating in CIS nations — Russia, Belarus, Kazakhstan, and others — temporarily mask the system locale to `en-US` during execution before restoring it post-reboot to reduce forensic traces. This targeting pattern is consistent with financially motivated cybercriminal groups operating under implicit or explicit state tolerance in the Russian Federation, a profile that aligns with the use of bulletproof hosting and the Aura Stealer malware family, which has circulated in Russian-language cybercrime forums. The campaign appears to have launched on or around April 22–23, 2026, placing it among the freshest active threats in the current landscape.
The awstore.cloud operation fits within a dramatically expanding ecosystem of Claude- and Anthropic-branded attacks that security researchers have tracked since at least February 2026. Across more than 25 documented campaigns, attackers have weaponized Google Ads to redirect developers to trojanized Claude installers deploying PlugX, embedded malicious ClickFix commands inside legitimate Claude.ai artifacts accessed over 15,000 times before takedown, and distributed stealers through fake VS Code extensions and spoofed GitHub releases. What distinguishes awstore.cloud from these contemporaries is its exploitation of the agentic tool-use layer specifically: rather than deceiving the human developer into running something, it deceives the AI agent into running something autonomously. This represents a qualitative escalation in attack sophistication, exploiting the implicit trust relationship between an AI coding assistant and its configured API backend.
The broader implication is a structural security challenge that will intensify as agentic AI tools proliferate across the development ecosystem. Platforms such as Cursor, Cline, and Continue share analogous tool-execution architectures and configurable API endpoints, making them similarly susceptible to the class of attack demonstrated here. The awstore.cloud campaign effectively demonstrates that any system permitting an untrusted API server to issue tool-use instructions to a locally running agent with filesystem and shell access constitutes a significant attack surface. Developers and security teams should treat the `ANTHROPIC_BASE_URL` environment variable — and equivalent configuration parameters in any AI coding tool — as a high-privilege trust boundary equivalent to a code execution endpoint, and organizational policy should restrict its permissible values to verified official providers exclusively.
Read original article →