
Mustang Panda's New Bait: Fake Claude Installers. 22 Seconds to PlugX C2.

  • Writer: Patrick Duggan

Mustang Panda has a new target. It isn't Mongolian NGOs anymore. It's you — the developer searching for "claude install" at 11pm on a Wednesday.


82 Claude-themed indicators are sitting in our IOC index. 29 of them landed in the last 30 days. Six different malware families are using the Anthropic brand as bait — IClickFix, ClearFake, SmartLoader, Unknown Stealer, and two unlabeled droppers. Malwarebytes did the primary sandbox work on April 13 — a fake Claude Pro installer ZIP using DLL sideloading through a legitimate G DATA updater, dropping PlugX via an XOR-encrypted payload. The beacon landed at 8.217.190.58 (Alibaba Cloud, China, port 443) within 22 seconds of execution. PlugX. Mustang Panda. We ingested their finding the same day and cross-correlated it against our index — the C2 sits in the same /16 as four other Chinese C2s we were already watching. That correlation is ours. The detonation and the attribution are Malwarebytes'. Credit where it's owed.


The adversary card for Mustang Panda describes them as "targeting nongovernmental organizations using Mongolian-themed lures for espionage purposes." That was the CrowdStrike profile from April 2017. Nine years later the lures have changed. The target has changed. The C2 infrastructure sits in the same Chinese IP blocks.


Here is what they are actually running right now.


April 17, 2026 — install-claude.com (IClickFix C2, 90% confidence). github.com/XianLeeX/claude-api/raw/... serving SmartLoader.


April 15, 2026 — github.com/wsbs20/claude-code-aso-skill and github.com/yomyoms/claude-proxy-flask, both dropping SmartLoader zips.


April 14, 2026 — claude-install.com, claudecode-download.co.com, claude.gr.com, claudecode.gr.com. All IClickFix.


April 13, 2026 — claude-app-new.gitlab.io, claude-code-app.gitlab.io, claudeapp.gitlab.io. ClearFake C2s on GitLab Pages.


April 12, 2026 — claudepage.pages.dev. Cloudflare Pages hosting an Unknown Stealer C2.


April 9, 2026 — download-version.1-5-8.com/claude.msixbundle. A fake MSIX installer.


April 7, 2026 — claude-desktop-app.bitbucket.io. Atlassian's turn.


April 6, 2026 — claude-docs.com, claude-code-info.pages.dev, claude-code-main.pages.dev. Unknown Stealer family.


Every major free hosting platform that developers trust is in the list. Cloudflare Pages. GitLab Pages. Bitbucket Cloud. GitHub raw. Plus a fistful of registered lookalike domains using .com, .co.com, and .gr.com TLDs. The pattern isn't sloppy one-off phishing. It is a campaign with at least six different malware payloads fanned out across six different hosting providers, continuously spawning new subdomains. We are watching a factory, not a hobbyist.


The PlugX beacon is the thing that matters. PlugX is a remote-access tool Mustang Panda has been running for a decade. It does keylogging, file exfiltration, C2 tunneling, lateral movement. If you download one of the above installers on your work laptop, PlugX lands before your loading spinner finishes. By the time your coffee is done brewing, your company's Active Directory is on a slow plane to Beijing.


The grim symmetry: we use Claude every day. We ship it into our platform, we correlate with it, we trust it. The attackers noticed. They took the trust relationship and weaponized it. A fake Claude installer is perfect bait for exactly the demographic Mustang Panda wants to exfiltrate — AI engineers, security researchers, developers at defense contractors, cleared IT staff at Fortune 500s. Every one of those people has typed "claude install" into a search bar this month. Every one of them is a potential pivot into something bigger.


We pay attention to this because we are the demographic. We search Claude-themed domains in our feed not because a vendor blog told us to, but because when something looks like it impersonates our tooling we check. Malwarebytes did the forensic work that named Mustang Panda. The bloom filter novelty score in our own pipeline flagged install-claude.com the day it appeared in URLhaus. The cross-index correlation linked the Malwarebytes C2 to four Chinese neighbor C2s in a single query. That is the signature move: one indicator in, the entire adjacent infrastructure out. It does not replace the primary research. It multiplies it.
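The "one indicator in, adjacent infrastructure out" step described above, as an added example that is not the post's own pipeline code: it takes a newly seen C2 address, finds every watchlist entry in the same /16, and builds the cluster view for a whole feed. The watchlist addresses other than the reported 8.217.190.58 beacon are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed watchlist of previously tracked C2 addresses (labels invented for
# illustration); only 8.217.190.58 is the beacon address reported in the post.
WATCHLIST = {
    "8.217.12.34": "tracked C2 (constructed)",
    "8.217.200.9": "tracked C2 (constructed)",
    "203.0.113.45": "tracked C2 (constructed, TEST-NET-3)",
    "198.51.100.7": "tracked C2 (constructed, TEST-NET-2)",
}


def enclosing_network(ip, prefix_len=16):
    """Return the /prefix_len network that contains ip (IPv4 or IPv6)."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def neighbors_of(new_ip, watchlist, prefix_len=16):
    """Watchlist indicators that sit in the same block as new_ip.

    This is the cross-index query from the post: feed one fresh C2 in,
    get the already-tracked neighbours out (new_ip itself is excluded).
    """
    net = enclosing_network(new_ip, prefix_len)
    return sorted(ip for ip in watchlist
                  if ip != new_ip and ipaddress.ip_address(ip) in net)


def cluster_by_prefix(ips, prefix_len=16):
    """Group every indicator by its enclosing block: the 'cluster view'."""
    clusters = defaultdict(list)
    for ip in ips:
        clusters[str(enclosing_network(ip, prefix_len))].append(ip)
    return {net: sorted(members) for net, members in clusters.items()}


if __name__ == "__main__":
    beacon = "8.217.190.58"
    for ip in neighbors_of(beacon, WATCHLIST):
        print(f"{beacon} shares {enclosing_network(beacon)} with {ip}: {WATCHLIST[ip]}")
    for net, members in cluster_by_prefix(list(WATCHLIST) + [beacon]).items():
        print(net, members)
```

Lower the prefix length (e.g. 12) to widen the net when a provider's allocations span several /16s; the grouping logic is unchanged.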


Here is what to do tonight.


If you run DNS filtering on a corporate network, block the 29 domains listed above at the resolver. They are all in our STIX feed at analytics.dugganusa.com/api/v1/stix-feed and in our domain CSV at analytics.dugganusa.com/api/v1/stix-feed/domains.csv. Pull the feed every 6 hours — we publish new IOCs continuously as the campaign rotates.


If you are a developer, install Claude Code from one place and one place only: claude.com or claude.ai. If the install instructions landed in a GitHub or GitLab repo you do not recognize, walk away. If the domain name has "install" or "download" in it and ends in anything other than .com pointing at Anthropic, walk away. The legitimate installer is a one-line command on Anthropic's official site. Everything else is a test of whether you're paying attention.
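The developer rules above, turned into a triage function as an added example (not code from the post): a URL that claims to provide Claude is accepted only on claude.com or claude.ai, and anything else carrying the brand is sorted into the patterns the campaign list shows (free static hosting, unrecognised code repos, lookalike TLDs, install/download bait domains). The allow-list and suffix tables are assumptions taken from the post's own text, and the repo path in the usage block is constructed.

```python
from urllib.parse import urlsplit

# Allow-list: the only install sources the post says to use (assumption).
OFFICIAL_HOSTS = {"claude.com", "claude.ai"}
# Free hosting platforms the campaign was seen abusing.
FREE_HOSTING_SUFFIXES = (".pages.dev", ".gitlab.io", ".bitbucket.io", ".github.io")
# Code hosts where an unknown repo served the loader.
CODE_HOSTS = {"github.com", "gitlab.com", "raw.githubusercontent.com"}
# Lookalike TLD patterns seen among the registered domains.
LOOKALIKE_TLDS = (".co.com", ".gr.com")
BAIT_WORDS = ("install", "download", "setup")
BRAND = "claude"


def classify_claude_source(url: str) -> str:
    """Return a triage verdict for a URL or bare domain offering Claude."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path.lower()
    # Exact official host or a true subdomain of it (claude.ai.evil.com fails this).
    if host in OFFICIAL_HOSTS or any(host.endswith("." + h) for h in OFFICIAL_HOSTS):
        return "official"
    # Brand may sit in the path rather than the host (github.com/<user>/claude-...).
    if BRAND not in host and BRAND not in path:
        return "not-claude-branded"
    if host.endswith(FREE_HOSTING_SUFFIXES):
        return "block: brand on free static hosting"
    if host in CODE_HOSTS:
        return "block: brand in unrecognised code repo"
    if host.endswith(LOOKALIKE_TLDS):
        return "block: lookalike TLD"
    if any(word in host for word in BAIT_WORDS):
        return "block: install/download bait domain"
    return "block: unofficial brand domain"


if __name__ == "__main__":
    # Constructed sample: domains from the post plus an invented repo path.
    for candidate in ("claude.ai", "install-claude.com", "claudecode-download.co.com",
                      "claudepage.pages.dev", "claude-docs.com",
                      "github.com/example-user/claude-api/raw/main/installer.zip"):
        print(f"{candidate:60} -> {classify_claude_source(candidate)}")
```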


If you are a security team at a company that has been lax about AI tool governance, this is your wake-up call. AI tooling is now a first-class initial access vector. Not through the models themselves. Through the delivery chain — fake installers, fake documentation sites, poisoned OAuth apps, typosquatted npm packages. We wrote about the Vercel / Context.ai OAuth pivot three days ago. This is the companion attack, running in parallel, using the same playbook: if you cannot break the tool, break the install path.


Mustang Panda used to phish NGOs by emailing them PDFs about Mongolian elections. They noticed those targets got old. They noticed the real money is sitting on the laptops of the people building Western AI infrastructure. So they pivoted. The Mongolian PDFs are retired. The fake Claude installers are the new thing. Malwarebytes named the pivot on April 13. Our feed captured it the same day and built the cluster view. We don't know who got hit between April 6 and today. If you are a CISO reading this and a developer on your team downloaded something Claude-branded from anywhere other than Anthropic in the last six weeks, assume PlugX is on the box.


95% of the time, paranoia about this stuff is wrong and everything works out fine. The other 5% is how APTs stay in business. That is the honest number. That is the margin Mustang Panda lives in.


We do not guarantee we have every Claude-themed IOC on earth. What we have is the ones that landed in our feed, the ones our sandbox executed, and the one case where the PlugX C2 connected back to a Chinese IP block we have been tracking for two years. That is enough to publish. That is enough to block. That is enough to tell you the beast is slouching in a new direction.


The mission was never to process threats. The mission was to give a shit about the outcome. Mustang Panda gave us a fresh one to give a shit about.


Primary research: Malwarebytes blog team (ThreatDown), April 13 write-up on the Mustang Panda / fake Claude installer DLL sideloading chain. Supporting IOC feeds: abuse.ch URLhaus and SSL Blacklist (the majority of the domain-level indicators above). Our add: aggregation, cross-index correlation, campaign-scope framing.


STIX feed: analytics.dugganusa.com/api/v1/stix-feed
Domains CSV: analytics.dugganusa.com/api/v1/stix-feed/domains.csv
Pricing: analytics.dugganusa.com/stix/pricing

