{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/initial_access/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["malware","google_ads","initial_access","windows","macos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA malware campaign is underway, leveraging deceptive advertisements on Google that masquerade as legitimate \u0026lsquo;Claude Code\u0026rsquo; software. The attackers are using these ads to direct unsuspecting users to malicious websites hosting malware payloads for both Windows and macOS systems. While specific details on the malware are limited, the campaign\u0026rsquo;s reliance on search engine advertisement poisoning indicates a broad targeting strategy aimed at users actively seeking \u0026lsquo;Claude Code\u0026rsquo; related software or tools. This campaign highlights the increasing sophistication of threat actors in using search engine optimization (SEO) poisoning techniques to distribute malware. Defenders should be aware of the potential for users to be directed to malicious sites through search results.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates malicious advertisements on Google that mimic legitimate \u0026lsquo;Claude Code\u0026rsquo; software or related tools.\u003c/li\u003e\n\u003cli\u003eUsers searching for \u0026lsquo;Claude Code\u0026rsquo; or related terms encounter the malicious advertisements in their search results.\u003c/li\u003e\n\u003cli\u003eUnsuspecting users click on the malicious advertisement, believing it to be a legitimate source for \u0026lsquo;Claude Code\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe advertisement redirects the user to a malicious website controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malicious website hosts malware payloads tailored for both Windows and macOS operating systems.\u003c/li\u003e\n\u003cli\u003eUpon visiting the site, the user is tricked into downloading and executing the malware, potentially through social engineering or drive-by download techniques.\u003c/li\u003e\n\u003cli\u003eThe malware executes on the victim\u0026rsquo;s system, establishing persistence and potentially disabling security controls.\u003c/li\u003e\n\u003cli\u003eThe malware performs its intended malicious activities, such as data theft, credential harvesting, or further malware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this campaign could be widespread, affecting both individual users and organizations who rely on \u0026lsquo;Claude Code\u0026rsquo;. Successful infection can lead to data theft, financial loss, and reputational damage. Given the use of Google Ads, the number of potential victims is substantial. 
The cross-platform nature of the attack further amplifies the risk, as it targets a broader range of users regardless of their operating system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement browser security extensions and ad blockers to reduce the likelihood of users clicking on malicious advertisements.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of clicking on advertisements in search results and encourage them to verify the legitimacy of websites before downloading software.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to newly registered domains or known malicious IP addresses associated with malware distribution.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions to detect and prevent malware execution on both Windows and macOS systems.\u003c/li\u003e\n\u003cli\u003eEnable and review web proxy logs for user visits to suspicious domains.\u003c/li\u003e\n\u003cli\u003eConfigure intrusion detection systems (IDS) to identify and block malicious traffic originating from advertisement networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T15:31:12Z","date_published":"2026-03-15T15:31:12Z","id":"/briefs/2024-01-03-fake-claude-ads/","summary":"Malware is distributed via malicious advertisements on Google impersonating 'Claude Code', targeting both Windows and macOS operating systems with the goal of infecting users.","title":"Malware Spreading Through Fake 'Claude Code' Google Ads","url":"https://feed.craftedsignal.io/briefs/2024-01-03-fake-claude-ads/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Sysmon"],"_cs_severities":["medium"],"_cs_tags":["windows","wmi","script_execution","initial_access","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the use of Windows script interpreters (cscript.exe or wscript.exe) to execute processes via Windows Management Instrumentation (WMI). Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters. The rule monitors for these interpreters executing processes via WMI, specifically when initiated by non-system accounts, indicating potential malicious intent. The detection focuses on identifying scenarios where \u003ccode\u003ewmiutils.dll\u003c/code\u003e is loaded by \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003ecscript.exe\u003c/code\u003e, followed by \u003ccode\u003ewmiprvse.exe\u003c/code\u003e spawning a new process. This is often associated with malicious initial access or execution techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via phishing (T1566) or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a script, such as VBScript or JavaScript (T1059.005, T1059.007), to execute commands using WMI.\u003c/li\u003e\n\u003cli\u003eThe script interpreter (\u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e) loads \u003ccode\u003ewmiutils.dll\u003c/code\u003e to interact with WMI.\u003c/li\u003e\n\u003cli\u003eThe WMI Provider Host process (\u003ccode\u003ewmiprvse.exe\u003c/code\u003e) is invoked as a parent process, triggered by the script execution.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewmiprvse.exe\u003c/code\u003e executes a secondary process, such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, or other executables, often from unusual locations like \u003ccode\u003eC:\\\\Users\\\\\u003c/code\u003e or \u003ccode\u003eC:\\\\ProgramData\\\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed process performs malicious actions, such as downloading additional payloads or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is often lateral movement, data exfiltration, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code, bypass security controls, and establish persistence on the compromised system. The use of WMI enables stealthy execution, making detection challenging. The impact can range from data theft and system compromise to full network takeover. In some cases, threat actors may deploy ransomware, leading to significant financial losses and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 7 (Image Loaded) logging to provide the necessary data for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;WMI Scripting Process Creation\u0026rdquo; to detect suspicious process creation events originating from \u003ccode\u003ewmiprvse.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the provided Sigma rule \u0026ldquo;WMI Scripting Process Creation\u0026rdquo; with a focus on processes spawned by wmiprvse.exe from unusual locations or with suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eImplement endpoint protection policies to block or alert on the execution of high-risk processes when initiated by non-system accounts as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eRegularly review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmi-script-execution/","summary":"The rule identifies the use of Windows script interpreters (cscript.exe or wscript.exe) executing a process via Windows Management Instrumentation (WMI), which may indicate malicious activity, especially when initiated by non-system accounts.","title":"Windows Script Interpreter Executing Process via WMI","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-script-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Initial_access","version":"https://jsonfeed.org/version/1.1"}