Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads