Indicators of compromise - InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise

All indicators below are defanged: replace "[.]" with "." and "hxxps" with "https" before loading them into a blocklist or detection rule.

===============================================
Network IOCs
===============================================

Domains
__________________________________________________
Domain                           Description                        Notes
download-version[.]1-5-8[.]com   Payload host (Stage 2)             Infection vector
hosted-by[.]yeezyhost[.]net      Resolves to 77[.]91[.]97[.]244     Infection vector
oakenfjrod[.]ru                  C&C domain (Stage 4)               Infection vector

Victim-unique C&C subdomains carry a 16-hex-character prefix derived from the MD5 of COMPUTERNAME+USERNAME (a full MD5 digest is 32 hex characters, so the value is truncated), for example .oakenfjrod[.]ru (the hash prefix is omitted here). Because the label differs per victim, match on the pattern of 16 hex characters followed by .oakenfjrod[.]ru, or on the parent zone, rather than on a single hostname.

URLs
__________________________________________________
URL                                                                         Description
hxxps://download-version[.]1-5-8[.]com/claude[.]msixbundle                  Infection vector (Stage 2 download)
hxxps://.oakenfjrod[.]ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1        Infection vector (Stage 4 download; victim-unique subdomain prefix omitted)

IP addresses
__________________________________________________
IP address            Description                                                         Notes
185[.]177[.]239[.]255 Outbound connection; C&C server                                     Block
77[.]91[.]97[.]244    C&C attempt over TCP/443; hosted-by[.]yeezyhost[.]net resolves here  Malware infrastructure
104[.]21[.]0[.]95     Outbound connection; unverified                                     Lies in Cloudflare's address space and may be fronting infrastructure; verify before blocking, since a shared Cloudflare edge address also serves unrelated legitimate sites

===============================================
File IOCs
===============================================

Hashes (SHA-256)
__________________________________________________
SHA-256                                                            Description
2b99ade9224add2ce86eb836dcf70040315f6dc95e772ea98f24a30cdf4fdb97   claude.msixbundle (ZIP/HTA polyglot, Stage 2)
ec1206989449d30746b5ceb2b297cda9f3f09636a0e122ecafb40b1dc2e86772   Final shellcode
2f04ba77bb841111036b979fc0dab7fcbae99749718ae1dd6fd348d4495b5f74   cloude-91267b64-989f-49b4-89b4-984e0154d4d1 (Stage 4 fileless payload)

File names / path artifacts
__________________________________________________
• claude.msixbundle
• cloude-91267b64-989f-49b4-89b4-984e0154d4d1
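The script below is an added example for turning this list into checks; it is not code from the original write-up or from the campaign analysis it accompanies. It sweeps constructed DNS and connection log records against the network IOCs, treats any 16-hex-character label under oakenfjrod.ru as a victim-unique C&C host, looks up file hashes, and triages a file for the ZIP/HTA polyglot structure of the Stage 2 bundle. The log record formats, the sample ZIP and the HTA text are constructed here. The victim_prefix helper assumes plain UTF-8 concatenation of COMPUTERNAME+USERNAME and the first 16 hex characters of the MD5 digest; the page states neither the encoding nor which half of the digest is kept, so that function is a hypothesis to confirm against real DNS data, while the regex match does not depend on it.

```python
import hashlib
import io
import re
import struct
import zipfile

# Network and file IOCs from the list above; defanging brackets removed so the
# strings match what appears in real logs.
IOC_DOMAINS = {"download-version.1-5-8.com", "hosted-by.yeezyhost.net", "oakenfjrod.ru"}
IOC_IPS = {"185.177.239.255", "77.91.97.244"}
REVIEW_IPS = {"104.21.0.95"}  # Cloudflare range: review, do not block blindly
IOC_SHA256 = {
    "2b99ade9224add2ce86eb836dcf70040315f6dc95e772ea98f24a30cdf4fdb97": "claude.msixbundle (Stage 2, ZIP/HTA polyglot)",
    "ec1206989449d30746b5ceb2b297cda9f3f09636a0e122ecafb40b1dc2e86772": "final shellcode",
    "2f04ba77bb841111036b979fc0dab7fcbae99749718ae1dd6fd348d4495b5f74": "Stage 4 fileless payload",
}
# Victim-unique C&C hosts: a 16-hex-char MD5-derived label under oakenfjrod.ru.
VICTIM_SUBDOMAIN_RE = re.compile(r"^[0-9a-f]{16}\.oakenfjrod\.ru$")

def victim_prefix(computername: str, username: str) -> str:
    """Predict the C&C subdomain label for one host.

    ASSUMPTION: plain concatenation COMPUTERNAME+USERNAME, UTF-8, first 16 hex
    chars of the MD5 digest. The write-up states neither the encoding nor which
    half of the digest is kept; confirm against a real DNS log before relying on it.
    """
    return hashlib.md5((computername + username).encode("utf-8")).hexdigest()[:16]

def classify_domain(name: str):
    """Verdict for a queried name, or None when it is not an IOC."""
    name = name.lower().rstrip(".")
    if name in IOC_DOMAINS:
        return "ioc-domain"
    if VICTIM_SUBDOMAIN_RE.match(name):
        return "victim-unique-c2"
    if name.endswith(".oakenfjrod.ru"):
        return "c2-zone"  # any other label under the C&C zone still deserves a look
    return None

def scan_dns_log(lines):
    """Constructed record format: '<ts> <client_ip> <qname>'. Returns [(line, verdict)]."""
    hits = []
    for line in lines:
        parts = line.split()
        verdict = classify_domain(parts[2]) if len(parts) >= 3 else None
        if verdict:
            hits.append((line, verdict))
    return hits

def scan_conn_log(lines):
    """Constructed record format: '<ts> <src_ip> <dst_ip> <dst_port>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] in IOC_IPS:
            hits.append((line, "block"))
        elif len(parts) >= 4 and parts[2] in REVIEW_IPS:
            hits.append((line, "review"))
    return hits

def check_hash(data: bytes):
    """SHA-256 the bytes and look them up in the IOC table (description or None)."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())

def looks_like_zip_hta_polyglot(data: bytes) -> bool:
    """Triage check for a ZIP/HTA polyglot such as the Stage 2 bundle.

    mshta reads the file from the front as markup; ZIP readers start from the End
    Of Central Directory (EOCD) record at the back and most tolerate leading junk,
    so a file with markup in its head and a consistent EOCD in its tail is both.
    """
    head = data[:4096].lower()
    if not any(m in head for m in (b"<hta:application", b"<script", b"<html")):
        return False
    # EOCD = 22 bytes + up to 65535 bytes of comment, so it lies in the final 64 KiB+22.
    eocd_pos = data.rfind(b"PK\x05\x06", max(0, len(data) - (22 + 0xFFFF)))
    if eocd_pos < 0 or eocd_pos + 22 > len(data):
        return False
    cd_size = struct.unpack_from("<I", data, eocd_pos + 12)[0]  # central dir size field
    # Locate the central directory relative to the EOCD (as tolerant readers do) so
    # prepended HTA text does not break the check; it must begin with a CD header.
    cd_start = eocd_pos - cd_size
    return cd_start >= 0 and data[cd_start:cd_start + 4] == b"PK\x01\x02"

def build_sample_zip() -> bytes:
    """CONSTRUCTED: a tiny in-memory ZIP standing in for the real bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", "<Package/>")
    return buf.getvalue()

def build_sample_polyglot() -> bytes:
    """CONSTRUCTED: HTA markup prepended to the sample ZIP (still a readable ZIP)."""
    return b'<html><hta:application id="x"/><script>/* stub */</script>' + build_sample_zip()
```

To use it against real data, feed scan_dns_log and scan_conn_log lines reshaped into the three- and four-field record formats noted in their docstrings, and pass file contents to check_hash and looks_like_zip_hta_polyglot; the polyglot check is a triage signal only, so a hit should be followed by opening the file both as a ZIP and as text to see what each parser would execute.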