Back

InstallFix Campaign Exploits AI Trust to Deliver Malware via Fake Install Pages

Severity: High (Score: 69.5)

Sources: Feeds.Trendmicro, Letsdatascience, Trendmicro, blog.eclecticiq.com

Summary

The InstallFix campaign targets users by creating fake installation pages for Anthropic's Claude AI, tricking them into executing malware. This sophisticated social engineering tactic exploits the growing reliance on AI tools, affecting both developers and non-technical users. The malware, primarily the Amatera Stealer, collects sensitive information and establishes persistence on compromised systems. Attackers use Google Ads to promote these malicious pages, which mimic legitimate installation commands. The campaign has been observed impacting users on both Windows and macOS platforms. Security researchers have identified the use of PowerShell and MSHTA to execute malicious commands. The threat landscape is evolving as attackers leverage common developer habits, increasing the risk of infection. Organizations are urged to remain vigilant against these deceptive tactics. Key Points: • The InstallFix campaign uses fake Claude AI installer pages to distribute malware. • Attackers exploit Google Ads to promote malicious pages, targeting both Windows and macOS users. • The primary payload observed is the Amatera Stealer, which exfiltrates sensitive information.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Trojan (attack_type)
  • Campaign Against NATO Aligned Ministries Of Foreign Affairs (campaign)
  • Fake Claude Installer Threat (campaign)
  • German Embassy Lure (campaign)
  • InstallFix (campaign)
  • InstallFix Campaign (campaign)
  • Austria (country)
  • Finland (country)
  • CWE-78 - OS Command Injection (cwe)
  • claude.ai (domain)
  • dnslytics.com (domain)
  • eclecticiq.com (domain)
  • grantallarddata.com (domain)
  • hosted-by.yeezyhost.net (domain)
  • Financial (industry)
  • 13.107.21.200 (ipv4)
  • 77.91.124.251 (ipv4)
  • 77.91.68.141 (ipv4)
  • Amatera Stealer (malware)
  • RedLine Stealer (malware)
  • T1012 - Query Registry (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1057 - Process Discovery (mitre_attack)
  • Brave (platform)
  • Cent (platform)
  • Cloudflare Pages (platform)
  • Coowon (platform)
  • Edge (platform)
  • Chrome (tool)
  • Npm (tool)
  • Windows Management Instrumentation (tool)
  • Cmd.exe (tool)
  • Mshta (tool)
  • 27e778497f153a8939069c654af632f5bf322e6cc4da39555c818f6e67411782 (sha256)
  • bf5677548650d278fad6f14ad8b20e4ad4e6a87cf4fe83a47aa5b367f30a3690 (sha256)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed