InstallFix Campaign Exploits AI Trust to Deliver Malware via Fake Install Pages

InstallFix Campaign Exploits AI Trust to Deliver Malware via Fake Install Pages

First seen 5 May 2026, 21:26 UTC Feeds.TrendmicroTrendmicroblog.eclecticiq.comLetsdatascienceBleepingcomputer+21 85% similarity 69.5

Article Content

Browse articles
ThreatCluster

The InstallFix campaign targets users by creating fake installation pages for Anthropic's Claude AI, tricking them into executing malware. This sophisticated social engineering tactic exploits the growing reliance on AI tools, affecting both developers and non-technical users. The malware, primarily the Amatera Stealer, collects sensitive information and establishes persistence on compromised systems. Attackers use Google Ads to promote these malicious pages, which mimic legitimate installation commands. The campaign has been observed impacting users on both Windows and macOS platforms. Security researchers have identified the use of PowerShell and MSHTA to execute malicious commands. The threat landscape is evolving as attackers leverage common developer habits, increasing the risk of infection. Organizations are urged to remain vigilant against these deceptive tactics.

Key Points: • The InstallFix campaign uses fake Claude AI installer pages to distribute malware. • Attackers exploit Google Ads to promote malicious pages, targeting both Windows and macOS users. • The primary payload observed is the Amatera Stealer, which exfiltrates sensitive information.

ThreatCluster AI

Timeline

2026-05-05
InstallFix campaign identified
Trend Micro reported on the InstallFix campaign using fake Claude AI pages to deliver malware via Google Ads.
Trendmicro
2026-05-05
Malware payload identified
Researchers confirmed that the Amatera Stealer is the primary payload used in the InstallFix campaign.
Letsdatascience
2026-05-05
Malicious command execution method detailed
The campaign uses PowerShell and MSHTA to execute commands that install the malware on compromised systems.
Trendmicro

Community

Browse all →