Back

InstallFix Campaign Exploits Fake Claude AI Install Pages for Malware Delivery

Severity: High (Score: 69.5)

Sources: blog.eclecticiq.com, Letsdatascience, Trendmicro, Feeds.Trendmicro

Summary

The InstallFix campaign targets multiple industries globally by using fake installation pages for Anthropic's Claude AI to distribute malware. This social engineering tactic exploits the trust in AI tools, tricking users into executing malicious commands that collect sensitive system information and connect to attacker-controlled servers. The campaign primarily spreads through Google Ads, leading users to fraudulent sites that appear legitimate. Both Windows and macOS users are affected, with the malware capable of disabling security features and achieving persistence. The primary payload identified includes the Amatera Stealer, which exfiltrates sensitive credentials. Researchers have noted that the campaign leverages common developer habits, such as copying one-liner installation commands, to bypass security measures. The threat landscape is further complicated by the use of legitimate hosting platforms to serve malicious content. Current telemetry indicates ongoing activity, emphasizing the need for heightened awareness and protective measures. Key Points: • InstallFix campaign uses fake Claude AI install pages to distribute malware. • Targets both Windows and macOS users, exploiting trust in AI tools. • Primary payload includes Amatera Stealer, exfiltrating sensitive credentials.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Trojan (attack_type)
  • Campaign Against NATO Aligned Ministries Of Foreign Affairs (campaign)
  • Fake Claude Installer Threat (campaign)
  • German Embassy Lure (campaign)
  • InstallFix (campaign)
  • InstallFix Campaign (campaign)
  • Austria (country)
  • Finland (country)
  • CWE-78 - OS Command Injection (cwe)
  • claude.ai (domain)
  • dnslytics.com (domain)
  • eclecticiq.com (domain)
  • grantallarddata.com (domain)
  • hosted-by.yeezyhost.net (domain)
  • Financial (industry)
  • 13.107.21.200 (ipv4)
  • 77.91.124.251 (ipv4)
  • 77.91.68.141 (ipv4)
  • Amatera Stealer (malware)
  • RedLine Stealer (malware)
  • T1012 - Query Registry (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1057 - Process Discovery (mitre_attack)
  • Brave (platform)
  • Cent (platform)
  • Cloudflare Pages (platform)
  • Coowon (platform)
  • Edge (platform)
  • Chrome (tool)
  • Npm (tool)
  • Windows Management Instrumentation (tool)
  • Cmd.exe (tool)
  • Mshta (tool)
  • 27e778497f153a8939069c654af632f5bf322e6cc4da39555c818f6e67411782 (sha256)
  • bf5677548650d278fad6f14ad8b20e4ad4e6a87cf4fe83a47aa5b367f30a3690 (sha256)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed