Fake Claude AI Installers Deliver Malware, Not Anthropic’s Chatbot
Key Takeaways Cybercriminals are leveraging fake Claude AI installers to distribute sophisticated malware, identified as “InstallFix.” The attacks exploit human trust through malicious...
Key Takeaways
- Cybercriminals are leveraging fake Claude AI installers to distribute sophisticated malware, identified as “InstallFix.”
- The attacks exploit human trust through malicious Google Ads, leading users to deceptive installation pages for both Windows and macOS.
- The multi-stage infection chain collects system information, disables security features, establishes persistence, and connects to attacker-controlled servers, showing links to RedLine Stealer campaigns.
- Victims have been identified across the United States, Malaysia, the Netherlands, and Thailand, spanning various sectors including government, education, and electronics.
A new and concerning cybersecurity campaign, dubbed “InstallFix” or the Fake Claude Installer threat, is actively deploying malware by masquerading as legitimate installers for Anthropic’s Claude AI chatbot. This operation represents a tactical shift for cybercriminals, moving away from exploiting software vulnerabilities to targeting human behavior and trust in AI tools.
Table Of Content
Instead of relying on complex exploits, attackers are capitalizing on users’ willingness to follow what appear to be official installation instructions, thereby circumventing traditional security measures.
Deceptive Tactics and Initial Infection Vector
The attackers employ a straightforward yet highly effective method: they establish fraudulent Claude AI installation websites and then utilize paid Google Ads to ensure these deceptive pages rank prominently in search results. When individuals search for terms such as “Claude Code” or “Claude Code install,” a sponsored link, meticulously designed to mimic a trustworthy result, appears at the top.
Clicking this link directs users to a fraudulent site that provides seemingly legitimate, step-by-step installation commands specifically tailored to their operating system, whether Windows or macOS.
Researchers at Trend Micro meticulously documented this campaign, revealing that the malware involved is far from a simple infection. It orchestrates a multi-stage attack sequence that systematically gathers system information, disables critical security features, creates scheduled tasks to ensure persistence across reboots, and establishes communication with attacker-controlled command-and-control (C2) servers for further instructions.
Confirmed incidents have impacted organizations and individuals across diverse regions, including the United States, Malaysia, the Netherlands, and Thailand. The affected sectors range broadly, from government and education to electronics and the food and beverage industry.
How the Fake Installer Attack Works
The inherent danger of this campaign lies in its broad appeal, affecting both technical and non-technical users. Developers, accustomed to command-line interfaces, often copy setup commands directly from documentation without extensive scrutiny. Similarly, less technical users are prone to following official-looking on-screen instructions. The attackers have meticulously crafted these fake pages to closely replicate genuine Claude installation guides, making the deception remarkably difficult to discern.
The threat extends beyond a single download or execution. Once a user runs the malicious command, the infection unfolds through a series of stages, each designed to evade detection and maintain a hidden presence. Trend Micro’s telemetry has confirmed outbound network connections to attacker-controlled infrastructure, with indicators aligning closely with those observed in RedLine Stealer campaigns dating back to 2023.
The attack initiates with a Google Ad placement that intercepts users’ searches for “Claude Code.” The fraudulent landing page employs a technique known as ClickFix, presenting an OS-specific command as an essential installation step. On Windows systems, executing this command triggers a covert chain beginning with mshta.exe, a legitimate Windows utility frequently abused by attackers to execute remote payloads.
The downloaded file, named claude.msixbundle, is disguised as a genuine Microsoft package with valid Marketplace signatures, allowing it to bypass basic security checks. Embedded within this package is an HTA payload that silently executes a VBScript, with the window resized to zero pixels to prevent any visual indication of its activity. This script then launches obfuscated PowerShell commands through the SysWOW64 subsystem, circumventing detection by dynamically reconstructing the word “powershell” at runtime using split variables.
The stager component generates a unique identifier for the victim’s machine by hashing the computer name and username. This hash is then used to construct a custom command-and-control URL for each victim, from which the final payload is fetched from a subdomain on oakenfjrod[.]ru. This personalized C2 URL strategy significantly complicates bulk network-level blocking efforts.
Persistence, Data Theft, and RedLine Stealer Connections
Upon execution of the shellcode in memory, the malware establishes persistence by creating scheduled tasks, ensuring it survives system reboots and continues to operate silently. Dynamic analysis revealed the malware initiating connections to external IP addresses, systematically collecting browser data, and targeting e-wallet applications installed on the compromised machine.
The indicators of compromise (IoCs) associated with this campaign exhibit strong correlations with techniques and infrastructure previously attributed to RedLine Stealer.
What You Should Do
- Block Malicious Domains and IPs: Implement firewall rules to block known malicious domains (e.g.,
download-version[.]1-5-8[.]com,oakenfjrod[.]ru) and IP addresses (e.g.,104[.]21[.]0[.]95,185[.]177[.]239[.]255,77[.]91[.]97[.]244) at the network perimeter. - Utilize DNS Filtering: Employ robust DNS filtering solutions to prevent users from accessing suspicious or newly registered domains often used in phishing and malware campaigns.
- Restrict Legacy Scripting Tools: Where feasible, restrict or disable the use of legacy scripting tools like
mshta.exethat are frequently abused by attackers for payload execution. - User Training and Awareness: Educate users on the dangers of sponsored search results and the importance of verifying download pages against official vendor websites. Emphasize the use of trusted package managers (e.g., npm, pip, brew, winget) over manual scripts from unverified sources.
- Verify Software Sources: Always navigate directly to official vendor websites to download software. Never rely on links from search engine ads for critical software installations.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.