Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches
July 15, 2026
Critical Cursor RCE: CVE-2024-XXXXX lets Git repos auto-execute code
July 15, 2026
Home/CyberSecurity News/Fake Claude AI Installers Deliver Malware, Not Anthropic’s Chatbot
CyberSecurity News

Fake Claude AI Installers Deliver Malware, Not Anthropic’s Chatbot

Key Takeaways Cybercriminals are leveraging fake Claude AI installers to distribute sophisticated malware, identified as “InstallFix.” The attacks exploit human trust through malicious...

David kimber
David kimber
May 7, 2026 4 Min Read
70 0

Key Takeaways

  • Cybercriminals are leveraging fake Claude AI installers to distribute sophisticated malware, identified as “InstallFix.”
  • The attacks exploit human trust through malicious Google Ads, leading users to deceptive installation pages for both Windows and macOS.
  • The multi-stage infection chain collects system information, disables security features, establishes persistence, and connects to attacker-controlled servers, showing links to RedLine Stealer campaigns.
  • Victims have been identified across the United States, Malaysia, the Netherlands, and Thailand, spanning various sectors including government, education, and electronics.

A new and concerning cybersecurity campaign, dubbed “InstallFix” or the Fake Claude Installer threat, is actively deploying malware by masquerading as legitimate installers for Anthropic’s Claude AI chatbot. This operation represents a tactical shift for cybercriminals, moving away from exploiting software vulnerabilities to targeting human behavior and trust in AI tools.

Table Of Content

  • Key Takeaways
  • Deceptive Tactics and Initial Infection Vector
  • How the Fake Installer Attack Works
  • Persistence, Data Theft, and RedLine Stealer Connections
  • What You Should Do

Instead of relying on complex exploits, attackers are capitalizing on users’ willingness to follow what appear to be official installation instructions, thereby circumventing traditional security measures.

Deceptive Tactics and Initial Infection Vector

The attackers employ a straightforward yet highly effective method: they establish fraudulent Claude AI installation websites and then utilize paid Google Ads to ensure these deceptive pages rank prominently in search results. When individuals search for terms such as “Claude Code” or “Claude Code install,” a sponsored link, meticulously designed to mimic a trustworthy result, appears at the top.

Clicking this link directs users to a fraudulent site that provides seemingly legitimate, step-by-step installation commands specifically tailored to their operating system, whether Windows or macOS.

Researchers at Trend Micro meticulously documented this campaign, revealing that the malware involved is far from a simple infection. It orchestrates a multi-stage attack sequence that systematically gathers system information, disables critical security features, creates scheduled tasks to ensure persistence across reboots, and establishes communication with attacker-controlled command-and-control (C2) servers for further instructions.

Confirmed incidents have impacted organizations and individuals across diverse regions, including the United States, Malaysia, the Netherlands, and Thailand. The affected sectors range broadly, from government and education to electronics and the food and beverage industry.

How the Fake Installer Attack Works

The inherent danger of this campaign lies in its broad appeal, affecting both technical and non-technical users. Developers, accustomed to command-line interfaces, often copy setup commands directly from documentation without extensive scrutiny. Similarly, less technical users are prone to following official-looking on-screen instructions. The attackers have meticulously crafted these fake pages to closely replicate genuine Claude installation guides, making the deception remarkably difficult to discern.

The threat extends beyond a single download or execution. Once a user runs the malicious command, the infection unfolds through a series of stages, each designed to evade detection and maintain a hidden presence. Trend Micro’s telemetry has confirmed outbound network connections to attacker-controlled infrastructure, with indicators aligning closely with those observed in RedLine Stealer campaigns dating back to 2023.

The attack initiates with a Google Ad placement that intercepts users’ searches for “Claude Code.” The fraudulent landing page employs a technique known as ClickFix, presenting an OS-specific command as an essential installation step. On Windows systems, executing this command triggers a covert chain beginning with mshta.exe, a legitimate Windows utility frequently abused by attackers to execute remote payloads.

The downloaded file, named claude.msixbundle, is disguised as a genuine Microsoft package with valid Marketplace signatures, allowing it to bypass basic security checks. Embedded within this package is an HTA payload that silently executes a VBScript, with the window resized to zero pixels to prevent any visual indication of its activity. This script then launches obfuscated PowerShell commands through the SysWOW64 subsystem, circumventing detection by dynamically reconstructing the word “powershell” at runtime using split variables.

The stager component generates a unique identifier for the victim’s machine by hashing the computer name and username. This hash is then used to construct a custom command-and-control URL for each victim, from which the final payload is fetched from a subdomain on oakenfjrod[.]ru. This personalized C2 URL strategy significantly complicates bulk network-level blocking efforts.

Persistence, Data Theft, and RedLine Stealer Connections

Upon execution of the shellcode in memory, the malware establishes persistence by creating scheduled tasks, ensuring it survives system reboots and continues to operate silently. Dynamic analysis revealed the malware initiating connections to external IP addresses, systematically collecting browser data, and targeting e-wallet applications installed on the compromised machine.

The indicators of compromise (IoCs) associated with this campaign exhibit strong correlations with techniques and infrastructure previously attributed to RedLine Stealer.

What You Should Do

  • Block Malicious Domains and IPs: Implement firewall rules to block known malicious domains (e.g., download-version[.]1-5-8[.]com, oakenfjrod[.]ru) and IP addresses (e.g., 104[.]21[.]0[.]95, 185[.]177[.]239[.]255, 77[.]91[.]97[.]244) at the network perimeter.
  • Utilize DNS Filtering: Employ robust DNS filtering solutions to prevent users from accessing suspicious or newly registered domains often used in phishing and malware campaigns.
  • Restrict Legacy Scripting Tools: Where feasible, restrict or disable the use of legacy scripting tools like mshta.exe that are frequently abused by attackers for payload execution.
  • User Training and Awareness: Educate users on the dangers of sponsored search results and the importance of verifying download pages against official vendor websites. Emphasize the use of trusted package managers (e.g., npm, pip, brew, winget) over manual scripts from unverified sources.
  • Verify Software Sources: Always navigate directly to official vendor websites to download software. Never rely on links from search engine ads for critical software installations.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerMalwareSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

UAT-8302 Threat Group Steals Government Data With Custom Malware

Next Post

CISA Warns of Critical Palo Alto PAN-OS Vulnerability Exploited for Root Access

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Microsoft Confirms Dell Laptop Overheating, Shutdowns After July Windows Update
July 15, 2026
FaceTime Call Impersonation Fraud Hijacks Bank Accounts
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us