InstallFix malvertising campaign spreads fake Claude Code installers to deliver Amatera Stealer
Push Security reported a new ClickFix-style social-engineering campaign dubbed InstallFix that uses Google-sponsored search ads to drive developers to near-identical cloned “install” pages for Anthropic Claude Code and similar AI coding tools. Victims are prompted to copy/paste terminal commands from the fake pages; executing them installs Amatera Stealer, enabling credential theft and potential access to enterprise development environments.
Separate reporting highlighted adjacent browser-based tradecraft: a previously legitimate Chrome extension (QuickLens – Search Screen with Google Lens) with roughly 7,000 users was updated to deploy ClickFix attacks, strip web security headers, and steal cryptocurrency wallet seed phrases before being removed from the Chrome Web Store. A weekly threat bulletin also noted unrelated incidents (e.g., ransomware and data breaches) and separate AI-themed malicious extensions that harvest LLM chat histories, but those items are not part of the InstallFix/Claude Code malvertising campaign itself.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Push Security discloses InstallFix campaign details
Push Security publicly reported the InstallFix campaign, describing its use of near-identical fake Claude Code pages and legitimate hosting or fronting services such as Cloudflare Pages, Tencent EdgeOne, and Squarespace to evade suspicion. The report also warned that traditional IoCs have limited value because the attackers rapidly rotate domains.
InstallFix malvertising campaign targets Claude Code seekers
Attackers launched a ClickFix-style social engineering campaign dubbed "InstallFix" that used Google-sponsored search ads to lure users searching for Anthropic's Claude Code and similar AI coding tools to cloned installation sites. The fake pages presented malicious copy-paste terminal commands that installed Amatera Stealer, enabling theft of developer credentials and potential access to enterprise development environments.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix Campaign Abuses Claude Artifacts and Google Ads to Deliver macOS Infostealers
Threat actors are running a **ClickFix**-style social-engineering campaign that abuses **Google sponsored search results** to funnel macOS users to malicious content hosted on legitimate platforms, including **Anthropic Claude public artifacts** (`claude.ai`) and **Medium** pages impersonating trusted sources (e.g., Apple Support). The lures target common search queries such as “online DNS resolver,” “macOS CLI disk space analyzer,” and “HomeBrew,” then instruct victims to paste and run Terminal commands that decode/execute payloads (e.g., `echo "..." | base64 -D | zsh` or `curl ... | zsh`). Researchers (Moonlock Lab/MacPaw and AdGuard) reported that the malicious Claude artifact accumulated **~12,300 to 15,600 views**, indicating significant exposure (reported as **10,000+** and **15,000+** potential victims across coverage). The payloads deliver macOS information-stealing malware, including **MacSync**, which collects data such as **Keychain credentials, browser data, and cryptocurrency wallet files**. Reported tradecraft includes downloading and executing a shell script, using an AppleScript component for theft, staging stolen data into `/tmp/osalogging.zip`, and exfiltrating via HTTP POST to attacker infrastructure (e.g., `a2abotnet[.]com/gate`, with C2 paths like `a2abotnet[.]com/dynamic`). The malware attempts to blend in by spoofing legitimate macOS browser User-Agent strings and includes retry logic for large/chunked uploads, then removes staging artifacts to reduce forensic traces.
May 17, 2026
ClickFix Social-Engineering Technique Used to Trick Users Into Running Malware
Multiple reports highlighted **ClickFix**, a social-engineering technique that uses fake verification or update prompts to coerce users into manually executing attacker-supplied commands, as a recurring initial access method in recent malware activity. In the **OCRFix** botnet campaign, victims were lured to a typosquatted site impersonating *Tesseract OCR* (`tesseract-ocr[.]com` lookalike) via SEO poisoning and reported **LLM poisoning** (chatbot recommendations pointing users to the malicious site). The site presented a fake CAPTCHA that copied an obfuscated PowerShell command to the clipboard and instructed the user to paste it into PowerShell; this led to retrieval of a malicious MSI (`98166e51.msi`) from `opsecdefcloud[.]com`, after which victims were redirected to the legitimate GitHub project to reduce suspicion. The loader then queried a **BNB TestNet** smart contract to obtain C2 details, using **EtherHiding** (blockchain-hosted instructions) to make takedown and disruption more difficult. A separate investigation described a **Chrome extension supply-chain compromise** of *QuickLens – Search Screen with Google Lens* (7,000+ users), where attackers acquired the extension and shipped an update embedding malicious scripts and elevated permissions to enable credential/crypto theft and staged payload delivery; the campaign also incorporated a **ClickFix** flow that masqueraded as a legitimate browser update to trick users into executing malicious code. Other items in the set covered different topics: an AiTM phishing-kit attribution case study (focused on reverse-proxy phishing infrastructure rather than ClickFix), research on **Funnull/Fangneng CDN** as cybercrime-enabling infrastructure and related supply-chain activity, and Zscaler reporting on **Dust Specter APT** targeting Iraqi government officials with password-protected RAR delivery and custom malware modules—none of which were primarily about ClickFix.
Mar 21, 2026
Malvertising and Supply-Chain Lures Impersonate AI Developer Tools to Deliver Infostealers and RATs
Threat actors are abusing interest in AI developer tools by impersonating installers and setup guides to trick users into executing malware. Fake installation-guide pages for Anthropic’s **Claude Code** were promoted via **Google Ads** to rank highly for searches like “Claude Code install/CLI,” leading Windows and macOS users to run copy-pasted commands in an **InstallFix** campaign (a variant of **ClickFix**) that ultimately deployed **Amatera** (an **ACR Stealer**-based MaaS infostealer). Push Security reported the malware steals browser-stored credentials, cookies, session tokens, and system information, and the infrastructure used legitimate hosting/CDN services (e.g., *Squarespace*, *Cloudflare Pages*, *Tencent EdgeOne*) to reduce suspicion. In a related AI-tool impersonation theme, JFrog identified a malicious **npm** package, `@openclaw-ai/openclawai`, posing as an **OpenClaw** installer that targets macOS users to steal credentials and establish persistent remote access. The package uses a `postinstall` hook to reinstall itself globally and registers a CLI via the `bin` field pointing to `scripts/setup.js`, which presents a fake installer UI and then prompts for the user’s system password via a bogus Keychain/iCloud authorization flow. The malware (self-identified as **GhostLoader**) was reported to collect browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also deploying a **RAT** with **SOCKS5 proxy** capability and “live browser session cloning,” indicating a blend of credential theft and long-term access objectives.
Apr 1, 2026