The InstallFix campaign leverages malvertising to distribute fake Claude AI installation pages, tricking users into executing malicious MSHTA commands. This initiates a multi-stage, fileless infection chain utilizing a ZIP/HTA polyglot, COM object abuse, and AMSI/SSL bypasses to deliver a payload associated with RedLine Stealer. The campaign demonstrates advanced evasion tactics, including the use of victim-unique C2 subdomains derived from machine fingerprints.