Fake Claude AI Installer Campaign Delivers Malware via Google Ads

May 7, 2026 Faeem BLOGS 0

Overview Cybercriminals are running a campaign dubbed InstallFix (also known as the Fake Claude Installer threat) that uses fraudulent Claude AI installation pages to trick users into executing malware. Instead of exploiting software flaws, attackers exploit human trust in AI tools, leveraging Google Ads to push malicious sites to the top of search results.

Attack Flow

  1. Initial Lure: Sponsored Google Ads appear for searches like “Claude Code install.”
  2. Fake Landing Page: Pages mimic official Claude installation guides, offering OS‑specific commands.
  3. Execution Chain:
    • Windows users run commands triggering mshta.exe, abused to execute remote payloads.
    • A malicious claude.msixbundle file, disguised as a Microsoft package, bypasses basic checks.
    • Embedded HTA payload silently executes VBScript, launching obfuscated PowerShell commands.
  4. Persistence: Malware creates scheduled tasks to survive reboots.
  5. C2 Communication: Victim‑unique URLs built from hashed machine IDs connect to attacker domains (e.g., oakenfjrod[.]ru).

Capabilities

  • Collects system information.
  • Disables security features.
  • Steals browser data and e‑wallet credentials.
  • Connects to attacker‑controlled servers for instructions.
  • Indicators align with RedLine Stealer infrastructure and techniques.

Campaign Scope

  • Regions Impacted: United States, Malaysia, Netherlands, Thailand.
  • Industries Targeted: Government, education, electronics, food & beverage.
  • Victim Profile: Both technical and non‑technical users — developers copying commands and everyday users following installation steps.

Defensive Guidance

  • Block Known IoCs: Domains, IPs, and hashes published by Trend Micro should be added to firewall and DNS filters.
  • Restrict Legacy Tools: Disable or restrict mshta.exe and monitor PowerShell activity.
  • User Awareness: Train staff to avoid commands from sponsored search results.
  • Verify Sources: Always download installers from official vendor sites.
  • Use Trusted Package Managers: Rely on npm, pip, brew, or winget instead of manual scripts.

Final Thought

The Fake Claude Installer campaign highlights how attackers weaponize search ads and trusted branding to bypass technical defenses. By mimicking legitimate installation flows, they exploit user behavior rather than software vulnerabilities. For defenders, the lesson is clear: security awareness and strict download hygiene are as critical as patching systems.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.