
The InstallFix campaign, also known as the Fake Claude Installer threat, targets developers and professional users searching for Anthropic's Claude AI assistant.
Attackers use deceptive Google Ads to promote fake, pixel-perfect installation pages that trick victims into running malicious command-line instructions, leading to severe system compromise.
The campaign capitalizes on the modern developer habit of executing terminal commands copied from the internet without inspecting them, which widens the pool of potential victims well beyond traditional targets.
Fake Claude Installers Spread Malware
The attack sequence begins when a victim clicks a sponsored Google search result for terms like “Claude Code install,” which directs them to a fraudulent landing page that closely resembles legitimate documentation.
The page uses the ClickFix social engineering pattern to instruct the user to run an operating system-specific command.
When executed on Windows, the command starts the mshta.exe process, which downloads a deceptive polyglot archive named claude.msixbundle from a remote, attacker-controlled server.
Although the file presents as a valid Microsoft Bing package with a legitimate ZIP header, it carries an appended HTML Application (HTA) payload beginning at byte offset 882290.
This dual-format structure lets the file pass initial security scans as an ordinary ZIP archive, while mshta.exe executes the appended HTA content directly.
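The polyglot layout described above (a well-formed ZIP followed by appended HTA content) can be spotted by parsing the ZIP End of Central Directory record and checking for bytes past the archive's logical end. The script below is an added example written for this page, not code from the article or from Trend Micro; the sample archive and its inert HTML-like tail are constructed in memory, and the 882290 offset of the real sample is not reproduced.

```python
import io
import re
import struct
import zipfile

# End of Central Directory (EOCD) record: 4-byte signature + 18 fixed bytes + comment.
EOCD_SIG = b"PK\x05\x06"
# Constructed stand-in for an appended HTA payload; deliberately does nothing.
SAMPLE_TAIL = b"<html><head><hta:application id=x /></head><body></body></html>"

def zip_logical_end(data: bytes):
    """Return the offset where the ZIP structure ends, or None if no consistent
    EOCD record exists. A candidate EOCD is accepted only when the central
    directory it describes ends exactly where the record starts, so a stray
    'PK\\x05\\x06' inside appended data is not mistaken for the real record."""
    pos = 0
    while True:
        idx = data.find(EOCD_SIG, pos)
        if idx < 0 or idx + 22 > len(data):
            return None
        cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, idx + 12)
        if cd_offset + cd_size == idx:
            return idx + 22 + comment_len
        pos = idx + 1

def find_trailing_payload(data: bytes) -> dict:
    """Report any bytes appended after the ZIP structure and whether they
    resemble an HTML Application / HTML document (the polyglot pattern)."""
    end = zip_logical_end(data)
    if end is None or end >= len(data):
        return {"trailing_offset": None, "trailing_bytes": 0, "looks_like_hta": False}
    tail = data[end:]
    hta_marker = re.search(rb"<(html|script|hta:application)\b", tail, re.I)
    return {"trailing_offset": end, "trailing_bytes": len(tail),
            "looks_like_hta": hta_marker is not None}

def build_sample_polyglot() -> bytes:
    """Constructed sample: a harmless one-file ZIP with SAMPLE_TAIL appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxMetadata/readme.txt", "placeholder bundle content")
    return buf.getvalue() + SAMPLE_TAIL

if __name__ == "__main__":
    sample = build_sample_polyglot()
    print("still parses as ZIP:", zipfile.is_zipfile(io.BytesIO(sample)))
    print(find_trailing_payload(sample))
```

Running the script shows that the standard library still treats the sample as a valid ZIP while the trailing HTA-like bytes are flagged, which is the check a file scanner or mail gateway would want to apply to MSIX bundles and other ZIP-based formats.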
Following the initial download, the infection chain leverages a Component Object Model Shell Launcher to run an obfuscated VBScript silently in the background, ensuring no user interface is displayed.
This script decodes and launches a heavily disguised PowerShell stager using variable-splitting tricks to reconstruct commands at runtime and evade static detection.
The PowerShell component adds further evasion measures, including disabling SSL/TLS certificate validation so that the stager accepts any HTTPS endpoint, including attacker-controlled servers presenting untrusted certificates.
According to Trend Micro research, the InstallFix campaign has cast a wide geographical net, successfully targeting organizations across the Americas, Europe, Asia Pacific, the Middle East, and Africa.
Telemetry has identified specific victims in the United States, Netherlands, Malaysia, and Thailand, with a particular focus on critical industries such as government, education, electronics, and food and beverage.
To maintain long-term access to these compromised corporate networks, the malware establishes persistence by creating unauthorized scheduled tasks on the host operating system, allowing it to re-execute automatically after system reboots.
During dynamic analysis, security platforms observed the malware actively attempting to harvest browser data and e-wallet information.
The threat concurrently initiated outbound connections to multiple malicious IP addresses, including repeated TCP SYN attempts on port 443 to infrastructure that was no longer reachable.
The post Fake Claude AI Installer Pages Trick Users Into Malware Downloads appeared first on Cyber Security News.
