Hackers Using Fake Claude AI Installer Pages to Trick Users Into Running Malware on Their Systems

Hackers are using convincing fake pages for Claude AI to trick users into running malware on their own systems. The campaign, known as “InstallFix” or the Fake Claude Installer threat, marks a sharp shift in how cybercriminals exploit the trust people place in artificial intelligence tools.

Instead of targeting software vulnerabilities, these attackers are targeting human behavior, knowing that users will follow installation steps without question.

The method is simple and effective. Attackers set up fake Claude AI installation pages and use paid Google Ads to push those pages to the top of search results.

When someone searches for “Claude Code” or “Claude Code install,” a sponsored link appears first, looking exactly like a trusted result. One click leads to a fraudulent site that provides step-by-step instructions with commands tailored to the user’s operating system, either Windows or macOS.

Researchers at Trend Micro identified and documented the campaign, noting that the malware is not a simple infection. It is a multi-stage attack chain that collects system information, disables security features, creates scheduled tasks to survive reboots, and connects to attacker-controlled servers for further instructions.

Confirmed attacks span the United States, Malaysia, the Netherlands, and Thailand, hitting industries from government and education to electronics and food and beverage.

How the Fake Installer Attack Works

What makes this campaign especially dangerous is that it targets both technical and non-technical users. Developers who work with command-line tools are often comfortable copying setup commands from documentation pages, and non-technical users are equally likely to follow on-screen steps that look official. The attackers crafted these fake pages to closely resemble a real Claude installation guide, making the deception very hard to spot.

The threat goes beyond a single download. After the user runs the malicious command, the infection unfolds across multiple stages, each designed to evade detection and remain hidden. Trend Micro’s telemetry confirmed outbound network connections to attacker-controlled servers, and the indicators found align closely with those tied to RedLine Stealer campaigns from 2023.

The attack begins with a Google Ads placement that intercepts users searching for Claude Code. The fake landing page uses a technique called ClickFix, presenting an OS-specific command framed as a required installation step. On Windows, running the command triggers a hidden chain beginning with mshta.exe, a legitimate Windows tool that attackers commonly abuse to execute remote payloads.

The downloaded file, named claude.msixbundle, appears to be a genuine Microsoft package with valid Marketplace signatures, allowing it to pass basic security checks. Embedded inside is an HTA payload that silently executes a VBScript, with the window resized to zero pixels so nothing appears on screen.

That script launches obfuscated PowerShell commands through the SysWOW64 subsystem, bypassing detection by reconstructing the word “powershell” at runtime using split variables.

The stager generates a unique ID for the victim machine by hashing the computer name and username together. It uses this hash to build a custom command-and-control URL for each victim, fetching the final payload from a subdomain on oakenfjrod[.]ru. This per-victim URL approach makes bulk network-level blocking extremely difficult to execute.

Persistence, Data Theft, and RedLine Stealer Connections

Once the shellcode runs in memory, the malware establishes persistence by creating scheduled tasks, allowing it to survive reboots and keep running silently. Dynamic analysis showed the malware reaching out to external IP addresses, collecting browser data, and targeting e-wallet applications installed on the infected machine.

The indicators tied to this campaign match techniques and infrastructure previously linked to RedLine Stealer.

To reduce risk, organizations should block known malicious domains and IP addresses at the firewall and use DNS filtering to prevent users from reaching suspicious or newly registered domains. Legacy scripting tools like mshta.exe should be restricted wherever possible.

Users should also be trained to avoid running commands from sites reached through sponsored search results, to verify download pages against official vendor websites, and to rely on trusted package managers like npm, pip, brew, or winget rather than manual scripts from unknown sources.

Indicators of Compromise (IoCs):-

Type	Indicator	Description
Domain	download-version[.]1-5-8[.]com	Malicious domain hosting the fake claude.msixbundle payload
Domain	oakenfjrod[.]ru	Attacker-controlled C&C domain; victim-unique subdomains used for Stage 4 payload delivery
URL	hxxps[://]download-version[.]1-5-8[.]com/claude[.]msixbundle	Download URL for the ZIP/HTA polyglot malicious package
URL	https://[nipple].oakenfjrod[.]ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1	Victim-unique C&C URL used to fetch and execute the final in-memory payload
File Name	claude.msixbundle	Malicious payload disguised as a Claude AI installer; ZIP/HTA polyglot file
File Name	Claude.msixbundle.zip	Malicious archive containing obfuscated VBScript payload embedded in an HTML file
SHA1	811fbf0ff6b6acabe4b545e493ec0dd0178a0302	Hash of the recovered Stage 5 payload file (content execution not confirmed)
SHA256	2f04ba77bb841111036b979fc0dab7fcbae99749718ae1dd6fd348d4495b5f74	SHA256 hash of the Stage 5 payload
IP Address	104[.]21[.]0[.]95	Outbound C&C IP observed during dynamic analysis
IP Address	185[.]177[.]239[.]255	Outbound C&C IP observed during dynamic analysis
IP Address	77[.]91[.]97[.]244	IP address contacted over HTTPS port 443; TCP SYN requests observed; resolved to hosted-by[.]yeezyhost[.]net

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.