Cyber Web Spider Blog – News

Fake AI Installers Exploit Users with Malware

Posted on May 7, 2026 By CWS

Cybersecurity experts are raising alarms over a new threat in which cybercriminals use counterfeit Claude AI installer pages to distribute malware. Dubbed the ‘InstallFix’ campaign, this strategy marks a significant shift in tactics: it exploits user trust in artificial intelligence tools rather than software vulnerabilities.

Exploiting Human Behavior Through Fake Pages

The attackers employ a straightforward yet effective method by creating fake Claude AI installation pages. These malicious sites are promoted via paid Google Ads, ensuring they appear prominently in search results. Users searching for installation instructions for Claude AI are led to fraudulent sites that mimic legitimate results.

Once on these counterfeit pages, users are provided with step-by-step installation instructions tailored to their operating systems, whether Windows or macOS. The instructions appear genuine, making it challenging for users to discern the threat.

Complex Multi-Stage Attack Chain

Research conducted by Trend Micro has documented that the malware involved in this campaign is part of a sophisticated multi-stage attack chain. It begins with collecting system information and disabling security features, followed by creating scheduled tasks to ensure persistence even after system reboots. The malware also connects to attacker-controlled servers for further instructions.

This campaign has affected users in various countries, including the United States, Malaysia, the Netherlands, and Thailand, impacting industries such as government, education, electronics, and food and beverage.

Defense Measures and Recommendations

What makes this campaign particularly dangerous is its ability to deceive both technical and non-technical users. Developers accustomed to command-line tools might unwittingly follow the scripted commands, while non-technical users might simply comply with on-screen instructions that seem official.

To mitigate the risk, organizations should block known malicious domains and IP addresses at the firewall level and employ DNS filtering to prevent access to suspicious sites. Users are advised to verify download pages against official vendor websites and use trusted package managers instead of manual scripts from unverified sources.

Furthermore, legacy scripting tools such as mshta.exe should be restricted to reduce exposure to such attacks.
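As an added example (not from the article or from Trend Micro's research), the following Python scans Windows Security event 4698 records, the event written when a scheduled task is created, for the two traits this article ties to the campaign: a task action that launches mshta.exe and task arguments that carry a URL. The task names, the XML bodies and the URL are constructed samples, not real telemetry.

```python
"""Flag newly created scheduled tasks whose action launches mshta.exe.

Added example: detects the scheduled-task persistence pattern described in the
article by inspecting the TaskContent XML carried in Security event 4698.
All event records below are constructed samples, not captured telemetry.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
SUSPECT_BINARIES = {"mshta.exe"}


def analyze_task_xml(task_xml: str) -> list[str]:
    """Return the reasons a task's Exec actions look like mshta-based persistence."""
    reasons = []
    root = ET.fromstring(task_xml)
    for exec_ in root.iterfind(".//t:Exec", TASK_NS):
        cmd = (exec_.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exec_.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        # Reduce "C:\Windows\System32\mshta.exe" or a bare "mshta" to "mshta.exe".
        binary = cmd.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        if binary and not binary.endswith(".exe"):
            binary += ".exe"
        if binary in SUSPECT_BINARIES:
            reasons.append(f"action runs {binary}")
        if URL_RE.search(args):
            reasons.append("arguments contain a URL")
    return reasons


# Constructed event 4698 records as (TaskName, TaskContent) pairs.
SAMPLE_EVENTS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions>'
     '<Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments>'
     '</Exec></Actions></Task>'),
    ("\\Updater",
     '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions>'
     '<Exec><Command>C:\\Windows\\System32\\mshta.exe</Command>'
     '<Arguments>http://example.invalid/update.hta</Arguments></Exec></Actions></Task>'),
]


def scan_events(events):
    """Return (task_name, reasons) for every task that triggers at least one rule."""
    flagged = [(name, analyze_task_xml(xml)) for name, xml in events]
    return [(name, reasons) for name, reasons in flagged if reasons]
```

Feeding real 4698 events requires only extracting TaskName and TaskContent from the event's EventData; the benign defrag task passes while the constructed mshta task is flagged on both rules.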

Indicators of Compromise (IoCs) identified include several defanged domains and IP addresses linked to the campaign. These details are crucial for threat intelligence operations but should be re-fanged only within controlled environments.

As cyber threats continue to evolve, staying informed and implementing robust security practices remain vital in safeguarding against such sophisticated attacks.

Category: Cyber Security News. Tags: AI, Claude AI, Cybersecurity, fake installer, Google Ads, InstallFix, Malware, Phishing, RedLine Stealer, Trend Micro

Copyright © 2026 Cyber Web Spider Blog – News.