InstallFix Attacks Distribute Amatera Infostealer via Fake Claude Code Install Guides
Summary
Threat actors are using a new social engineering technique called InstallFix to trick users into executing malicious commands under the guise of installing legitimate CLI tools, such as Claude Code. The attackers create cloned installation pages with malicious commands that deliver the Amatera infostealer. The campaigns are promoted through malvertising on Google Ads, targeting users searching for installation guides. The Amatera infostealer steals browser credentials, cookies, and session tokens while evading detection.
Timeline
- 06.03.2026 17:00 (1 article)
InstallFix Attacks Distribute Amatera Infostealer via Fake Claude Code Install Guides
- Fake Claude Code install guides push infostealers in InstallFix attacks — www.bleepingcomputer.com — 06.03.2026 17:00
Information Snippets
- InstallFix exploits developers' 'curl-to-bash' habit of piping a downloaded install script straight into a shell without inspecting it.
  First reported: 06.03.2026 17:00 (1 source, 1 article)
  - Fake Claude Code install guides push infostealers in InstallFix attacks — www.bleepingcomputer.com — 06.03.2026 17:00
- Attackers use cloned pages for popular CLI tools like Claude Code to serve malicious install commands.
  First reported: 06.03.2026 17:00 (1 source, 1 article)
  - Fake Claude Code install guides push infostealers in InstallFix attacks — www.bleepingcomputer.com — 06.03.2026 17:00
- The malicious commands download and execute the Amatera infostealer from an attacker-controlled endpoint.
  First reported: 06.03.2026 17:00 (1 source, 1 article)
  - Fake Claude Code install guides push infostealers in InstallFix attacks — www.bleepingcomputer.com — 06.03.2026 17:00
- Amatera is a new malware family based on ACR Stealer, sold as a subscription service (MaaS).
  First reported: 06.03.2026 17:00 (1 source, 1 article)
  - Fake Claude Code install guides push infostealers in InstallFix attacks — www.bleepingcomputer.com — 06.03.2026 17:00
- The attacks are promoted through malvertising campaigns on Google Ads, appearing in search results for queries like 'Claude Code install'.
  First reported: 06.03.2026 17:00 (1 source, 1 article)
  - Fake Claude Code install guides push infostealers in InstallFix attacks — www.bleepingcomputer.com — 06.03.2026 17:00
- The malicious sites are hosted on legitimate platforms such as Cloudflare Pages, Squarespace, and Tencent EdgeOne.
  First reported: 06.03.2026 17:00 (1 source, 1 article)
  - Fake Claude Code install guides push infostealers in InstallFix attacks — www.bleepingcomputer.com — 06.03.2026 17:00