InstallFix Attack: Fake Claude AI Pages Spread Malware

If your team has been racing to adopt AI tools, here is a problem that did not exist a year ago. Your employees are now Googling "install Claude Code," clicking the top result, and pasting a one-line command from that page directly into their terminal. Some of those pages are fake, and the command is not an installer — it is malware. Security researchers at Trend Micro published details on May 5 of an active campaign, dubbed InstallFix, that puts this risk in front of every company experimenting with AI right now.

What happened

Trend Micro reported on a social engineering operation that targets people searching for Anthropic's Claude — specifically the Claude Code developer tool. The attackers buy Google Ads keyed to terms like "Claude Code," "Claude Code install," and "Claude Code CLI." The sponsored result sends victims to a fake page that is a near-pixel-perfect clone of Anthropic's real install documentation. Same layout, same branding, same sidebar.

The only thing that changes is the install command. On the legitimate page, that command pulls an installer from Anthropic. On the fake page, the same-looking command pulls malware from an attacker-controlled domain. Push Security, which first publicly described this technique in March, named it InstallFix — a play on the older ClickFix attack pattern, but without the fake CAPTCHA or error message that ClickFix relies on. With InstallFix, the user is already trying to install legitimate software. That is the entire pretext.

Trend Micro observed victims across the Americas, Europe, the Middle East, Africa, and Asia Pacific. Specific infections were confirmed in the United States, Netherlands, Malaysia, and Thailand. The targeted sectors so far include government, education, electronics, and food and beverage — not the usual list, which is what makes the campaign worth reading carefully.

Why this matters to your business

Three reasons:

First, this attack bypasses most of what your security stack is built to catch. There is no phishing email to filter, no malicious attachment to scan, no exploit of an unpatched vulnerability. The user types the command themselves, on their own machine, with their own credentials. They look like a trusted insider performing a routine task because, as far as their own intent is concerned, that is exactly what they are doing.

Second, AI tool adoption inside companies is happening faster than IT can govern it. Employees in marketing, finance, operations, and engineering are all installing AI assistants, browser extensions, CLI tools, and integrations on their own — often without telling anyone. That gap between "we said we would evaluate AI carefully" and "half our staff already installed three different AI tools" is exactly where InstallFix lives.

Third, the malware is built to stay. According to Trend Micro, the infection chain disables AMSI (the Windows feature that lets antivirus inspect scripts at runtime), turns off SSL certificate validation so it can talk to attacker servers undetected, and creates a scheduled task so it survives reboots. Indicators in the campaign overlap with known information-stealing malware families. Once a workstation is compromised, treat browser sessions, saved passwords, and any tokens used on that machine as compromised too. A single laptop becomes a foothold into your email, your code repositories, your finance systems — whatever that user touches.

How the attack works, in plain English

A user searches Google for how to install Claude Code. The top result is a sponsored ad. They click. The page looks identical to Anthropic's real documentation. It tells them to copy and paste a single command into PowerShell on Windows or Terminal on macOS. They do.

On Windows, that command quietly invokes mshta.exe — a built-in Windows utility that runs HTML application files. mshta.exe reaches out to the attacker's domain and downloads a file disguised as a Microsoft-signed package. Hidden inside is a script that decodes another script that launches PowerShell that pulls down the actual payload. Each layer is designed to avoid being spotted by either antivirus or a person watching task manager. By the time it is finished, the malware is fingerprinting the machine, beaconing out to a server unique to that victim, and waiting for instructions.

The whole thing takes a few seconds. The user sees a terminal window flash open and close, assumes the install worked, and goes back to their day.

Who is being targeted

Push Security and Trend Micro both noted that this is not really a Claude problem — Claude is the lure because Claude is popular. The same technique works for any developer tool people install with a copy-paste command, which today includes most of them: Homebrew, Rust, oh-my-zsh, nvm, and a long list of AI-related CLIs and MCP servers. Earlier campaigns have impersonated Homebrew and other developer tools using the same playbook.

The current Claude-themed wave hit organizations across multiple sectors and regions, with confirmed victims in government, education, electronics, and food and beverage. If you have developers, researchers, marketing analysts, or anyone in finance or operations exploring AI tools, your organization is in scope.

What to do this week

This is one of those situations where the technical fix and the policy fix both matter, and neither is hard if someone owns it.

A practical incident response playbook would include the following for IT.

First, send a written reminder to staff: do not install software based on a sponsored search result. For AI tools specifically, go directly to the vendor's official site, typed into the address bar, not clicked from search. For Anthropic's Claude tools, that means claude.com or docs.claude.com. The same goes for any other tool — go to the source, not the ad.

Second, restrict or monitor mshta.exe and obfuscated PowerShell on endpoints. Most legitimate users in finance, operations, or marketing have no reason to run either. Your EDR vendor likely has a detection rule for the AMSI patching pattern this campaign uses; turn it on. If you do not have EDR, this is one of the gaps a fractional CISO would close in the first 30 days.

Third, audit what was actually installed on company laptops in the last 60 days. If anyone installed something called Claude, Claude Code, Claude Pro, or anything with a similar name from a non-official source, isolate that machine and rebuild it. Rotate any credentials or tokens that were used on it. Do not try to clean an infostealer infection — credentials are likely already gone.

For leadership and compliance, the conversation is broader.

You probably need a written shadow-AI policy. It does not have to be long. It should say which AI tools are approved, who approves new ones, and what the procurement path looks like. Companies subject to HIPAA, PCI DSS 4.0, SOC 2, NIST CSF 2.0, or CMMC 2.0 should also document how AI tool usage maps to existing access control, data classification, and vendor management requirements. Auditors are starting to ask.

It is also worth asking your IT or cybersecurity team a simple question: if a company laptop was infected by an infostealer today, how would we know, and how fast? If the answer is "we would not" or "weeks," that is the gap to close before the next campaign. InstallFix will not be the last one.

The bigger picture: shadow AI is now an attack surface

The pattern InstallFix exploits is not a Claude problem and not a Google problem. It is a behavior problem. Pasting commands from web pages into terminals has become the default way to install developer tools, and attackers have figured out how to put their commands in that pipeline. Over the next 12 months, expect more campaigns like this — different lures, same technique. Anything trendy, easily cloned, and reachable by search ad is a candidate.

The companies that handle this best will be the ones that decided ahead of time how AI tools get adopted, who reviews them, and what an acceptable install path looks like. That is not a tooling problem. It is a security governance problem — the kind of work a fractional CISO is built for.

How Purple Shield can help

If your business is moving fast on AI and has not yet written down the rules of engagement, Purple Shield can help. Our vCISO and fractional CISO services work with leadership to build a practical AI governance approach that fits how your company actually operates — not a 40-page policy that nobody reads. Our AI security practice covers shadow AI discovery, model and tool risk reviews, and developer guardrails. And if you are in a regulated sector, our risk assessment work maps AI tool usage against the frameworks your auditors care about — HIPAA, PCI DSS, NIST CSF, NIST AI.

If you suspect a workstation has been hit by InstallFix or a similar campaign, contact us before rebuilding. The faster a compromised endpoint gets isolated, the smaller the cleanup.