Fake installation guide pages for Anthropic's Claude Code have been leveraged to spread the Amatera information-stealing malware as part of a new InstallFix attack campaign, a new variant of the ClickFix social engineering method, reports BleepingComputer.Illicit website clones which have been promoted to the top of Google searches for "Claude Code install", "Claude Code CLI", and "install claude code" via Google Ads malvertising have tricked both Windows and macOS users into running commands that eventually led to the execution of the ACR Stealer-based Amatera malware-as-a-service platform, which covertly pilfers browser-stored credentials, cookies, and session tokens, as well as system information, according to Push Security researchers.Attackers have bolstered the campaign's stealth by leveraging Squarespace, Cloudflare Pages, and Tencent EdgeOne to host the malicious pages. Such a development comes just days after phony OpenClaw installers boosted by Bing's AI search results enabled the delivery of multiple infostealers and the GhostSocks proxy malware.
Malware, Threat Intelligence, AI/ML
Amatera infostealer deployed via phony Claude Code guides
(Adobe Stock)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds