{
  "Event": {
    "analysis": "1",
    "date": "2026-03-06",
    "extends_uuid": "",
    "info": "[Threat Intel] InstallFix: How attackers are weaponizing malvertized install guides",
    "protected": false,
    "publish_timestamp": "1773997323",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1773997322",
    "uuid": "7b46a3ba-cc12-402e-b3ac-83d117466750",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#8b05c0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1123\"",
        "relationship_type": ""
      },
      {
        "colour": "#3eb869",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Data Staging - T1074.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c8fe6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Email Collection - T1114.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#30f613",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054025",
        "to_ids": false,
        "type": "link",
        "uuid": "f7998d15-262a-4f89-bf75-c1326ec5cd2d",
        "value": "https://pushsecurity.com/blog/installfix/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054025",
        "to_ids": false,
        "type": "text",
        "uuid": "18cf0893-e41f-4d55-9d27-cb99d49aa209",
        "value": "A new attack technique called InstallFix targets users by cloning popular developer tool installation pages and presenting malicious install commands. Attackers distribute these fake pages through Google Ads, exploiting users' trust in familiar 'curl to bash' installation methods. The campaign specifically targets Claude Code users, delivering the Amatera Stealer malware. This technique bypasses email security controls and exploits the growing trend of non-technical users adopting developer tools. The attack leverages legitimate hosting services and is part of a broader trend targeting AI-related tools. The payload uses staged execution and various evasion techniques to avoid detection."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054025",
        "to_ids": false,
        "type": "text",
        "uuid": "10f1db11-b6d1-454b-8c31-b8e91fde9f51",
        "value": "Name: InstallFix: How attackers are weaponizing malvertized install guides\nAuthor: AlienVault\nAdversary: \nTags: [\"social engineering\", \"google ads\", \"claude code\", \"installfix\", \"malvertising\", \"amatera stealer\"]\nTgtd countries: []\nMlwr families: [\"Amatera Stealer\"]\nAttack_ids: [\"T1113\", \"T1056.001\", \"T1123\", \"T1074.001\", \"T1036.005\", \"T1114.001\", \"T1204.002\", \"T1082\", \"T1005\", \"T1055\", \"T1083\", \"T1218.005\", \"T1528\", \"T1057\", \"T1027\", \"T1102.002\", \"T1059.003\", \"T1071.001\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 12/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276079",
        "to_ids": true,
        "type": "sha256",
        "uuid": "1ee4c2fd-b8e5-4a78-8076-2e3797d7c2fa",
        "value": "8d2d275360adedecfbbd91567daddeed80d20aceb8aa4320d06a21486493945b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277598",
        "to_ids": true,
        "type": "url",
        "uuid": "2125de18-0630-4477-ae9e-4f2fda498e7f",
        "value": "http://contatoplus.com/curl/8d2d275360adedecfbbd91567daddeed80d20aceb8aa4320d06a21486493945b",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277619",
        "to_ids": true,
        "type": "url",
        "uuid": "e9b6b399-24f4-4ac4-9db2-e99349c7301f",
        "value": "http://saramoftah.com/curl/958ca005af6a71be22cfcd5de82ebf5c8b809b7ee28999b6ed38bfe5d19420",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277640",
        "to_ids": true,
        "type": "url",
        "uuid": "e6bda447-15b3-4fc3-8fcc-b6688bfad839",
        "value": "https://claude.update-version.com/claude",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277661",
        "to_ids": true,
        "type": "url",
        "uuid": "5f946a34-e085-4825-aaa7-42c8b4fc683e",
        "value": "https://saramoftah.com/n8n/update",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277682",
        "to_ids": true,
        "type": "url",
        "uuid": "7a8abb2f-92fa-4859-b0fb-6ce003f82342",
        "value": "https://some.website",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277703",
        "to_ids": true,
        "type": "domain",
        "uuid": "42ea4e83-73bc-4347-85f4-90736d389d7c",
        "value": "claude-code-macos.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277725",
        "to_ids": true,
        "type": "domain",
        "uuid": "47134805-7462-409c-b3a3-316e6b83d31b",
        "value": "contatoplus.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277746",
        "to_ids": true,
        "type": "domain",
        "uuid": "916b1ea0-b175-4929-b16e-6f1019164827",
        "value": "sarahmoftah.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277767",
        "to_ids": true,
        "type": "domain",
        "uuid": "30e6f29e-385f-46b0-a3a2-6ca20d07049a",
        "value": "saramoftah.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277788",
        "to_ids": true,
        "type": "domain",
        "uuid": "3f9ffdcd-4545-409d-85b8-e982694a3393",
        "value": "some.website",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277810",
        "to_ids": true,
        "type": "hostname",
        "uuid": "71db14ec-dfe4-4dc5-a4f8-6542caaf5ea8",
        "value": "claude.update-version.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277831",
        "to_ids": true,
        "type": "hostname",
        "uuid": "af0a4a54-c550-4762-b5e7-cb6e3a6d375f",
        "value": "asdasdasdadsvvvvv.pages.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277853",
        "to_ids": true,
        "type": "hostname",
        "uuid": "bfa4b739-0777-4802-9de2-2ac7a0d2b920",
        "value": "cladueall.pages.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277874",
        "to_ids": true,
        "type": "hostname",
        "uuid": "31d3309e-759f-4d95-86fc-ee9fa2ef8ed6",
        "value": "claud-code.pages.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277895",
        "to_ids": true,
        "type": "hostname",
        "uuid": "23ad9630-7130-4e8d-956d-2046dafab07d",
        "value": "claude-code-docs-dvlr2jpuuw.edgeone.app",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277916",
        "to_ids": true,
        "type": "hostname",
        "uuid": "66eff214-62d2-4dd4-9ab2-0117fe928959",
        "value": "claude-code-docs-site.pages.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277937",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9eaa2084-9afc-4e91-b69c-a68e0b058ffc",
        "value": "claude-code-install.squarespace.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277959",
        "to_ids": true,
        "type": "hostname",
        "uuid": "960f8b4c-4a2d-46da-828b-2830f45c3bee",
        "value": "claudecode-developers.squarespace.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277980",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2ee608bd-0411-4c3a-80e9-f7fadb25c1e7",
        "value": "claulastver.squarespace.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278002",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5f102022-d04c-4872-a842-a2ab5cc19aae",
        "value": "nnnnnnnnnnnnnnnnnnnnn.pages.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278023",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8a41d09c-18ac-4fe6-bb63-e4e13ccd5763",
        "value": "vdsafsaf.it.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278045",
        "to_ids": true,
        "type": "hostname",
        "uuid": "cf674cb6-3897-429c-9ac9-c9d4179ecf6c",
        "value": "myclauda.it.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278066",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a2df42c1-bc26-49b3-93fb-18b5a16ee32b",
        "value": "jhgyuifyfiguohi.pages.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278088",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7cda65d6-9b7a-43c2-bab7-970edd6c5361",
        "value": "hgjbulk.pages.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278109",
        "to_ids": true,
        "type": "url",
        "uuid": "3ecbe928-fe69-4b32-9aac-3363a716f696",
        "value": "asdasdasdadsvvvvv.pages.dev/",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278130",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c11114b0-a776-4de2-9c5c-4b5bb8c96c15",
        "value": "claude-code-update.squarespace.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}