InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise

    Date: 05/06/2026

    Severity: High

    Summary

    The InstallFix campaign is a social engineering attack targeting users searching for Anthropic’s Claude AI through fake installation pages promoted via Google Ads. It uses convincing, OS-specific instructions to trick users into executing malicious PowerShell commands. These commands trigger a multi-stage infection chain involving mshta.exe, obfuscated scripts, and fileless payloads. Advanced evasion tactics include AMSI bypass, disabled SSL validation, and unique command-and-control URLs for each victim. The campaign impacts multiple regions and industries, using persistence mechanisms like scheduled tasks and communicating with attacker-controlled servers.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    download-version.1-5-8.com

    hosted-by.yeezyhost.net

    oakenfjrod.ru

    https://download-version.1-5-8.com/claude.msixbundle

    https://<victim_md5>.oakenfjrod.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1

    IP Addresses:

    77.91.97.244

    185.177.239.255

    104.21.0.95

    Hashes (SHA-256):

    2b99ade9224add2ce86eb836dcf70040315f6dc95e772ea98f24a30cdf4fdb97

    ec1206989449d30746b5ceb2b297cda9f3f09636a0e122ecafb40b1dc2e86772

    2f04ba77bb841111036b979fc0dab7fcbae99749718ae1dd6fd348d4495b5f74

    Filenames:

    claude.msixbundle

    cloude-91267b64-989f-49b4-89b4-984e0154d4d1

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "download-version.1-5-8.com" or url like "download-version.1-5-8.com" or siteurl like "download-version.1-5-8.com" or domainname like "oakenfjrod.ru" or url like "oakenfjrod.ru" or siteurl like "oakenfjrod.ru" or domainname like "https://download-version.1-5-8.com/claude.msixbundle" or url like "https://download-version.1-5-8.com/claude.msixbundle" or siteurl like "https://download-version.1-5-8.com/claude.msixbundle" or domainname like "hosted-by.yeezyhost.net" or url like "hosted-by.yeezyhost.net" or siteurl like "hosted-by.yeezyhost.net" or domainname like "https://%.oakenfjrod.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1" or url like "https://%.oakenfjrod.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1" or siteurl like "https://%.oakenfjrod.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1"

    In the last three clauses the "%" wildcard stands in for the per-victim MD5 subdomain of the C2 URL, which differs for every infected host.

    Detection Query 2:

    dstipaddress IN ("77.91.97.244","185.177.239.255","104.21.0.95") or srcipaddress IN ("77.91.97.244","185.177.239.255","104.21.0.95")

    Detection Query 3:

    sha256hash IN ("ec1206989449d30746b5ceb2b297cda9f3f09636a0e122ecafb40b1dc2e86772","2f04ba77bb841111036b979fc0dab7fcbae99749718ae1dd6fd348d4495b5f74","2b99ade9224add2ce86eb836dcf70040315f6dc95e772ea98f24a30cdf4fdb97")

    Detection Query 4:

    resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("claude.msixbundle","cloude-91267b64-989f-49b4-89b4-984e0154d4d1")

    Detection Query 5:

    technologygroup = "EDR" and objectname IN ("claude.msixbundle","cloude-91267b64-989f-49b4-89b4-984e0154d4d1")
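    The queries above compare literal strings, which is fragile for the C2 URL because its subdomain is the victim's MD5 and never repeats. The following Python checker is an added example, not Gurucul's or Trend Micro's code: it applies the advisory's indicators to normalised log records, using a regular expression for the per-victim C2 host and a suffix match for the domains. The record field names (url, domain, src_ip, dst_ip, sha256) and the sample records are constructed assumptions.

```python
import re
# Indicators from the advisory above (domains, IPs, SHA-256 hashes).
IOC_DOMAINS = {"download-version.1-5-8.com", "hosted-by.yeezyhost.net", "oakenfjrod.ru"}
IOC_IPS = {"77.91.97.244", "185.177.239.255", "104.21.0.95"}
IOC_SHA256 = {
    "2b99ade9224add2ce86eb836dcf70040315f6dc95e772ea98f24a30cdf4fdb97",
    "ec1206989449d30746b5ceb2b297cda9f3f09636a0e122ecafb40b1dc2e86772",
    "2f04ba77bb841111036b979fc0dab7fcbae99749718ae1dd6fd348d4495b5f74",
}
# The C2 URL is unique per victim: its subdomain is the victim's MD5, so a literal
# string comparison never fires. Match any 32-hex label before the known suffix.
C2_URL_RE = re.compile(
    r"^https?://[0-9a-f]{32}\.oakenfjrod\.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1",
    re.IGNORECASE,
)

def domain_hit(host: str):
    """Exact or subdomain match against IOC_DOMAINS (x.evil.tld matches evil.tld)."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

def check_record(rec: dict) -> list:
    """Return the indicator types one normalised log record matches (empty = clean)."""
    hits = []
    if C2_URL_RE.match(rec.get("url", "")):
        hits.append("c2_url")
    d = domain_hit(rec.get("domain", ""))
    if d:
        hits.append("domain:" + d)
    for field in ("src_ip", "dst_ip"):
        if rec.get(field) in IOC_IPS:
            hits.append("ip:" + rec[field])
    if rec.get("sha256", "").lower() in IOC_SHA256:
        hits.append("sha256")
    return hits

# Constructed sample records (proxy, DNS, EDR file event); not from the advisory.
SAMPLE_LOGS = [
    {"domain": "download-version.1-5-8.com", "url": "https://download-version.1-5-8.com/claude.msixbundle", "dst_ip": "104.21.0.95"},
    {"domain": "d41d8cd98f00b204e9800998ecf8427e.oakenfjrod.ru", "url": "https://d41d8cd98f00b204e9800998ecf8427e.oakenfjrod.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1"},
    {"domain": "claude.ai", "dst_ip": "203.0.113.10"},
    {"sha256": "EC1206989449D30746B5CEB2B297CDA9F3F09636A0E122ECAFB40B1DC2E86772"},
]

def scan(records):
    # (index, hits) for every record that matches at least one indicator
    return [(i, h) for i, r in enumerate(records) if (h := check_record(r))]
```

    Running scan(SAMPLE_LOGS) flags records 0, 1 and 3; the legitimate claude.ai lookup in record 2 is not flagged.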

    Reference:

    https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html

    Tags: Threat Actor, Social Engineering, Obfuscation, AI