Infostealers disguised as AI developer tools are spreading rapidly through sponsored search results, exploiting developers who search for legitimate installation guides. The attack, tracked as InstallFix, clones the download pages of tools like Claude Code and OpenClaw, replacing authentic installation commands with malware that harvests browser data, system credentials, and—in a troubling escalation—the configuration files that power AI agents.
Key Takeaways
- Fake installation pages for Claude Code and OpenClaw appear in sponsored Google Ads and Bing search results.
- Amatera Stealer, a 2025 infostealer, uses hardcoded CDN IPs to hide its command-and-control infrastructure from detection.
- Over 42,000 exposed OpenClaw instances discovered; three critical CVEs enable remote code execution and authentication bypass.
- Infostealers now target AI agent configuration files, stealing gateway tokens and memory files for account takeover.
- GhostSocks and Atomic macOS Stealer variants provide persistence and privilege escalation across Windows and macOS.
How the InstallFix Attack Works
The attack chain is deceptively simple. A developer searches for “Claude Code install” or “OpenClaw CLI” and encounters a sponsored result pointing to a cloned installation page that looks identical to the legitimate one. The attacker has swapped the actual installation command for a malicious variant. When the developer copies and executes the command, it drops Amatera Stealer, a successor to ACR Stealer that exfiltrates browser cookies, session tokens, and system information.
What makes this approach effective is its reliance on search advertising. Push Security discovered that attackers are bidding on installation-related keywords in Google Ads and leveraging AI-enhanced Bing search results to surface their cloned pages ahead of legitimate ones. The fake pages are nearly pixel-perfect replicas, and developers moving quickly—eager to install a tool—rarely scrutinize the domain or URL carefully enough to notice the difference.
The Amatera payload uses a particularly clever evasion technique: it routes command-and-control traffic through hardcoded IP addresses belonging to legitimate content delivery networks like Cloudflare Pages, Squarespace, and Tencent EdgeOne. This disguises malicious traffic as ordinary web requests, making it harder for network defenders to flag the infection.
Infostealers Disguised as AI Developer Tools Now Target Agent Credentials
The shift from stealing browser data to harvesting AI agent configuration files marks a significant evolution in infostealer tactics. Hudson Rock detected live infections where the Amatera payload exfiltrated OpenClaw configuration files—specifically the openclaw.json file, which contains gateway authentication tokens, workspace paths, and email addresses associated with the agent.
OpenClaw, an open-source AI agent framework for tasks like email management and scheduling, stores sensitive data in plaintext JSON files on the user’s system. When an infostealer compromises a machine, it can grab not just the agent’s credentials but also device.json (containing cryptographic keys) and “soul” files (the agent’s memory and identity data). Hudson Rock researchers noted: “This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the ‘souls’ and identities of personal AI agents”.
An attacker with these files can impersonate the victim’s AI agent, access linked email accounts, trigger scheduled tasks, and potentially pivot into connected systems. The gateway token acts as a master key—Hudson Rock described it as “the central nervous system for the agent,” granting full remote control.
Critical Vulnerabilities in OpenClaw Compound the Risk
OpenClaw itself carries three critical vulnerabilities with severity ratings between 9.4 and 9.6, including remote code execution, authentication bypass, and command injection flaws. Over 42,000 exposed instances of OpenClaw have been identified, many running vulnerable versions. These CVEs, combined with prompt injection risks (where external emails or websites can manipulate the agent into executing unintended commands), create multiple pathways for attackers to gain control.
The fake OpenClaw GitHub repositories discovered by Huntress push additional payloads tailored to each operating system. On Windows, the installer drops GhostSocks—a backconnect proxy also used by BlackBasta ransomware—which establishes persistence through user registry keys and allows attackers to tunnel traffic through the compromised machine. On macOS, the fake installer decrypts and deploys Atomic macOS Stealer (AMOS), which uses techniques like Stealth Packer for memory injection, firewall rule manipulation, and anti-VM checks to evade detection.
Why Search Advertising Makes This Attack Scalable
Traditional malware distribution relies on phishing emails or compromised websites—tactics that trigger user suspicion. InstallFix inverts this: it leverages the trust developers place in search results and the legitimacy of paid advertising. When a developer sees a sponsored result for “Claude Code install,” they assume Google or Bing has vetted it. The attacker bids on high-intent keywords (installation queries) where the victim is actively seeking the tool, eliminating the need for social engineering.
This approach scales efficiently. The attacker registers domains that mimic the legitimate tool’s installation page, maintains a handful of fake pages across different tool names (Claude Code, OpenClaw, etc.), and lets the search engines’ own ad networks amplify the reach. Each click is a potential infection.
What Developers Should Do Right Now
The immediate mitigation is verification. Before running any installation command, developers should confirm they are on the official domain—not a lookalike. For Claude Code, that means Anthropic’s official documentation. For OpenClaw, the legitimate GitHub repository. Copy the installation command directly from the official source, never from a search result or ad.
Developers who have already installed Claude Code, OpenClaw, or similar AI tools should assume their systems may be compromised. Run a full antivirus scan, reset browser passwords and authentication tokens, and audit any connected accounts (email, cloud storage, API keys). If you use OpenClaw, rotate your gateway tokens immediately and check for unauthorized agent activity.
Organizations should implement DNS filtering to block access to known malicious domains, enforce application whitelisting to prevent unsigned executables from running, and monitor outbound traffic for suspicious connections to unusual IPs—especially those that resolve to CDN infrastructure.
Is OpenClaw safe to use after these discoveries?
OpenClaw itself is open-source and not inherently unsafe, but the framework’s reliance on plaintext configuration files and the existence of critical unpatched vulnerabilities make it a high-value target. Users should only deploy OpenClaw in isolated, non-production environments until patches are available, and should never store sensitive credentials in agent configuration files.
How can I tell if my installation was legitimate?
Check the domain in your browser’s address bar before downloading or copying any installation command. Legitimate tools use official company domains (e.g., anthropic.com, the official GitHub repository URL). If the domain looks similar but slightly different, or if the page is hosted on a third-party domain, it is a red flag. Always navigate to the official website directly rather than clicking a search result.
Will this affect non-developers using AI tools?
This specific attack targets developers installing CLI tools and AI frameworks, so non-technical users of ChatGPT, Claude, or other consumer AI services are not directly at risk from InstallFix. However, the underlying threat—infostealers evolving to target AI agent credentials—signals a broader shift in attacker priorities. As more people deploy personal AI agents, the incentive to steal their configuration and identity data will only grow.
The InstallFix campaign exposes a vulnerability in how developers discover and install tools: the assumption that search results and sponsored ads are trustworthy. Until search engines implement stronger verification of installation-related ads, or until developers adopt habits like copying commands directly from official documentation, this attack vector will remain effective. The evolution from stealing browser cookies to harvesting AI agent souls represents a qualitative shift in what attackers value—and what defenders must protect.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar
