Back to Intelligence

ClickFix Social Engineering Campaign: Fake Claude Installer Detection and Defense

SA
Security Arsenal Team
April 16, 2026
5 min read

Social engineering remains one of the most effective initial access vectors for threat actors, and the recent resurgence of "ClickFix" campaigns proves this technique is far from obsolete. Rapid7 researchers have identified a specific ClickFix campaign actively targeting victims in the EU and US by masquerading as an installer for Anthropic’s Claude AI assistant.

As defenders, we must act on this immediately. This campaign leverages the legitimate hype surrounding AI tools to trick users into executing malicious scripts under the guise of "fixing" a browser or installation error. This isn't just a phishing annoyance; it is a precursor to payload delivery, often leading to information stealer deployment or ransomware. This post dissects the threat and provides the detection logic required to stop it.

Technical Analysis

  • Affected Products/Platforms: Windows-based environments. The lure targets users of web browsers (Chrome, Edge) seeking to install the AI tool "Claude".
  • Threat Type: Social Engineering / ClickFix / Malware Loader.
  • CVE Identifiers: Not applicable (human-driven exploit).
  • Attack Chain:
    1. Lure: The victim navigates to a malicious site hosting a fake Claude installer or is redirected via malvertising.
    2. The "Hook": Upon attempting to "install" or interact, a fake browser error or system prompt appears. It instructs the user to copy a specific command (often PowerShell or CMD) to "fix" the connection or verify the installation.
    3. Execution (The ClickFix): The user manually copies and pastes the command into a terminal (PowerShell).
    4. Payload Retrieval: The command executes a script (often obfuscated via Base64 or XOR) that reaches out to a remote server to download the malicious payload.
    5. Installation: The payload is executed on the endpoint, establishing persistence or dropping additional malware.
  • Exploitation Status: Confirmed active exploitation in the wild (EU/US). Low initial detection rates on VirusTotal suggest a need for signature-independent behavioral detection.

Detection & Response

SIGMA Rules

YAML
---
title: Potential ClickFix Activity - PowerShell Web Request
id: 8a4b2c1d-9e3f-4a5b-bc6d-1e2f3a4b5c6d
status: experimental
description: Detects PowerShell scripts attempting to download content from the internet using common cmdlets, a hallmark of ClickFix campaigns where users copy/paste malicious commands.
references:
  - https://www.rapid7.com/blog/post/ve-clickfix-phishing-campaign-fake-claude-installer
author: Security Arsenal
date: 2025/03/04
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IWR'
      - 'Invoke-RestMethod'
      - 'IRM'
      - 'DownloadString'
  filter_legit_admin:
    ParentImage|contains:
      - '\System32\'
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection and not filter_legit_admin
falsepositives:
  - Administrative scripts manually run by IT staff
level: high
---
title: PowerShell Execution Policy Bypass
id: 9b5c3d2e-0f4a-5b6c-7d8e-9f0a1b2c3d4e
status: experimental
description: Detects attempts to bypass PowerShell execution policies, frequently seen in social engineering campaigns like ClickFix to run unsigned or malicious scripts.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2025/03/04
tags:
  - attack.defense_evasion
  - attack.t1564.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'ExecutionPolicy Bypass'
      - '-ep bypass'
      - '-Exec Bypass'
falsepositives:
  - Legitimate legacy applications requiring bypass
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix indicators: PowerShell processes invoking web requests
// Often spawned by users manually pasting commands into Console Window Host
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "IEX", "Invoke-RestMethod")
| where ProcessCommandLine has_any ("http://", "https://")
| extend IsBase64 = iff(ProcessCommandLine matches regex "[A-Za-z0-9+/]{50,}={0,2}", true, false)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, IsBase64
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for PowerShell processes with web-related command line arguments typical of ClickFix
-- Look for manual invocation patterns (high entropy or specific keywords)
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "powershell.exe"
  AND (
    CommandLine =~ "Invoke-WebRequest" OR
    CommandLine =~ "DownloadString" OR
    CommandLine =~ "IEX" OR
    CommandLine =~ "Invoke-RestMethod" OR
    CommandLine =~ "http:"
  )

Remediation Script

PowerShell
# Incident Response Script: Hunt for ClickFix artifacts in User Temp directories
# ClickFix payloads often download to the user's temp folder with obfuscated names

$DateThreshold = (Get-Date).AddDays(-7)
$UserProfiles = Get-ChildItem -Path "C:\Users" -Directory -ErrorAction SilentlyContinue
$SuspiciousExtensions = @(".exe", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".dll")

Write-Host "Scanning for suspicious files created in the last 7 days..." -ForegroundColor Cyan

foreach ($Profile in $UserProfiles) {
    # Exclude system profiles
    if ($Profile.Name -in @("Public", "Default", "Default User")) { continue }

    $TempPath = Join-Path -Path $Profile.FullName -ChildPath "AppData\Local\Temp"
    if (Test-Path $TempPath) {
        Get-ChildItem -Path $TempPath -Recurse -Include $SuspiciousExtensions -ErrorAction SilentlyContinue | 
        Where-Object { $_.LastWriteTime -gt $DateThreshold -and $_.Length -gt 0 } |
        Select-Object FullName, LastWriteTime, Length, @{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}}
    }
}

Remediation

Since this is a social engineering campaign rather than a software vulnerability, remediation relies on user controls and system hardening:

  1. Block the Payloads: If specific IOCs (hashes, domains) are obtained from the Rapid7 report or your own investigations, immediately block them on your perimeter proxies, firewalls, and EDR solutions.
  2. User Awareness: Immediately notify your user base about this specific campaign. Explicitly warn them against installing "Claude" or other AI tools from unofficial sources and instruct them never to copy/paste terminal commands from web browser error messages.
  3. PowerShell Constrained Language Mode: Consider enforcing Constrained Language Mode for general users to prevent the execution of unsigned scripts and complex language features often abused in these attacks.
  4. Attack Surface Reduction (ASR) Rules: Enable the ASR rule "Block all Office applications from creating child processes" and "Block JavaScript or VBScript from launching downloaded executable content" (if applicable to your environment), though specifically focus on ASR rules that prevent PowerShell from downloading content.
  5. Browser Isolation: If available, use remote browser isolation for high-risk categories to prevent malicious code from reaching the endpoint.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemclickfixsocial-engineeringclaude-ai

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action