Threat actors are using a social engineering technique called InstallFix, which leverages fake installation guides for popular command-line interface (CLI) tools like Claude Code. These guides, promoted through malvertising on Google Ads, trick users into executing malicious commands that download and install the Amatera Stealer, an information-stealing malware.