SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
A financially motivated cybercrime campaign uses SEO poisoning to target software developers by impersonating AI platforms and developer tools. Attackers create fake domains that rank above legitimate search results, leading victims to malicious installation pages hosting a fileless PowerShell infostealer. This malware runs entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and steals credentials from browsers, collaboration tools, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, enabling direct enterprise network access. The campaign uses bulletproof hosting and over 30 typosquatted domains registered recently, primarily targeting users in the United States and United Kingdom. No patches or official fixes are available as this is a campaign leveraging social engineering and malware delivery rather than a software vulnerability.
AI Analysis
Technical Summary
This ongoing infostealer campaign targets software developers through SEO poisoning by impersonating AI platforms such as Gemini CLI and Claude Code, and developer tools like Node.js, Chocolatey, and KeePassXC. Attackers register numerous typosquatted domains and manipulate search engine results to direct victims to malicious installation pages. The delivered malware is a fileless PowerShell-based infostealer that executes in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests sensitive credentials including OAuth tokens, CI/CD credentials, and VPN details. These stolen credentials provide attackers with direct access to enterprise networks. The campaign infrastructure includes bulletproof hosting and focuses on users in the US and UK. There is no indication of a software vulnerability or exploit; rather, the threat relies on social engineering and malware delivery techniques.
Potential Impact
The campaign results in credential theft from targeted developers, including OAuth tokens, CI/CD credentials, and corporate VPN information. This enables attackers to gain unauthorized access to enterprise networks, potentially leading to further compromise or data exfiltration. The malware evades detection by executing filelessly and disabling Windows Defender telemetry, increasing the difficulty of detection and response.
Mitigation Recommendations
As this campaign relies on SEO poisoning and social engineering rather than a software vulnerability, no patches or official fixes exist. Organizations should educate developers about the risks of downloading software from untrusted or suspicious domains, verify URLs carefully, and use endpoint protection solutions capable of detecting fileless malware and PowerShell abuse. Monitoring for typosquatted domains and blocking access to known malicious domains can help reduce risk. Since no vendor advisory or patch is available, patch status is not applicable.
Affected Countries
United States, United Kingdom
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer
- Adversary: null
- Pulse Id: 6a0f06681c6ea37a99ec7d21
- Threat Score: null
Threat ID: 6a0f367de1370fbb481d26e7
Added to database: 5/21/2026, 4:44:45 PM
Last enriched: 5/21/2026, 5:00:02 PM
Last updated: 5/21/2026, 5:50:54 PM