SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

May 21, 2026, 4:50 p.m.

Description

Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attackers position fake domains above legitimate search results, directing victims to malicious installation pages that deliver fileless PowerShell-based infostealer malware. The malware executes entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests credentials from browsers, collaboration platforms, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, providing direct enterprise network access. The campaign leverages bulletproof hosting infrastructure and over 30 typosquatted domains registered between March and April 2026, primarily targeting users in the United States and United Kingdom.

External References

https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer
https://otx.alienvault.com/pulse/6a0f06681c6ea37a99ec7d21
Tags
typosquatting
infostealer
seo poisoning
credential theft
developer targeting
2026-05-21
ai platform impersonation
fileless powershell
supply chain risk

Date

  • Created: May 21, 2026, 1:19 p.m.
  • Published: May 21, 2026, 1:19 p.m.
  • Modified: May 21, 2026, 4:50 p.m.

Indicators

  • 9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333
  • ae8f70dad97fedecd707977ca22fd6f656c64c0dac96e03f0f4a6c04d0693f59
  • a31ae1eef3261c36b465255e624fb7ac5899bf2a9823564ba792fac8346723aa
  • 2d7a94e4a0fedcf31cdd43b06222add9d1888fecb2c5488afc658d08c3f40116
  • a6525b37b0cc5339df375e17a0c10772b50c9d425001b0c3a9dada995c7f62dd
  • dfd21a363f4994794f821d76ca61c834882a51b5c6f7b95627b70789462149e3
  • de34f2f93b74e049a08074c779a863a87a85a403594b8e220b1fba15112e6386
  • 89d634c8471382ff9c6fd966008ad5c376d7a0edae8f799eb569837170f2373d
  • 0e8c45d847f57095d9879c0da764ab02431db4d5d85f50c4fd5ba38353b79eed
  • 2d9ecc9321994558d0cc0e9d3fa9fdf600bacfe8758976d34f26f89c33bd5007
  • c213ce07b5791abd334ff749b5f05ecc6b40772d35ef4388b5f576bc3e619765
  • ae9bc11adb457930d402844bd3bf3af8ea7c13fdb7ea269fbe73877b18af1ca8
  • c416052c8ac6bfb78b7f0c46c568c528ead33501149661f1d9ecb1861269f8fa
  • efbf87447d93f4232b1169920f75c2066d19863ebc28fb2d2662353dc4ef61d8
  • c47610c9df3fb101b0e99f2ac12589db653464edf12cebaa2c67fd33fc7715f3
  • 64d2a9a49e27d89f1b3489d7db29c3a3a12b4b090f59c24b694c239cb55db262
  • 1439d30ebeac3a6ccb9545acaa350783a83cc08746cb575e59ddb0efc77d412a
  • 65e1a542bb7d995cc4aa6c71191da125f14f99ca03da7266f5b071440d6d229a
  • 7c2a9ad5fcf489d1844f51830242f6dd9dfc203be6de3ceb07a4f6dd21c9f1a3
  • 27e17661f5573f63b65e3a5cfe5bdca75acdc1911441b032781f7ebe125d9194
  • b37ee243518221017bab0eb4b54b5431571cc21e54113698ce49a89b89993754
  • bb78f024c4d8b5a6a128aacb498acad025a234a6b25fde36ff2e14601134555f
  • ff81cb9263fcde5870a0748fd6af2d30a4ba864415c15ca14827d0dd723eb60c
  • 5071921cb1ca369fe8f7af522a00373c8c85e4357f7ea1879d2cb4ae791797d6
  • 80ffc86673bd8c8bd5862bbe961323a822b23c94df48c685162c571445552faa
  • a1c5e1d9bdc1a931c11ac6fdfdff1fbc69ff88521cf443cb174f9720a05fe72d
  • be2ff065a232a3a6f187f9fb03a6c1b368dff3d2ba0966777b1f5503aa5ecd16
  • aa350580ae5ea46544ffa15c324ab4225dff0dcc5842ac5ca8e2dc4018e5ffad
  • 5c6a2c73f59fd8defbf118f87e5c88ba62e3067f8e8c0ed104f3f188fa0d959d
  • www.pinvoke.net
  • http://events.msft23.com/process
  • https://geminicli.com/
  • https://www.pinvoke.net/default.aspx/advapi32.credwrite
  • https://community.chocolatey.net/install.ps1|iex
Download all indicators here!

Additional Informations

  • Technology
  • claude-setup.com
  • chocolatey.net
  • community.chocolatey.net
  • get-monero.co.uk
  • gemini-setup.com
  • api.bio9438.com
  • olive3451.com
  • events.msft23.com
  • events.ms709.com
  • metrics.msft17.com
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America