216.73.217.139

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

· Published 21/05/2026 13:19 · Modified 21/05/2026 16:50

Export JSON

Essential information

Published
21/05/2026 13:19
Modified
21/05/2026 16:50
Tags
2026-05-21 ai platform impersonation credential-theft developer-targeting fileless powershell infostealer seo poisoning supply chain risk typosquatting
Related entities
34 observables, 13 others

Description

Financially motivated eCrime actors are conducting an ongoing campaign targeting software developers through techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attackers position fake domains above legitimate search results, directing victims to malicious installation pages that deliver -based malware. The malware executes entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests credentials from browsers, collaboration platforms, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, providing direct enterprise network access. The campaign leverages bulletproof hosting infrastructure and over 30 typosquatted domains registered between March and April 2026, primarily targeting users in the United States and United Kingdom.

External references