Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

Cyber threat actors ran a malicious SEO-poisoning campaign that impersonated Google Gemini CLI and Anthropic Claude Code to push malicious downloads. The operation appears to have started in early March 2026 and was assessed to target users in the US and UK. Victims were steered to fake installation pages and prompted to run PowerShell commands that fetched an infostealer. The activity matters because it harvested credentials and sensitive data from Windows endpoints and exfiltrated them to attacker-controlled C2 infrastructure.

Related Happenings

Fake Claude Code installation-page infostealer campaign targeting developers

Campaign
First: 11.05.2026 17:00 Last: 11.05.2026 17:00 Sources 1

About this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...

Open Happening

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

Open Happening

Silver Fox South Asia phishing campaign

Campaign
First: 24.03.2026 18:00 Last: 24.03.2026 18:00 Sources 1

About this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...

Open Happening

Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims

Campaign
First: 11.03.2026 16:45 Last: 11.03.2026 16:45 Sources 1

About this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...

Open Happening

OpenClaw fake installer GitHub campaign promoted by Bing AI

Campaign
First: 06.03.2026 00:37 Last: 06.03.2026 00:37 Sources 1

About this happening: A **last month** campaign used **fake OpenClaw installers** on **GitHub** and **Bing AI**-promoted search results to push **malware loaders** and **infostealers** to people trying...

Latest development: 09.03.2026 20:31

A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.

Open Happening

Timeline

  1. 22.05.2026 14:30 2 articles · 5d ago

    Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

    Initial Disclosure

    In **early March 2026**, the operation began registering and deploying fake install domains that impersonated **Gemini CLI** and later **Claude Code**. The initial phase focused on building lure infrastructure and pushing the spoofed pages into search results.

    Show sources
    Open in new tab