Find notable cyber news and cases, enriched with sources, timelines, and signals.

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

Cyber threat actors ran a malicious SEO-poisoning campaign that impersonated Google Gemini CLI and Anthropic Claude Code to push malicious downloads. The operation appears to have started in early March 2026 and was assessed to target users in the US and UK. Victims were steered to fake installation pages and prompted to run PowerShell commands that fetched an infostealer. The activity matters because it harvested credentials and sensitive data from Windows endpoints and exfiltrated them to attacker-controlled C2 infrastructure.

Related Happenings

DriveSurge as an initial access broker on a pay-per-install model

Threat Actor Meta
H score41 First: 02.06.2026 01:14 Last: 02.06.2026 01:14 Sources 1

About this happening: DriveSurge has shifted into an **initial access broker** role built around a **pay-per-install (PPI)** model, expanding monetized access delivery and increasing downstream intrusi...

Fake Claude Code installation-page infostealer campaign targeting developers

Campaign
H score33 First: 11.05.2026 17:00 Last: 11.05.2026 17:00 Sources 1

About this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
H score38 First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

Silver Fox South Asia phishing campaign

Campaign
H score34 First: 24.03.2026 18:00 Last: 24.03.2026 18:00 Sources 1

About this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...

Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims

Campaign
H score34 First: 11.03.2026 16:45 Last: 11.03.2026 16:45 Sources 1

About this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...

Timeline

  1. 22.05.2026 14:30 2 articles · 1mo ago

    Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

    Initial Disclosure

    In **early March 2026**, the operation began registering and deploying fake install domains that impersonated **Gemini CLI** and later **Claude Code**. The initial phase focused on building lure infrastructure and pushing the spoofed pages into search results.

    Show sources