Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
Summary
Hide ▲
Show ▼
Cyber threat actors ran a malicious SEO-poisoning campaign that impersonated Google Gemini CLI and Anthropic Claude Code to push malicious downloads. The operation appears to have started in early March 2026 and was assessed to target users in the US and UK. Victims were steered to fake installation pages and prompted to run PowerShell commands that fetched an infostealer. The activity matters because it harvested credentials and sensitive data from Windows endpoints and exfiltrated them to attacker-controlled C2 infrastructure.
Related Happenings
DriveSurge as an initial access broker on a pay-per-install model
Threat Actor Meta
H score41
First: 02.06.2026 01:14
Last: 02.06.2026 01:14
Sources 1
About this happening:
DriveSurge has shifted into an **initial access broker** role built around a **pay-per-install (PPI)** model, expanding monetized access delivery and increasing downstream intrusi...
DriveSurge as an initial access broker on a pay-per-install model
Threat Actor MetaAbout this happening: DriveSurge has shifted into an **initial access broker** role built around a **pay-per-install (PPI)** model, expanding monetized access delivery and increasing downstream intrusi...
Fake Claude Code installation-page infostealer campaign targeting developers
Campaign
H score33
First: 11.05.2026 17:00
Last: 11.05.2026 17:00
Sources 1
About this happening:
A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
Fake Claude Code installation-page infostealer campaign targeting developers
CampaignAbout this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
H score38
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Vidar Stealer ClickFix campaign targeting multiple sectors
CampaignAbout this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Silver Fox South Asia phishing campaign
Campaign
H score34
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Silver Fox South Asia phishing campaign
CampaignAbout this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
H score34
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
CampaignAbout this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Timeline
-
22.05.2026 14:30 2 articles · 1mo ago
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Initial DisclosureIn **early March 2026**, the operation began registering and deploying fake install domains that impersonated **Gemini CLI** and later **Claude Code**. The initial phase focused on building lure infrastructure and pushing the spoofed pages into search results.
Show sources
- Fake Gemini and Claude Code Sites Spread Infostealers Through SEO Poisoning — www.infosecurity-magazine.com — 22.05.2026 14:30
- Fake Gemini and Claude Code Sites Spread Infostealers Through SEO Poisoning — www.infosecurity-magazine.com — 22.05.2026 14:30