Hackers Use SEO Poisoning to Impersonate Gemini CLI and Claude Code Installers

HomeCyber Security News Hackers Use SEO Poisoning to Impersonate Gemini CLI and Claude Code Installers By Tushar Subhra Dutta May 26, 2026 Hackers are targeting software developers by creating fake installation pages for two popular AI coding tools, Gemini CLI and Claude Code. The attackers are using a technique called SEO poisoning to push their malicious websites above real ones in search results, tricking developers into running dangerous commands on their own machines. The campaign began surfacing in early March 2026 and has expanded beyond AI tools. Victims are lured to fake pages nearly identical to official installation guides, where they paste a single PowerShell command into their terminal. That one action quietly deploys a powerful infostealer capable of draining credentials, session tokens, and sensitive files. EclecticIQ analysts identified this ongoing campaign and found that the malware runs entirely in memory through PowerShell, leaving no files on disk.  EclecticIQ said in a report shared with Cyber Security News (CSN) that the infostealer harvests credentials from a wide range of applications before exfiltrating the results in encrypted form to a command-and-control server. The stolen data includes OAuth tokens, CI/CD credentials, corporate VPN details, and session cookies from platforms like Slack, Microsoft Teams, Discord, and Telegram. A valid session cookie lets an attacker step directly into a victim’s workspace, bypassing both passwords and multi-factor authentication. This access fuels demand in underground access broker markets. Beyond credential theft, the malware gives attackers the ability to run additional code on infected machines remotely. While no persistence mechanism was found in the script, this capability means operators can follow up with deeper intrusions, turning a single developer workstation into an enterprise-wide breach. Hackers Use SEO Poisoning The infection chain is simple but effective. A developer searches for how to install Gemini CLI or Claude Code, and the top result looks exactly like the official page. In the Gemini campaign, victims were directed to geminicli[.]co[.]com, which prompted a PowerShell command that silently downloads an infostealer payload called Install.ps1 from gemini-setup[.]com. Impersonation of Gemini CLI installation page (Source – EclecticIQ) What makes this trick so convincing is that the real Gemini CLI installs in parallel. The genuine npm package completes in the terminal, giving users every reason to believe nothing went wrong. By the time the tool is ready, the infostealer has already finished collecting and sending the victim’s data. Malicious instruction used to deliver infostealer downloader (Source – EclecticIQ) The Claude Code campaign followed the same playbook. On March 30, 2026, the threat actor registered claudecode[.]co[.]com and claude-setup[.]com using identical naming patterns. The cloned page matched official documentation closely enough to deceive most users, and exfiltrated data was sent to events[.]ms709[.]com. Similarities of domain names between two AI platform impersonation campaigns (Source – EclecticIQ) EclecticIQ analysts pivoted from those domains using passive DNS records and uncovered a cluster of over 30 malicious domains also impersonating Node.js, Chocolatey, KeePassXC, and Monero. Most were registered between late March and early April 2026, pointing to a coordinated, active campaign. Fileless PowerShell Stealer Built to Evade Detection Once the second-stage payload runs, it immediately disables core Windows defenses. It patches Event Tracing for Windows to suppress logging and bypasses the Antimalware Scan Interface, letting the rest of the script run undetected. Final PowerShell infostealer disabling ETW (Source – EclecticIQ) The script spans roughly 6,800 lines of junk code and includes a sandbox check to avoid analysis environments. The stealer loads three C# components at runtime to probe deep into the host. One dumps Windows Credential Manager entries, another captures screen resolution for fingerprinting, and a third lists running processes through the Restart Manager API to sidestep detection. De-obfuscated C2 server and staging URL paths embedded in the PowerShell script (Source – EclecticIQ) Everything runs inside PowerShell without writing a single file to disk. To defend against this threat, EclecticIQ recommends hunting for the irm | iex pattern in command-line logs and alerting on hidden PowerShell executions. Enforcing PowerShell Constrained Language Mode, using FIDO keys for privileged accounts, and deploying short-lived OAuth tokens can meaningfully limit the damage if credentials are stolen.  Indicators of Compromise (IoCs):- Type Indicator Description Domain geminicli[.]co[.]com Fake Gemini CLI installation page Domain gemini-setup[.]com Hosts infostealer downloader payload (Install.ps1) Domain claudecode[.]co[.]com Fake Claude Code installation page Domain claude-setup[.]com Hosts Claude Code infostealer payload Domain events[.]msft23[.]com C2 server for Gemini CLI campaign Domain events[.]ms709[.]com C2 server for Claude Code campaign Domain api[.]bio9438[.]com Attacker-controlled infrastructure Domain claudecode-install[.]co[.]com Attacker-controlled domain Domain openclow[.]co[.]com Attacker-controlled domain Domain geninicli[.]co[.]com Attacker-controlled domain (typosquat) Domain keepassxc[.]us[.]org Fake KeePassXC impersonation domain Domain claude-code[.]co[.]com Attacker-controlled domain Domain chocolatey[.]net Attacker-controlled Chocolatey impersonation Domain chocolatey-setup[.]co[.]com Fake Chocolatey installation page Domain get-monero[.]co[.]uk Fake Monero impersonation domain Domain getmonero[.]us[.]com Fake Monero impersonation domain Domain metrics[.]msft17[.]com Attacker-controlled infrastructure Domain claude-setup[.]com Payload staging domain Domain keepassxc[.]us[.]com Fake KeePassXC impersonation domain Domain olive3451[.]com Attacker-controlled domain Domain chocolatey-download[.]co[.]com Fake Chocolatey download domain Domain chocolatey[.]co[.]com Fake Chocolatey impersonation domain IP Address 109.107.170[.]111 Netherlands-based bulletproof hosting (MIRhosting) SHA-256 ff81cb9263fcde5870a0748fd6af2d30a4ba864415c15ca14827d0dd723eb60c Infostealer payload hash SHA-256 9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333 Infostealer payload hash SHA-256 89d634c8471382ff9c6fd966008ad5c376d7a0edae8f799eb569837170f2373d Infostealer payload hash SHA-256 be2ff065a232a3a6f187f9fb03a6c1b368dff3d2ba0966777b1f5503aa5ecd16 Infostealer payload hash SHA-256 a1c5e1d9bdc1a931c11ac6fdfdff1fbc69ff88521cf443cb174f9720a05fe72d Infostealer payload hash SHA-256 bb78f024c4d8b5a6a128aacb498acad025a234a6b25fde36ff2e14601134555f Infostealer payload hash SHA-256 a6525b37b0cc5339df375e17a0c10772b50c9d425001b0c3a9dada995c7f62dd Infostealer payload hash SHA-256 b37ee243518221017bab0eb4b54b5431571cc21e54113698ce49a89b89993754 Infostealer payload hash SHA-256 aa350580ae5ea46544ffa15c324ab4225dff0dcc5842ac5ca8e2dc4018e5ffad Infostealer payload hash SHA-256 65e1a542bb7d995cc4aa6c71191da125f14f99ca03da7266f5b071440d6d229a Infostealer payload hash SHA-256 64d2a9a49e27d89f1b3489d7db29c3a3a12b4b090f59c24b694c239cb55db262 Infostealer payload hash SHA-256 2d7a94e4a0fedcf31cdd43b06222add9d1888fecb2c5488afc658d08c3f40116 Infostealer payload hash File Name Install.ps1 First-stage infostealer downloader PowerShell script Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Anthropic’s Restricted Claude Mythos Moves Toward Public Release via Claude Code and Security Critical Memcached SASL Vulnerability Let Attackers Infer Valid Usernames GraphWorm Malware Uses Microsoft OneDrive as Command-and-Control Infrastructure Two U.S. Executives Plead Guilty in India-Based Tech-Support Fraud Schemes Phishing Services Use RCS and iMessage to Bypass Traditional SMS Security Filters Latest News Cyber Security News Apache CXF LDAP Injection Vulnerability Let Attacker Retrieve Arbitrary Certificates Cyber Security News ConnectWise Automate Vulnerability Let Attackers Bypass Security Checks Cyber Security News EU Finalizes Record DMA Fine Against Google Over Search Self-Preferencing Abuse Cyber Security News Phishing Services Use RCS and iMessage to Bypass Traditional SMS Security Filters Cyber Security News Payload Ransomware Uses ChaCha20 and Curve25519 ECDH to Encrypt Windows Files