<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[(eclecticiq.com) Financially Motivated Threat Actors Exploit AI Coding Assistants in Large-Scale Infostealer Campaign]]></title><description><![CDATA[<p>(eclecticiq.com) Financially Motivated Threat Actors Exploit AI Coding Assistants in Large-Scale Infostealer Campaign</p><p>Financially motivated threat actors are exploiting AI coding assistant hype in a large-scale infostealer campaign targeting developers via SEO poisoning and typosquatted domains impersonating Gemini CLI, Claude Code, and other tools.</p><p>In brief - eCrime actors use fake AI tool installers to deploy fileless PowerShell infostealers, harvesting credentials, OAuth tokens, and VPN details from enterprise environments. The campaign poses significant supply chain risks, with stolen data enabling initial access to corporate networks.</p><p>Technically - The attack chain begins with SEO-poisoned search results leading to typosquatted domains (e.g., *-setup.com, *-cli.co.com). Victims execute a PowerShell command (irm | iex) that fetches a fileless second-stage payload, disabling ETW and AMSI for evasion. The malware extracts credentials from Windows Credential Manager, browsers (Chrome, Firefox), collaboration tools (Slack, Teams), and remote access apps (WinSCP, OpenVPN). C2 communications use endpoints like /take and /process, with data exfiltrated via encrypted channels. 
MITRE ATT&amp;CK techniques include T1189 (Drive-by Compromise), T1059.001 (PowerShell), and T1555.003 (Credentials from Web Browsers).</p><p>Source: <a href="https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" rel="nofollow noopener">https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer</a></p><p><a href="https://swecyb.com/tags/Cybersecurity" rel="tag">#Cybersecurity</a> <a href="https://swecyb.com/tags/ThreatIntel" rel="tag">#ThreatIntel</a></p>]]></description><link>https://board.circlewithadot.net/topic/a76539e8-7d53-4abe-9bff-02d7235aaaf8/eclecticiq.com-financially-motivated-threat-actors-exploit-ai-coding-assistants-in-large-scale-infostealer-campaign</link><generator>RSS for Node</generator><lastBuildDate>Mon, 25 May 2026 09:47:29 GMT</lastBuildDate><atom:link href="https://board.circlewithadot.net/topic/a76539e8-7d53-4abe-9bff-02d7235aaaf8.rss" rel="self" type="application/rss+xml"/><pubDate>Thu, 21 May 2026 10:00:31 GMT</pubDate><ttl>60</ttl></channel></rss>