Financial Threat Actors Target AI Developers with Sophisticated Infostealer Campaign
In a concerning turn of events, a group of financially motivated threat actors has launched an active campaign, targeting developer workstations worldwide by impersonating Google’s Gemini Command Line Interface (CLI) and Anthropic’s Claude Code. This initiative employs SEO poisoning techniques to distribute a fileless PowerShell infostealer, marking a significant escalation in supply-chain-focused eCrime specifically aimed at artificial intelligence (AI) developer tooling.
The campaign was first identified by researchers from EclecticIQ in early March 2026, reflecting a calculated expansion in tactics for infiltrating developer environments. Using a routine web search, unsuspecting victims are lured to sites masquerading as legitimate platforms, where a robust suite of black-hat SEO strategies come into play. These include keyword stuffing, the establishment of private link networks, and artificial inflation of click metrics to elevate attacker-controlled domains in search engine results, often above those of legitimate vendors.
When developers searching for “Gemini CLI” inadvertently navigate to the illegitimate domain geminicli[.]co[.]com, they find themselves victims of a sophisticated subterfuge. Simultaneously, users looking for Claude Code are rerouted to claudecode[.]co[.]com. The attackers have registered these domains to appear credible, leveraging the .co.com suffix to present a façade of authenticity.
Another overlap emerges in a separate campaign identified by researchers as InstallFix, which disseminates a similar array of deceptive installation pages through Google Ads. This method ensures that the attackers pay to get their pages displayed prominently in search results, further enhancing the likelihood of developer encounters with their malicious sites.
EclecticIQ researchers have confirmed that this alarming trend has impacted various sectors, including government, electronics, education, and food and beverage industries across multiple regions, including the Americas, Asia-Pacific, Europe, and AMEA.
The social engineering aspect of this attack is notably simple yet effective. Victims are presented with visually cloned installation pages that prompt them to copy and paste a single PowerShell command into their terminals. This method’s success lies in the initial stage’s script, which executes two functions concurrently. As a concealed Shell.Application COM object silently retrieves and executes a second-stage infostealer from gemini-setup[.]c[.]com through the command “irm | iex,” the same script simultaneously runs the legitimate command npm install -g @google/gemini-cli in the visible terminal, creating the illusion that the developer is engaging with a safe process.
For those attempting to install the Claude Code variant, monitoring from EclecticIQ has revealed that the malicious payload employs mshta.exe to target download-version[.]1-5-8[.]com. This retrieves a ZIP/HTA polyglot file containing genuine Microsoft Bing packages paired with a harmful HTA payload in a dual-format configuration designed to elude detection mechanisms.
Once active, the PowerShell payload goes to work immediately, disabling Event Tracing for Windows (ETW) and bypassing the Antimalware Scan Interface (AMSI) prior to executing its data collection activities. With a complex obfuscated script that spans roughly 6,800 lines, it seeks out a wide array of sensitive information. This data collection includes credentials from web browsers such as Chrome, Edge, Brave, and Firefox, as well as session tokens from popular collaboration platforms like Slack, Teams, Discord, Zoom, and Telegram. The infostealer is also capable of extracting configurations from tools such as WinSCP, PuTTY, and OpenVPN, alongside OAuth tokens, SSH keys, and CI/CD credentials, creating a vast reservoir of exploitable data.
Stolen session cookies from collaborative platforms enable attackers to bypass multifactor authentication (MFA), significantly increasing the value of the accessed information within access broker markets.
In their investigative efforts, researchers at EclecticIQ conducted passive DNS pivots from the campaign’s secured host at 109.107.170[.]111, which is based in the Netherlands. This investigation unearthed a cluster of over 30 domains that similarly masquerade as Node.js, Chocolatey, KeePassXC, and Monero, showcasing the threat actors’ strategy of rotating lure brands and command-and-control (C2) hostnames.
The campaign appears to have a substantial focus on the United States and United Kingdom, as indicated by the observed patterns of TLDs such as .us.com, .us.org, and .co.uk.
Indicators of Compromise and Recommendations
The threat landscape posed by these recent incidents suggests that security teams must take proactive measures to detect and mitigate risks associated with this type of attack. Indicators of compromise include domains such as geminicli[.]co[.]com, gemini-setup[.]com, claudecode[.]co[.]com, and several others listed by researchers.
Organizations are urged to hunt for downloading patterns associated with irm | iex in command-line telemetry and to set alerts for instances of powershell.exe that are spawned with the -WindowStyle Hidden parameter. Applying PowerShell Constrained Language Mode via Windows Defender Application Control (WDAC) or AppLocker is critical, as is the deployment of FIDO2 security keys for privileged developer accounts.
Additionally, configuring browser policies to prevent clipboard write access on untrusted sites and enforcing awareness training focusing on the risks of paste-and-execute social engineering techniques can provide immediate and effective control against these sophisticated forms of cyber attack.
As these cybersecurity threats continue to evolve, vigilance and robust security practices will be paramount for developers engaging with AI tooling and beyond.