SEO Poisoning: Threat Actors Target AI Developers via Malicious CLI Impersonation

A sophisticated SEO poisoning campaign is currently targeting the developer community, leveraging the rapid adoption of AI-driven development tools to distribute advanced infostealer malware. By impersonating high-profile command-line interfaces (CLIs) such as Gemini CLI and Claude Code, attackers are successfully intercepting developers seeking legitimate installation workflows.

First identified in early March 2026, this campaign utilizes highly optimized malicious domains designed to outrank official documentation in search engine results. When developers land on these fraudulent sites—which feature near-perfect visual replicas of trusted vendor documentation—they are prompted to execute seemingly standard PowerShell commands. In reality, these commands serve as the initial entry vector for a deep system compromise.

A detailed analysis of the campaign by EclecticIQ reveals a highly structured technical approach. For example, users searching for Gemini CLI are redirected to typosquatted domains like geminicli[.]co[.]com. The site guides users through a fake setup process, leading them to execute a PowerShell command that silently fetches a malicious script from gemini-setup[.]com.

To maintain a low forensic footprint, the malware operates primarily in-memory. This “fileless” execution strategy allows the payload to bypass traditional disk-based scanning, effectively evading standard antivirus solutions.

Impersonation of Gemini CLI installation page (Source : EclecticIQ).
Impersonation of Gemini CLI installation page (Source: EclecticIQ).

Technical Analysis: Dual-Execution and Defense Evasion

The campaign’s most deceptive element is its dual-execution methodology. While the malicious background process is initializing, the script simultaneously installs the legitimate tool (e.g., via npm). This provides immediate visual confirmation to the user that the installation was successful, masking the fact that an infostealer has already been deployed.

Parallel infrastructure has been identified targeting Anthropic’s Claude Code, utilizing domains such as claudecode[.]co[.]com and claude-setup[.]com. This pattern suggests a unified threat actor managing a broad portfolio of spoofed developer assets.

Similarities of domain names between two AI platform impersonation campaigns (Source : EclecticIQ).
Similarities of domain names between two AI platform impersonation campaigns (Source: EclecticIQ).

The malware is engineered for maximum stealth and impact. Upon execution, it attempts to disable critical Windows security mechanisms, specifically:

  • Event Tracing for Windows (ETW): To blind security monitoring and telemetry.
  • Antimalware Scan Interface (AMSI): To prevent real-time scanning of PowerShell scripts.

Once the defenses are neutralized, the infostealer begins harvesting a massive array of sensitive data, including:

  • Credentials & Sessions: Browser passwords, session cookies, and OAuth tokens.
  • Development Secrets: SSH keys and VPN configurations.
  • Enterprise Collaboration: Data from Slack, Microsoft Teams, Discord, and Zoom.
  • Financial Assets: Cryptocurrency wallet files and cloud storage directories.

Furthermore, the payload supports Remote Code Execution (RCE). This functionality allows attackers to pivot from automated data theft to interactive, “hands-on-keyboard” sessions, significantly increasing the risk of lateral movement within an enterprise network.

Impersonation of Node.js package manager (Source : EclecticIQ).
Impersonation of Node.js package manager (Source: EclecticIQ).

Infrastructure intelligence indicates that the attackers utilize “bulletproof” hosting to maintain their command-and-control (C2) nodes, such as events[.]msft23[.]com. The campaign extends beyond AI tools, with over 30 domains impersonating widely used developer utilities like Node.js, Chocolatey, and KeePassXC.

Defensive Recommendations

To mitigate the risk of infection from these SEO-driven attacks, security operations centers (SOCs) and developers should implement the following:

  • Monitor PowerShell Activity: Watch for suspicious command chaining, particularly the use of Invoke-RestMethod combined with Invoke-Expression (IEX).
  • Validate Installation Sources: Always verify the official documentation and repository URLs before executing CLI installation commands.
  • Endpoint Detection: Look for unusual outbound network connections immediately following the execution of administrative scripts.
  • Privilege Management: Limit the use of elevated privileges for routine development tasks to reduce the potential blast radius of an infection.

Indicators of Compromise (IOCs)

Domains

# Domain
1 api.bio9438[.]com
2 claudecode-install.co[.]com
3 openclow.co[.]com
4 geninicli.co[.]com
5 keepassxc.us[.]org
6 claude-code.co[.]com
7 chocolatey[.]net
8 claudecode.co[.]com
9 chocolatey-setup.co[.]com
10 get-monero.co[.]uk
11 getmonero.us[.]com
12 metrics.msft17[.]com
13 claude-setup[.]com
14 keepassxc.us[.]com
15 olive3451[.]com
16 events.ms709[.]com
17 chocolatey-download.co[.]com
18 chocolatey.co[.]com

SHA-256 Hashes

# SHA-256 Hash
1 ff81cb9263fcde5870a0748fd6af2d30a4ba864415c15ca14827d0dd723eb60c
2 9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333
3 89d634c8471382ff9c6fd966008ad5c376d7a0edae8f799eb569837170f2373d
4 be2ff065a232a3a6f187f9fb03a6c1b368dff3d2ba0966777b1f5503aa5ecd16
5 a1c5e1d9bdc1a931c11ac6fdfdff1fbc69ff88521cf443cb174f9720a05fe72d
6 bb78f024c4d8b5a6a128aacb498acad025a234a6b25fde36ff2e14601134555f
7 a6525b37b0cc5339df375e17a0c10772b50c9d425001b0c3a9dada995c7f62dd
8 b37ee243518221017bab0eb4b54b5431571cc21e54113698ce49a89b89993754
9 aa350580ae5ea46544ffa15c324ab4225dff0dcc5842ac5ca8e2dc4018e5ffad
10 65e1a542bb7d995cc4aa6c71191da125f14f99ca03da7266f5b071440d6d229a
11 64d2a9a49e27d89f1b3489d7db29c3a3a12b4b090f59c24b694c239cb55db262
12 2d7a94e4a0fedcf31cdd43b06222add9d1888fecb2c5488afc658d08c3f40116
13 5c6a2c73f59fd8defbf118f87e5c88ba62e3067f8e8c0ed104f3f188fa0d959d
14 de34f2f93b74e049a08074c779a863a87a85a403594b8e220b1fba15112e6386
15 0e8c45d847f57095d9879c0da764ab02431db4d5d85f50c4fd5ba38353b79eed
16 dfd21a363f4994794f821d76ca61c834882a51b5c6f7b95627b70789462149e3
17 a31ae1eef3261c36b465255e624fb7ac5899bf2a9823564ba792fac8346723aa
18 1439d30ebeac3a6ccb9545acaa350783a83cc08746cb575e59ddb0efc77d412a
19 7c2a9ad5fcf489d1844f51830242f6dd9dfc203be6de3ceb07a4f6dd21c9f1a3
20 80ffc86673bd8c8bd5862bbe961323a822b23c94df48c685162c571445552faa
21 c416052c8ac6bfb78b7f0c46c568c528ead33501149661f1d9ecb1861269f8fa
22 efbf87447d93f4232b1169920f75c2066d19863ebc28fb2d2662353dc4ef61d8
23 2d9ecc9321994558d0cc0e9d3fa9fdf600bacfe8758976d34f26f89c33bd5007
24 ae9bc11adb457930d402844bd3bf3af8ea7c13fdb7ea269fbe73877b18af1ca8
25 c213ce07b5791abd334ff749b5f05ecc6b40772d35ef4388b5f576bc3e619765
26 27e17661f5573f63b65e3a5cfe5bdca75acdc1911441b032781f7ebe125d9194
27 ae8f70dad97fedecd707977ca22fd6f656c64c0dac96e03f0f4a6c04d0693f59
28 c47610c9df3fb101b0e99f2ac12589db653464edf12cebaa2c67fd33fc7715f3
29 5071921cb1ca369fe8f7af522a00373c8c85e4357f7ea1879d2cb4ae791797d6

Note: Domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms.

Related Articles

Back to top button