SEO Poisoning: Threat Actors Target AI Developers via Malicious CLI Impersonation
A sophisticated SEO poisoning campaign is currently targeting the developer community, leveraging the rapid adoption of AI-driven development tools to distribute advanced infostealer malware. By impersonating high-profile command-line interfaces (CLIs) such as Gemini CLI and Claude Code, attackers are successfully intercepting developers seeking legitimate installation workflows.
First identified in early March 2026, this campaign utilizes highly optimized malicious domains designed to outrank official documentation in search engine results. When developers land on these fraudulent sites—which feature near-perfect visual replicas of trusted vendor documentation—they are prompted to execute seemingly standard PowerShell commands. In reality, these commands serve as the initial entry vector for a deep system compromise.
A detailed analysis of the campaign by EclecticIQ reveals a highly structured technical approach. For example, users searching for Gemini CLI are redirected to typosquatted domains like geminicli[.]co[.]com. The site guides users through a fake setup process, leading them to execute a PowerShell command that silently fetches a malicious script from gemini-setup[.]com.
To maintain a low forensic footprint, the malware operates primarily in-memory. This “fileless” execution strategy allows the payload to bypass traditional disk-based scanning, effectively evading standard antivirus solutions.

Technical Analysis: Dual-Execution and Defense Evasion
The campaign’s most deceptive element is its dual-execution methodology. While the malicious background process is initializing, the script simultaneously installs the legitimate tool (e.g., via npm). This provides immediate visual confirmation to the user that the installation was successful, masking the fact that an infostealer has already been deployed.
Parallel infrastructure has been identified targeting Anthropic’s Claude Code, utilizing domains such as claudecode[.]co[.]com and claude-setup[.]com. This pattern suggests a unified threat actor managing a broad portfolio of spoofed developer assets.

The malware is engineered for maximum stealth and impact. Upon execution, it attempts to disable critical Windows security mechanisms, specifically:
- Event Tracing for Windows (ETW): To blind security monitoring and telemetry.
- Antimalware Scan Interface (AMSI): To prevent real-time scanning of PowerShell scripts.
Once the defenses are neutralized, the infostealer begins harvesting a massive array of sensitive data, including:
- Credentials & Sessions: Browser passwords, session cookies, and OAuth tokens.
- Development Secrets: SSH keys and VPN configurations.
- Enterprise Collaboration: Data from Slack, Microsoft Teams, Discord, and Zoom.
- Financial Assets: Cryptocurrency wallet files and cloud storage directories.
Furthermore, the payload supports Remote Code Execution (RCE). This functionality allows attackers to pivot from automated data theft to interactive, “hands-on-keyboard” sessions, significantly increasing the risk of lateral movement within an enterprise network.

Infrastructure intelligence indicates that the attackers utilize “bulletproof” hosting to maintain their command-and-control (C2) nodes, such as events[.]msft23[.]com. The campaign extends beyond AI tools, with over 30 domains impersonating widely used developer utilities like Node.js, Chocolatey, and KeePassXC.
Defensive Recommendations
To mitigate the risk of infection from these SEO-driven attacks, security operations centers (SOCs) and developers should implement the following:
- Monitor PowerShell Activity: Watch for suspicious command chaining, particularly the use of
Invoke-RestMethodcombined withInvoke-Expression(IEX). - Validate Installation Sources: Always verify the official documentation and repository URLs before executing CLI installation commands.
- Endpoint Detection: Look for unusual outbound network connections immediately following the execution of administrative scripts.
- Privilege Management: Limit the use of elevated privileges for routine development tasks to reduce the potential blast radius of an infection.
Indicators of Compromise (IOCs)
Domains
| # | Domain |
|---|---|
| 1 | api.bio9438[.]com |
| 2 | claudecode-install.co[.]com |
| 3 | openclow.co[.]com |
| 4 | geninicli.co[.]com |
| 5 | keepassxc.us[.]org |
| 6 | claude-code.co[.]com |
| 7 | chocolatey[.]net |
| 8 | claudecode.co[.]com |
| 9 | chocolatey-setup.co[.]com |
| 10 | get-monero.co[.]uk |
| 11 | getmonero.us[.]com |
| 12 | metrics.msft17[.]com |
| 13 | claude-setup[.]com |
| 14 | keepassxc.us[.]com |
| 15 | olive3451[.]com |
| 16 | events.ms709[.]com |
| 17 | chocolatey-download.co[.]com |
| 18 | chocolatey.co[.]com |
SHA-256 Hashes
| # | SHA-256 Hash |
|---|---|
| 1 | ff81cb9263fcde5870a0748fd6af2d30a4ba864415c15ca14827d0dd723eb60c |
| 2 | 9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333 |
| 3 | 89d634c8471382ff9c6fd966008ad5c376d7a0edae8f799eb569837170f2373d |
| 4 | be2ff065a232a3a6f187f9fb03a6c1b368dff3d2ba0966777b1f5503aa5ecd16 |
| 5 | a1c5e1d9bdc1a931c11ac6fdfdff1fbc69ff88521cf443cb174f9720a05fe72d |
| 6 | bb78f024c4d8b5a6a128aacb498acad025a234a6b25fde36ff2e14601134555f |
| 7 | a6525b37b0cc5339df375e17a0c10772b50c9d425001b0c3a9dada995c7f62dd |
| 8 | b37ee243518221017bab0eb4b54b5431571cc21e54113698ce49a89b89993754 |
| 9 | aa350580ae5ea46544ffa15c324ab4225dff0dcc5842ac5ca8e2dc4018e5ffad |
| 10 | 65e1a542bb7d995cc4aa6c71191da125f14f99ca03da7266f5b071440d6d229a |
| 11 | 64d2a9a49e27d89f1b3489d7db29c3a3a12b4b090f59c24b694c239cb55db262 |
| 12 | 2d7a94e4a0fedcf31cdd43b06222add9d1888fecb2c5488afc658d08c3f40116 |
| 13 | 5c6a2c73f59fd8defbf118f87e5c88ba62e3067f8e8c0ed104f3f188fa0d959d |
| 14 | de34f2f93b74e049a08074c779a863a87a85a403594b8e220b1fba15112e6386 |
| 15 | 0e8c45d847f57095d9879c0da764ab02431db4d5d85f50c4fd5ba38353b79eed |
| 16 | dfd21a363f4994794f821d76ca61c834882a51b5c6f7b95627b70789462149e3 |
| 17 | a31ae1eef3261c36b465255e624fb7ac5899bf2a9823564ba792fac8346723aa |
| 18 | 1439d30ebeac3a6ccb9545acaa350783a83cc08746cb575e59ddb0efc77d412a |
| 19 | 7c2a9ad5fcf489d1844f51830242f6dd9dfc203be6de3ceb07a4f6dd21c9f1a3 |
| 20 | 80ffc86673bd8c8bd5862bbe961323a822b23c94df48c685162c571445552faa |
| 21 | c416052c8ac6bfb78b7f0c46c568c528ead33501149661f1d9ecb1861269f8fa |
| 22 | efbf87447d93f4232b1169920f75c2066d19863ebc28fb2d2662353dc4ef61d8 |
| 23 | 2d9ecc9321994558d0cc0e9d3fa9fdf600bacfe8758976d34f26f89c33bd5007 |
| 24 | ae9bc11adb457930d402844bd3bf3af8ea7c13fdb7ea269fbe73877b18af1ca8 |
| 25 | c213ce07b5791abd334ff749b5f05ecc6b40772d35ef4388b5f576bc3e619765 |
| 26 | 27e17661f5573f63b65e3a5cfe5bdca75acdc1911441b032781f7ebe125d9194 |
| 27 | ae8f70dad97fedecd707977ca22fd6f656c64c0dac96e03f0f4a6c04d0693f59 |
| 28 | c47610c9df3fb101b0e99f2ac12589db653464edf12cebaa2c67fd33fc7715f3 |
| 29 | 5071921cb1ca369fe8f7af522a00373c8c85e4357f7ea1879d2cb4ae791797d6 |
Note: Domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms.