Fake Gemini and Claude Code Sites Spread Infostealers Through SEO Poisoning
AI-summarised brief · reviewed before publication
Security researchers at EclecticIQ identified a malicious campaign deploying fake websites impersonating Google Gemini and Anthropic’s Claude Code to distribute information-stealing malware. Initially flagged by researcher @g0njxa on April 21, the campaign began in early March 2026, targeting users in the US and UK via tailored domains. Attackers used SEO poisoning to rank these fraudulent sites above legitimate results. The malware executes in memory via PowerShell on Windows endpoints, harvesting credentials from browsers, collaboration tools like Slack and Teams, and cloud storage services. It exfiltrates encrypted data to command-and-control servers, granting attackers authenticated access to corporate workspaces, internal communications, and sensitive files. The operation specifically exploits developer trust in AI coding assistants, leveraging their installation processes to compromise enterprise environments and remote access configurations.
💡 Why It Matters
- · This campaign exploits the rapid adoption of AI coding assistants, turning trusted developer tools into high-value entry points for corporate espionage.
- · By targeting specific enterprise communication platforms, attackers bypass traditional perimeter defenses to access sensitive internal data directly.