Pulse: SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
TLP: WHITE | Author: AlienVault | Created: 2026-05-21 | Modified: 2026-05-21
Indicators: 54 | HIGH VOLUME
Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attackers position fake domains above legitimate search results, directing victims to malicious installation pages that deliver fileless PowerShell-based infostealer malware. The malware executes entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests credentials from browsers, collaboration platforms, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, providing direct enterprise network access. The campaign leverages bulletproof hosting infrastructure and over 30 typosquatted domains registered between March and April 2026, primarily targeting users in the United States and United Kingdom.
Indicators of Compromise (54)
Indicator types: FileHash-MD5 (5), FileHash-SHA1 (5), FileHash-SHA256 (29), URL (4), domain (5), hostname (6)
TYPE  INDICATOR  DESCRIPTION  CREATED
FileHash-MD5 04f0ef18a152f892ef0c43aa7d1499cd 2026-05-21
FileHash-MD5 2a36e01516929b5e2c43ed3f7bb137cd 2026-05-21
FileHash-MD5 34a9b024da31c3c54233f7da2021ef8a 2026-05-21
FileHash-MD5 8e43af7bb1961e87e35cecd9c9dc39c7 2026-05-21
FileHash-MD5 a7012d46ab1f5fba4ff81f442848237d 2026-05-21
FileHash-SHA1 3269b7c555b868bce5bae7fc7b4b8a55174ec221 2026-05-21
FileHash-SHA1 33c8c74294cd9cece97a2158a2533e992c8310bc 2026-05-21
FileHash-SHA1 a05aedfc0906ea392cd182cc75163cba0646d419 2026-05-21
FileHash-SHA1 b2b8eab958b77555160c95d89c7b5915f7d48a34 2026-05-21
FileHash-SHA1 e11cc0e79307a6237a6660d48988402fad6d3c6a 2026-05-21
FileHash-SHA256 0e8c45d847f57095d9879c0da764ab02431db4d5d85f50c4fd5ba38353b79eed 2026-05-21
FileHash-SHA256 1439d30ebeac3a6ccb9545acaa350783a83cc08746cb575e59ddb0efc77d412a 2026-05-21
FileHash-SHA256 27e17661f5573f63b65e3a5cfe5bdca75acdc1911441b032781f7ebe125d9194 2026-05-21
FileHash-SHA256 2d7a94e4a0fedcf31cdd43b06222add9d1888fecb2c5488afc658d08c3f40116 2026-05-21
FileHash-SHA256 2d9ecc9321994558d0cc0e9d3fa9fdf600bacfe8758976d34f26f89c33bd5007 2026-05-21
FileHash-SHA256 5071921cb1ca369fe8f7af522a00373c8c85e4357f7ea1879d2cb4ae791797d6 2026-05-21
FileHash-SHA256 5c6a2c73f59fd8defbf118f87e5c88ba62e3067f8e8c0ed104f3f188fa0d959d 2026-05-21
FileHash-SHA256 64d2a9a49e27d89f1b3489d7db29c3a3a12b4b090f59c24b694c239cb55db262 2026-05-21
FileHash-SHA256 65e1a542bb7d995cc4aa6c71191da125f14f99ca03da7266f5b071440d6d229a 2026-05-21
FileHash-SHA256 7c2a9ad5fcf489d1844f51830242f6dd9dfc203be6de3ceb07a4f6dd21c9f1a3 2026-05-21
FileHash-SHA256 80ffc86673bd8c8bd5862bbe961323a822b23c94df48c685162c571445552faa 2026-05-21
FileHash-SHA256 89d634c8471382ff9c6fd966008ad5c376d7a0edae8f799eb569837170f2373d 2026-05-21
FileHash-SHA256 9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333 2026-05-21
FileHash-SHA256 a1c5e1d9bdc1a931c11ac6fdfdff1fbc69ff88521cf443cb174f9720a05fe72d 2026-05-21
FileHash-SHA256 a31ae1eef3261c36b465255e624fb7ac5899bf2a9823564ba792fac8346723aa 2026-05-21
FileHash-SHA256 a6525b37b0cc5339df375e17a0c10772b50c9d425001b0c3a9dada995c7f62dd 2026-05-21
FileHash-SHA256 aa350580ae5ea46544ffa15c324ab4225dff0dcc5842ac5ca8e2dc4018e5ffad 2026-05-21
FileHash-SHA256 ae8f70dad97fedecd707977ca22fd6f656c64c0dac96e03f0f4a6c04d0693f59 2026-05-21
FileHash-SHA256 ae9bc11adb457930d402844bd3bf3af8ea7c13fdb7ea269fbe73877b18af1ca8 2026-05-21
FileHash-SHA256 b37ee243518221017bab0eb4b54b5431571cc21e54113698ce49a89b89993754 2026-05-21
FileHash-SHA256 bb78f024c4d8b5a6a128aacb498acad025a234a6b25fde36ff2e14601134555f 2026-05-21
FileHash-SHA256 be2ff065a232a3a6f187f9fb03a6c1b368dff3d2ba0966777b1f5503aa5ecd16 2026-05-21
FileHash-SHA256 c213ce07b5791abd334ff749b5f05ecc6b40772d35ef4388b5f576bc3e619765 2026-05-21
FileHash-SHA256 c416052c8ac6bfb78b7f0c46c568c528ead33501149661f1d9ecb1861269f8fa 2026-05-21
FileHash-SHA256 c47610c9df3fb101b0e99f2ac12589db653464edf12cebaa2c67fd33fc7715f3 2026-05-21
FileHash-SHA256 de34f2f93b74e049a08074c779a863a87a85a403594b8e220b1fba15112e6386 2026-05-21
FileHash-SHA256 dfd21a363f4994794f821d76ca61c834882a51b5c6f7b95627b70789462149e3 2026-05-21
FileHash-SHA256 efbf87447d93f4232b1169920f75c2066d19863ebc28fb2d2662353dc4ef61d8 2026-05-21
FileHash-SHA256 ff81cb9263fcde5870a0748fd6af2d30a4ba864415c15ca14827d0dd723eb60c 2026-05-21
URL http://events.msft23.com/process 2026-05-21
URL https://community.chocolatey.net/install.ps1|iex 2026-05-21
URL https://geminicli.com/ 2026-05-21
URL https://www.pinvoke.net/default.aspx/advapi32.credwrite 2026-05-21
domain chocolatey.net 2026-05-21
domain claude-setup.com 2026-05-21
domain gemini-setup.com 2026-05-21
domain get-monero.co.uk 2026-05-21
domain olive3451.com 2026-05-21
hostname api.bio9438.com 2026-05-21
hostname community.chocolatey.net 2026-05-21
hostname events.ms709.com 2026-05-21
hostname events.msft23.com 2026-05-21
hostname metrics.msft17.com 2026-05-21
hostname www.pinvoke.net 2026-05-21
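The rows above are only useful once they are matched against telemetry. The following is an added example, not code from AlienVault or the pulse, that parses a subset of the pulse's own indicator rows into typed records, normalises them (the "|iex" captured on the Chocolatey URL is a PowerShell pipe fragment from the lure command, not part of the URL), and scans constructed DNS, proxy and EDR log lines for hits. The log lines and their field names (query=, url=, host=, sha256=) are assumptions made for the example; only the indicator values come from the table.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Subset of the pulse's indicator rows, embedded so the example runs offline.
# Row layout mirrors the table above: TYPE INDICATOR CREATED (DESCRIPTION is empty).
IOC_ROWS = """\
FileHash-SHA256 0e8c45d847f57095d9879c0da764ab02431db4d5d85f50c4fd5ba38353b79eed 2026-05-21
URL https://community.chocolatey.net/install.ps1|iex 2026-05-21
domain chocolatey.net 2026-05-21
domain gemini-setup.com 2026-05-21
hostname events.msft23.com 2026-05-21
"""


@dataclass(frozen=True)
class Ioc:
    kind: str
    value: str
    created: str


def normalize(kind: str, raw: str) -> str:
    """Canonicalise an indicator so lookups are case- and artefact-insensitive."""
    if kind == "URL":
        # "|iex" is the trailing piece of the lure's PowerShell one-liner that was
        # captured together with the URL; it is not part of the URL itself.
        raw = raw.split("|", 1)[0]
        parts = urlsplit(raw)
        return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return raw.strip().lower()


def parse_iocs(text: str) -> list[Ioc]:
    """Parse 'TYPE INDICATOR CREATED' rows; header or malformed rows are skipped."""
    iocs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        kind, raw, created = fields
        iocs.append(Ioc(kind, normalize(kind, raw), created))
    return iocs


# Assumed log field conventions for this example (constructed, not from the pulse).
HASH_RE = re.compile(r"\b([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\b")
HOST_RE = re.compile(r"(?:query|host|sni)=([A-Za-z0-9.-]+)")
URL_RE = re.compile(r"url=(\S+)")


def host_matches(ioc: Ioc, host: str) -> bool:
    """hostname IOCs match exactly; domain IOCs also cover every subdomain."""
    if ioc.kind == "hostname":
        return host == ioc.value
    if ioc.kind == "domain":
        return host == ioc.value or host.endswith("." + ioc.value)
    return False


def scan_line(line: str, iocs: list[Ioc]) -> list[tuple[str, str]]:
    """Return (ioc_kind, ioc_value) pairs that the log line hits, in table order."""
    hosts = {h.lower() for h in HOST_RE.findall(line)}
    urls = []
    for u in URL_RE.findall(line):
        urls.append(normalize("URL", u))
        hosts.add(urlsplit(u).hostname or "")  # the URL's host is also a host observation
    hashes = {h.lower() for h in HASH_RE.findall(line)}
    hits = []
    for ioc in iocs:
        if ioc.kind in ("domain", "hostname") and any(host_matches(ioc, h) for h in hosts):
            hits.append((ioc.kind, ioc.value))
        elif ioc.kind == "URL" and any(u.startswith(ioc.value) for u in urls):
            hits.append((ioc.kind, ioc.value))
        elif ioc.kind.startswith("FileHash") and ioc.value in hashes:
            hits.append((ioc.kind, ioc.value))
    return hits


def scan_logs(lines: list[str], iocs: list[Ioc]) -> dict[int, list[tuple[str, str]]]:
    """Map 1-based line numbers to their IOC hits; lines without hits are omitted."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line, iocs))}


# Constructed log lines (not from the pulse): DNS, proxy, EDR and one benign line.
SAMPLE_LOGS = [
    "2026-05-22T10:01:02Z dns client=10.0.0.5 query=gemini-setup.com",
    "2026-05-22T10:01:05Z proxy client=10.0.0.5 url=https://community.chocolatey.net/install.ps1",
    "2026-05-22T10:02:00Z edr host=DEV-01 sha256=0E8C45D847F57095D9879C0DA764AB02431DB4D5D85F50C4FD5BA38353B79EED",
    "2026-05-22T10:03:00Z dns client=10.0.0.7 query=www.chocolatey.org",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS, parse_iocs(IOC_ROWS)).items():
        print(f"line {n}: {hits}")
```

The domain/hostname distinction matters: a domain indicator such as chocolatey.net should fire on any subdomain (the proxy line hits both the URL row and the domain row), while a hostname indicator is an exact match. Treat hits as review signals rather than automatic blocks; the table also lists www.pinvoke.net, a legitimate Win32 API reference site that ordinary developer traffic reaches.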