{ "type": "URL", "indicator": "https://www.pinvoke.net/default.aspx/advapi32.credwrite", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.pinvoke.net/default.aspx/advapi32.credwrite", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4370486434, "indicator": "https://www.pinvoke.net/default.aspx/advapi32.credwrite", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a0f06681c6ea37a99ec7d21", "name": "SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer", "description": "Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attackers position fake domains above legitimate search results, directing victims to malicious installation pages that deliver fileless PowerShell-based infostealer malware. The malware executes entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests credentials from browsers, collaboration platforms, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, providing direct enterprise network access. The campaign leverages bulletproof hosting infrastructure and over 30 typosquatted domains registered between March and April 2026, primarily targeting users in the United States and United Kingdom.", "modified": "2026-05-21T16:40:33.714000", "created": "2026-05-21T13:19:36.849000", "tags": [ "fileless powershell", "infostealer", "ai platform impersonation", "developer targeting", "supply chain risk", "typosquatting", "seo poisoning", "credential theft" ], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 29, "URL": 4, "domain": 5, "hostname": 6 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 386492, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1284484825661a86bd817e", "name": "SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer", "description": "", "modified": "2026-05-24T04:53:28.866000", "created": "2026-05-24T04:53:28.866000", "tags": [ "fileless powershell", "infostealer", "ai platform impersonation", "developer targeting", "supply chain risk", "typosquatting", "seo poisoning", "credential theft" ], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a0f06681c6ea37a99ec7d21", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 29, "URL": 4, "domain": 5, "hostname": 6 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer", "IOCs-MAY2.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Technology" ], "unique_indicators": 54 }, "other": { "adversary": [ "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef" ], "malware_families": [], "industries": [ "Technology" ], "unique_indicators": 946 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pinvoke.net", "whois": "http://whois.domaintools.com/pinvoke.net", "domain": "pinvoke.net", "hostname": "www.pinvoke.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a0f06681c6ea37a99ec7d21", "name": "SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer", "description": "Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attackers position fake domains above legitimate search results, directing victims to malicious installation pages that deliver fileless PowerShell-based infostealer malware. The malware executes entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests credentials from browsers, collaboration platforms, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, providing direct enterprise network access. The campaign leverages bulletproof hosting infrastructure and over 30 typosquatted domains registered between March and April 2026, primarily targeting users in the United States and United Kingdom.", "modified": "2026-05-21T16:40:33.714000", "created": "2026-05-21T13:19:36.849000", "tags": [ "fileless powershell", "infostealer", "ai platform impersonation", "developer targeting", "supply chain risk", "typosquatting", "seo poisoning", "credential theft" ], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 29, "URL": 4, "domain": 5, "hostname": 6 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 386492, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1284484825661a86bd817e", "name": "SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer", "description": "", "modified": "2026-05-24T04:53:28.866000", "created": "2026-05-24T04:53:28.866000", "tags": [ "fileless powershell", "infostealer", "ai platform impersonation", "developer targeting", "supply chain risk", "typosquatting", "seo poisoning", "credential theft" ], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a0f06681c6ea37a99ec7d21", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 29, "URL": 4, "domain": 5, "hostname": 6 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.pinvoke.net/default.aspx/advapi32.credwrite", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.pinvoke.net/default.aspx/advapi32.credwrite", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780212904.008075 }