{ "type": "Domain", "indicator": "olive3451.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/olive3451.com", "alexa": "http://www.alexa.com/siteinfo/olive3451.com", "indicator": "olive3451.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4332222598, "indicator": "olive3451.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a0f06681c6ea37a99ec7d21", "name": "SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer", "description": "Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attackers position fake domains above legitimate search results, directing victims to malicious installation pages that deliver fileless PowerShell-based infostealer malware. The malware executes entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests credentials from browsers, collaboration platforms, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, providing direct enterprise network access. The campaign leverages bulletproof hosting infrastructure and over 30 typosquatted domains registered between March and April 2026, primarily targeting users in the United States and United Kingdom.", "modified": "2026-05-21T16:40:33.714000", "created": "2026-05-21T13:19:36.849000", "tags": [ "fileless powershell", "infostealer", "ai platform impersonation", "developer targeting", "supply chain risk", "typosquatting", "seo poisoning", "credential theft" ], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 29, "URL": 4, "domain": 5, "hostname": 6 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 386255, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1284484825661a86bd817e", "name": "SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer", "description": "", "modified": "2026-05-24T04:53:28.866000", "created": "2026-05-24T04:53:28.866000", "tags": [ "fileless powershell", "infostealer", "ai platform impersonation", "developer targeting", "supply chain risk", "typosquatting", "seo poisoning", "credential theft" ], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a0f06681c6ea37a99ec7d21", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 29, "URL": 4, "domain": 5, "hostname": 6 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a123407891a0247298ffc64", "name": "SEO Poisoning Infostealer Campaign via Gemini CLI and Claude Code", "description": "", "modified": "2026-05-23T23:11:03.794000", "created": "2026-05-23T23:11:03.794000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7, "hostname": 4, "FileHash-MD5": 28, "FileHash-SHA1": 28, "FileHash-SHA256": 28 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fb94289183b56bac9e75a", "name": "IOC - SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer", "description": "The Gemini CLI impersonation campaign was first publicly identified by independent threat researcher @g0njxa [1], whose initial discovery enabled analysis and infrastructure pivoting documented in this report. The infection chain begins with a Google search by a developer looking for the official Gemini CLI [2] or Claude Code [3] installation page. Threat actors use SEO poisoning to surface a fake domain at the top of search results, above the legitimate source. The victim clicks through, lands on a malicious page visually consistent with a genuine vendor installation guide and is prompted to execute a single command to complete the install.", "modified": "2026-05-22T02:02:42.071000", "created": "2026-05-22T02:02:42.071000", "tags": [], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 29, "FileHash-SHA256": 29, "domain": 5, "hostname": 3 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f01339b5612a6f8ba606ab", "name": "Twitter Feed - g0njxa - 27-04-2026", "description": "", "modified": "2026-04-28T01:54:01.457000", "created": "2026-04-28T01:54:01.457000", "tags": [], "references": [ "https://x.com/g0njxa/status/2048832122618847252" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3, "URL": 5, "domain": 2 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs-MAY2.csv", "https://x.com/g0njxa/status/2048832122618847252", "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Technology" ] }, "other": { "adversary": [ "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef" ], "malware_families": [], "industries": [ "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a0f06681c6ea37a99ec7d21", "name": "SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer", "description": "Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attackers position fake domains above legitimate search results, directing victims to malicious installation pages that deliver fileless PowerShell-based infostealer malware. The malware executes entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests credentials from browsers, collaboration platforms, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, providing direct enterprise network access. The campaign leverages bulletproof hosting infrastructure and over 30 typosquatted domains registered between March and April 2026, primarily targeting users in the United States and United Kingdom.", "modified": "2026-05-21T16:40:33.714000", "created": "2026-05-21T13:19:36.849000", "tags": [ "fileless powershell", "infostealer", "ai platform impersonation", "developer targeting", "supply chain risk", "typosquatting", "seo poisoning", "credential theft" ], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 29, "URL": 4, "domain": 5, "hostname": 6 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 386255, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1284484825661a86bd817e", "name": "SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer", "description": "", "modified": "2026-05-24T04:53:28.866000", "created": "2026-05-24T04:53:28.866000", "tags": [ "fileless powershell", "infostealer", "ai platform impersonation", "developer targeting", "supply chain risk", "typosquatting", "seo poisoning", "credential theft" ], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a0f06681c6ea37a99ec7d21", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 29, "URL": 4, "domain": 5, "hostname": 6 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a123407891a0247298ffc64", "name": "SEO Poisoning Infostealer Campaign via Gemini CLI and Claude Code", "description": "", "modified": "2026-05-23T23:11:03.794000", "created": "2026-05-23T23:11:03.794000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7, "hostname": 4, "FileHash-MD5": 28, "FileHash-SHA1": 28, "FileHash-SHA256": 28 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fb94289183b56bac9e75a", "name": "IOC - SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer", "description": "The Gemini CLI impersonation campaign was first publicly identified by independent threat researcher @g0njxa [1], whose initial discovery enabled analysis and infrastructure pivoting documented in this report. The infection chain begins with a Google search by a developer looking for the official Gemini CLI [2] or Claude Code [3] installation page. Threat actors use SEO poisoning to surface a fake domain at the top of search results, above the legitimate source. The victim clicks through, lands on a malicious page visually consistent with a genuine vendor installation guide and is prompted to execute a single command to complete the install.", "modified": "2026-05-22T02:02:42.071000", "created": "2026-05-22T02:02:42.071000", "tags": [], "references": [ "https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 29, "FileHash-SHA256": 29, "domain": 5, "hostname": 3 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f01339b5612a6f8ba606ab", "name": "Twitter Feed - g0njxa - 27-04-2026", "description": "", "modified": "2026-04-28T01:54:01.457000", "created": "2026-04-28T01:54:01.457000", "tags": [], "references": [ "https://x.com/g0njxa/status/2048832122618847252" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3, "URL": 5, "domain": 2 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "type": "Domain", "indicator": "olive3451.com", "stats": { "malicious": 15, "suspicious": 3, "harmless": 42, "undetected": 31, "total": 91, "verdict": "malicious", "ratio": "15/91" }, "verdict": "malicious", "ratio": "15/91", "registrar": "", "creation_date": 1776902400, "reputation": -1, "tags": [], "categories": {}, "top_detections": [ { "vendor": "ADMINUSLabs", "result": "malicious", "category": "malicious" }, { "vendor": "BitDefender", "result": "malware", "category": "malicious" }, { "vendor": "CRDF", "result": "malicious", "category": "malicious" }, { "vendor": "Certego", "result": "malicious", "category": "malicious" }, { "vendor": "Chong Lua Dao", "result": "malicious", "category": "malicious" }, { "vendor": "CyRadar", "result": "malware", "category": "malicious" }, { "vendor": "ESET", "result": "suspicious", "category": "suspicious" }, { "vendor": "Emsisoft", "result": "malware", "category": "malicious" }, { "vendor": "Fortinet", "result": "malware", "category": "malicious" }, { "vendor": "G-Data", "result": "malware", "category": "malicious" } ], "last_analysis": 1780020063, "error": null }, "abuseipdb": null, "urlhaus": { "indicator": "olive3451.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780057276.8226423 }