“The stealer's collection scope reveals a deliberate focus on enterprise users and developer workstations,” EclecticIQ researchers wrote — a concise verdict that frames a brief but potent campaign of imitation, SEO manipulation and in-memory malware delivery aimed at developers and corporate users.
EclecticIQ's timeline and attribution
Security researchers at EclecticIQ investigated an impersonation campaign after an independent researcher known as @g0njxa flagged activity on X on April 21, 2026. EclecticIQ's analysis found the threat actor began deploying malicious domains in early March 2026 and registered additional impersonating domains for Anthropic’s Claude Code on March 30. EclecticIQ published its findings in a May 21 report. The technical overlaps between the Gemini and Claude chains led EclecticIQ to assess that a single actor likely operated both campaigns.
SEO poisoning and targeted domain choices
The attackers used search-engine optimization (SEO) poisoning to push fake installation pages above legitimate results, directing victims to attacker-controlled infrastructure that mimicked genuine AI-agent installation documentation. EclecticIQ assessed the campaign was likely tailored to users in the US and the UK, noting the use of .co.uk, .us.com and .us.org top-level domains among attacker-controlled names. The Gemini impersonation routed victims to geminicli[.]co[.]com and gemini-setup[.]com; the Claude impersonation used claudecode[.]co[.]com and claude-setup[.]com.
Infostealer capabilities and specific targets
The payload delivered by both chains is an information-stealing program that runs entirely in memory via PowerShell on Windows endpoints and transmits results in encrypted form to attacker command-and-control servers. EclecticIQ cataloged a broad collection surface that concentrates on developer workstations and enterprise endpoints:
- Chromium-family browsers (Chrome, Edge, Brave) and Firefox: login credentials, session cookies, autofill data and form history.
- Collaboration and communications platforms: Slack (local state key and network cookies), Microsoft Teams (EBWebView cache cookies under LocalAppData and DPAPI-protected local state decryption), Discord (LevelDB local storage and local state), Mattermost, Zoom (DPAPI-protected win_osencrypt_key from Zoom.us.ini), Telegram Desktop (tdata session directory), LiveChat, Notion, and Zoho Mail Desktop.
- Remote access tooling and VPN configuration (including OpenVPN), cryptocurrency wallet data (Brave Wallet preferences and Spectre wallet), and cloud storage metadata and files (Proton Drive, iCloud Drive, Google Drive, MEGA, OneDrive).
- User files, system metadata and the ability to execute arbitrary remote code on the compromised host.
EclecticIQ emphasized that “a session cookie or a local state key from any of these platforms grants authenticated access to the victim's workspace, including internal channels, shared files, client communications and connected integrations.” That authenticated access, combined with remote code execution, creates opportunity for follow-on, hands-on-keyboard intrusions according to the report.
Gemini CLI and Claude Code attack chains — how victims were lured
Both campaigns used the same social-engineering vector: cloned installation documentation that prompts users to copy and paste a PowerShell command into a terminal. For the Gemini CLI impersonation, victims who visited geminicli[.]co[.]com were presented with an installation instruction and a copy-paste PowerShell command that downloaded a downloader payload from gemini-setup[.]com; the infostealer then sent exfiltrated data to events[.]msft23[.]com. In the Claude Code impersonation, claudecode[.]co[.]com displayed a cloned installation page and fetched the final payload from claude-setup[.]com; exfiltrated data was routed to events[.]ms709[.]com. The mirrored structure and matching techniques across the two chains were a central factor in EclecticIQ's assessment of shared authorship.
What this means for enterprise users, developers, and security teams
- Developers and end users: The lure centered on developer tooling — command-line installation of AI tools — and relied on copy-paste execution. Users who follow installation snippets from search results rather than verified vendor documentation risk executing in-memory PowerShell payloads that harvest session tokens and credentials.
- Enterprise security teams: The campaign's use of SEO poisoning and geographically suggestive TLD choices (.co.uk, .us.com, .us.org) means incident responders should correlate unusual search-result traffic and look for downloads from the listed domains and the C2 hosts events[.]msft23[.]com and events[.]ms709[.]com.
- IT administrators and procurement leads: Because the stealer targets collaboration platforms and cloud-storage clients common in corporate environments, compromised cookies or local state keys can expose internal communications, shared files and third-party integrations — elevating what begins as a workstation compromise to a potential lateral-access risk.
The campaign combines two straightforward elements — trusted-looking installation pages and a PowerShell in-memory payload — to bridge from casual search traffic to high-value credential theft. Early March domain registrations, an April 21 public flag by @g0njxa and EclecticIQ’s May 21 reporting provide a compact timeline; the twin chains’ mirrored mechanics and shared objectives leave a clear question: will search-result manipulation and cloned installer pages remain an effective vector for attackers seeking enterprise session tokens and developer workstation access? The answer will depend on how quickly detection and user practices adapt to this specific mash-up of SEO poisoning and in-memory PowerShell theft.
Original reporting: https://www.infosecurity-magazine.com/news/gemini-claude-infostealers-seo/




