Fake Gemini and Claude AI Tool Sites Used to Deliver Infostealer Malware

Researchers at EclecticIQ have uncovered a phishing campaign that uses SEO poisoning to surface fake installation sites for Google Gemini CLI and Anthropic Claude Code, which then distribute infostealer malware. The attackers built convincing clone websites that trick users into executing malicious PowerShell commands, resulting in in-memory malware infections capable of stealing credentials, session cookies, cryptocurrency wallet data, cloud storage information, and access tokens for communications platforms. The malware specifically targets enterprise and developer environments, harvesting data from browsers, Slack, Microsoft Teams, Discord, Zoom, Telegram, and remote access tools before exfiltrating it to attacker-controlled servers. Researchers believe the Gemini and Claude impersonation campaigns are linked to the same threat actor, based on similarities in infrastructure, payload delivery, and attack techniques.

Reference: infosecurity-magazine.com