Cybercriminals are using fake websites for popular Artificial Intelligence (AI) tools to trick software developers into downloading data-stealing malware. The issue was first spotted on 21 April 2026 by an independent security researcher known as @g0njxa on X (formerly Twitter).
Following this discovery, on 21 May 2026, the security research firm EclecticIQ released a full report showing that a single, financially motivated threat actor had been setting up malicious domains since early March 2026. This campaign specifically targets developers in the US and the UK by exploiting their trust in new AI utilities.
The Search Engine Trap
This attack involves using SEO poisoning to push fake installation pages to the top of Google search results so that developers searching for tools like the Google Gemini Command Line Interface (CLI) or Anthropic’s Claude Code end up on typosquatted domains like geminicli.co.com and claudecode.co.com. These domains perfectly copy official vendor documentation.
When a user visits the fake Gemini page, they are told to copy and paste a PowerShell command into their terminal. This command contacts gemini-setup.com and downloads a malicious script named start.ps1.
In a clever move to avoid suspicion, the script uses the npm package manager to install the actual, legitimate Gemini CLI in the background. While the developer uses the real tool, the malware quietly compromises the system. A parallel campaign started on 30 March using claudecode.co.com and claude-setup.com to deploy the same setup.
Memory Injection and Data Theft
The payload, a fileless infostealer, runs entirely in memory via PowerShell, which means it doesn’t write files to the local disk and hence doesn’t leave a forensic trail. When active, according to EclecticIQ’s blog post, it starts by shutting down the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). This helps to blind the system’s local endpoint defences before collecting sensitive data from three areas:
- Browsers: It captures login credentials, session cookies, and autofill history from Firefox, Chrome, Edge, Brave, and other browsers.
- Apps: It targets Slack, Microsoft Teams, Zoom, Discord, Mattermost, Notion, Telegram, and Zoho Mail to steal DPAPI-protected keys and session cookies. This data lets cybercriminals infiltrate internal corporate networks without entering passwords.
- Files and Wallets: It collects OpenVPN configuration files, cryptocurrency data from Brave and Spectre wallets, and files from cloud storage paths like Google Drive, OneDrive, iCloud, Proton Drive, and MEGA.
And, there’s also a remote code execution feature, which allows attackers to shift from passive, automated data theft to live, hands-on keyboard invasions inside the compromised network. All stolen data is encrypted and exfiltrated to C2 servers at vents.msft23.com, events.ms709.com, and mo2307.com.
Over 30 other fake domains targeting tools like Node.js, Chocolatey, KeePassXC, WinSCP, Cyberduck, and Putty are also run by hackers, and they even used a stolen Extended Validation (EV) certificate from Shenzhen Xingzhongxing Electronic Technology Co., Ltd. to bypass Windows security warnings. With these fake sites ranking so high on search engines, developers need to double-check their download sources instead of just trusting the top web results.
If you are a developer or downloading an AI tool, download it only from official websites. Do not trust look-alike domain names, and scan any downloaded files with VirusTotal before executing or installing them on your device.
