Security researchers at EclecticIQ have uncovered a new malicious campaign in which cyber threat actors created fake sites posing as Google Gemini’s coding tool and Anthropic’s Claude Code to deliver information-stealing malware.
The initial warning came from an independent security researcher, known as @g0njxa on social media. On April 21, they flagged on X an impersonation campaign exploiting the Gemini command line interface (CLI), a feature that lets developers interact with Gemini AI models directly from their terminal.
EclecticIQ researchers investigated the campaign based on these findings. They found that the threat actor started deploying malicious domains in early March 2026.
They also assessed that the campaign is likely geographically tailored to target users in the US and the UK, as evidenced by the selection of .co.uk, .us.com and .us.org top-level domains in some of the attacker-controlled domains.
Infostealer Capabilities
To ensure these domains would be attractive to their targets, SEO poisoning methods were used to surface fake domains above legitimate results, directing victims to attacker-controlled infrastructure that mimics genuine AI agent installation pages.
The domains lead to an infostealer that targets Windows endpoints and executes entirely in memory through PowerShell, harvesting credentials and sensitive data from a wide range of applications before exfiltrating the results in encrypted form to a command-and-control (C2) server.
“The stealer's collection scope reveals a deliberate focus on enterprise users and developer workstations,” the EclecticIQ researchers noted in a May 21 report.
It targets both Chromium-family browsers (Chrome, Edge and Brave) and Firefox to extract login credentials, session cookies, autofill data and form history.
Beyond browsers, the script directly targets collaboration and communication platforms that are standard in corporate environments. These include:
- Slack: local state key extraction and network cookies
- Microsoft Teams: EBWebView cache cookies under LocalAppData, with DPAPI-protected local state decryption
- Discord: local storage LevelDB files and local state
- Mattermost: session cookies and local state
- Zoom: DPAPI-protected win_osencrypt_key extracted from Zoom.us.ini
- Telegram Desktop: tdata session directory
- LiveChat, Notion, Zoho Mail Desktop: session cookies and partitioned storage data
EclecticIQ noted that a session cookie or a local state key from any of these platforms grants authenticated access to the victim's workspace, including internal channels, shared files, client communications and connected integrations.
The infostealer also collects data from remote access tools, OpenVPN configuration files, cryptocurrency wallets (e.g. Brave Wallet preferences and Spectre wallet data), cloud storage (e.g. Proton Drive, iCloud Drive, Google Drive, MEGA, OneDrive), user files and system metadata.
Finally, it allows the attacker to perform arbitrary remote code execution tasks on the victim’s device. Financially motivated cybercriminals typically leverage such capabilities to transition into hands-on-keyboard intrusions against selected victims and execute interactive code within the compromised environment.
Gemini CLI Attack Chain
Targeted victims who think they are visiting Gemini CLI are instead directed to a fake installation page, geminicli[.]co[.]com, which displays what appear to be legitimate installation instructions.
The page prompts the user to copy and paste a PowerShell command into their terminal. When executed, the command reaches out to gemini-setup[.]com to download the infostealer downloader payload.
Once the download is finished, the infostealer establishes a connection to a C2 server hosted at events[.]msft23[.]com, infrastructure used to receive exfiltrated data from compromised hosts.
Claude Code Attack Chain
On March 30, EclecticIQ observed that someone registered two additional domains impersonating Claude Code, claudecode[.]co[.]com and claude-setup[.]com.
Following the same pattern as the Gemini CLI impersonation, the malicious domain claudecode[.]co[.]com hosts a cloned installation page visually consistent with Anthropic's official documentation and presents the user with a PowerShell command to ‘install’ the tool, while claude-setup[.]com hosts the final payload.
After execution, the infostealer sends exfiltrated data to events[.]ms709[.]com, which serves as the C2 server for the Claude Code impersonation campaign.
The similarities between both attack chains strongly suggest a single threat actor is behind both campaigns.
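A defender-side check for the two attack chains above, added here as an example and not taken from the EclecticIQ report: it scans constructed DNS-query log lines (Sysmon event 22 style: timestamp, endpoint, process, queried name) for the domains named in this article and for look-alike names that pair an AI-tool brand with an install/CLI token. The log format, the vendor allow-list and the look-alike heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Domains named in this article (defanging brackets removed).
KNOWN_LURE_AND_C2 = {
    "geminicli.co.com", "gemini-setup.com", "events.msft23.com",
    "claudecode.co.com", "claude-setup.com", "events.ms709.com",
}
# Assumed allow-list of legitimate vendor domains; extend per environment.
VENDOR_DOMAINS = {"google.com", "anthropic.com", "claude.ai"}
# Constructed heuristic: brand token joined to an install/CLI token.
LURE = re.compile(r"(?:gemini|claude)[-_]?(?:cli|code|setup)|(?:cli|setup)[-_]?(?:gemini|claude)")

@dataclass
class Hit:
    endpoint: str
    host: str
    reason: str

def classify(host: str) -> Optional[str]:
    """Return a reason string if the queried name looks like the lure/C2, else None."""
    h = host.lower().rstrip(".")
    if h in KNOWN_LURE_AND_C2:
        return "known-ioc"
    if any(h == v or h.endswith("." + v) for v in VENDOR_DOMAINS):
        return None          # vendor-owned name, not a look-alike
    if LURE.search(h):
        return "lookalike"
    return None

def scan_dns_log(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue             # skip malformed lines
        _ts, endpoint, process, query = parts
        reason = classify(query)
        if reason:
            # PowerShell resolving the name matches the paste-a-command install lure.
            if process.lower() == "powershell.exe":
                reason += "+powershell"
            hits.append(Hit(endpoint, query.lower(), reason))
    return hits

# Constructed sample log; the .us.org look-alike is invented for the test.
SAMPLE_DNS_LOG = """\
2026-04-21T10:02:11Z WS-042 chrome.exe geminicli.co.com
2026-04-21T10:02:40Z WS-042 powershell.exe gemini-setup.com
2026-04-21T10:05:40Z WS-042 powershell.exe events.msft23.com
2026-04-21T11:14:03Z WS-017 chrome.exe docs.anthropic.com
2026-04-21T11:15:30Z WS-017 powershell.exe claude-setup.com
2026-04-21T12:01:00Z WS-099 chrome.exe geminicli-install.us.org
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit.endpoint} {hit.host} {hit.reason}")
```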
