EclecticIQ researchers identified an SEO poisoning campaign in early March 2026 that used typosquatted domains to impersonate Gemini CLI and Claude Code installation pages, per the EclecticIQ report (blog.eclecticiq.com).
Infosecurity Magazine and SOC Prime corroborated the activity in independent reporting, noting the campaign surfaced fake domains above legitimate search results.
Independent researcher @g0njxa first flagged the Gemini CLI impersonation on April 21, 2026, according to Infosecurity Magazine.
Observed attacker-controlled domains include geminicli.co.com, gemini-setup.com, claudecode.co.com, and claude-setup.com, and exfiltration was observed to domains such as events.msft23.com, as documented by GBHackers, EclecticIQ, and SOC Prime.
The malicious landing pages instruct developers to copy a single PowerShell command; executing that command launches a fileless infostealer that runs entirely in memory via PowerShell, according to EclecticIQ and SOC Prime.
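A defender-side check for the indicators listed above, added here as an example and not taken from any of the cited reports: it scans log lines for the named domains and matches on DNS label boundaries, so look-alike hosts do not produce false hits. The four-field log format and the sample lines are constructed for illustration.

```python
import re

# Domains named on this page (lure pages plus one observed exfiltration host).
IOC_DOMAINS = {
    "geminicli.co.com", "gemini-setup.com",
    "claudecode.co.com", "claude-setup.com",
    "events.msft23.com",
}

# Host names inside a log field, with optional scheme and port.
HOST_RE = re.compile(r"(?<![\w.-])(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?", re.I)

# Constructed sample (assumed format: timestamp | machine | process | detail).
SAMPLE_LOG = [
    "2026-03-05T10:01:00Z | dev-ws-01 | powershell.exe | GET https://claude-setup.com/",
    "2026-03-05T10:01:04Z | dev-ws-01 | powershell.exe | POST https://Events.MSFT23.com:443/",
    "2026-03-05T10:02:00Z | dev-ws-02 | chrome.exe | GET https://notgemini-setup.com/",
    "2026-03-05T10:03:00Z | dev-ws-02 | chrome.exe | GET https://gemini-setup.com.example.org/",
    "2026-03-05T10:04:00Z | dev-ws-03 | chrome.exe | GET https://www.geminicli.co.com/",
]

def normalize(host):
    """Lowercase and drop a trailing root dot so 'Evil.COM.' equals 'evil.com'."""
    return host.lower().rstrip(".")

def matches_ioc(host):
    """True if host is a listed domain or a subdomain of one (label-boundary match)."""
    host = normalize(host)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan(lines):
    """Return (line_number, process, host) for every listed host seen in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing
        process, detail = fields[2].lower(), fields[3]
        for m in HOST_RE.finditer(detail):
            if matches_ioc(m.group(1)):
                hits.append((n, process, normalize(m.group(1))))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits where the process is powershell.exe deserve priority, since the lure pages described above have the victim run a PowerShell command.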