Cybercriminals Abuse SEO Poisoning To Spread Fake Gemini CLI Installers
ID: ad1796be-7701-5217-9a22-d70013d78392
STIX ID: report--ad1796be-7701-5217-9a22-d70013d78392
Feed Name: Cyber Press
Researchers observed financially motivated actors using SEO poisoning to push fake installation pages for AI developer tools (e.g., Gemini CLI, Claude Code). Victims paste a PowerShell command that loads a fileless infostealer into memory via an `irm | iex` pipeline while a legitimate package installs alongside it, giving the malware stealthy ETW/AMSI bypass, theft of credentials and session tokens from developer tools and communication apps, and exfiltration to C2 domains that mimic Microsoft services; indicators and mitigations are provided in the report.
