SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
ID: 70d6963e-4fcb-5fc4-b871-dc6af3272389
STIX ID: report--70d6963e-4fcb-5fc4-b871-dc6af3272389
Feed Name: EclecticIQ
Financially motivated eCrime actors are running an active SEO-poisoning campaign that impersonates AI coding platforms and developer tooling (Gemini CLI, Claude Code, Node.js, Chocolatey) to trick developers into pasting one-line PowerShell installers. Those installers spawn a hidden, fileless PowerShell infostealer that bypasses AMSI and ETW, harvests browser cookies, OAuth tokens, SSH and VPN keys, cloud-synced files and other sensitive artifacts, and exfiltrates the encrypted data to C2 infrastructure such as events.msft23.com and events.ms709.com, enabling follow-on hands-on-keyboard access and enterprise compromise. The report provides analysis, MITRE ATT&CK mapping, detection and mitigation recommendations, and numerous domains and file hashes as IOCs.
