www.malwarebytes.com 4/21/2026, 2:51:15 PM · via preferred

Fake Google Antigravity downloads are stealing accounts in minutes

CyberSIXT Evidence Panel Source marked as original reporting

MALWAREBYTES reports a campaign built around a trojanised Google Antigravity installer, where users download a file named Antigravity_v1.22.2.0[.]exe from a hyphenated lookalike domain at google-antigravity[.]com after searching for the real tool, which launched in November 2025.

The 138 MB installer appears legitimate, places a desktop shortcut and Start Menu entry, and then quietly runs a PowerShell script to fetch further code from opus-dsn[.]com, while spoofing a Microsoft referrer header to blend in with corporate proxies. Researchers describe the pattern as a downloader cradle, followed by a second stage that disables Defender’s scripting protections, exfiltrates a machine profile, and deploys a hidden, encrypted payload that loads two .NET assemblies in memory.
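A hunting check for the network side of that first stage, as an added example rather than code from Malwarebytes or the original report: it flags proxy events that hit the lookalike download domain, or where a PowerShell process presents a Microsoft Referer to a non-Microsoft host. The event field names, the small Microsoft domain allowlist and the `stage2.example.net` placeholder host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Download domain named on the page, kept defanged as published.
PAGE_IOCS = ["google-antigravity[.]com"]
# Assumption: a deliberately small allowlist of Microsoft-owned domains.
MS_DOMAINS = ("microsoft.com", "windows.com", "office.com", "live.com")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

def refang(indicator):
    """Turn a defanged indicator (example[.]com) into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

def under(host, domain):
    """True if host is domain or a subdomain of it (no substring matching)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def host_of(url):
    """Hostname of a URL, or '' when the header is empty or unparsable."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def findings(event):
    """Return the reasons a proxy event is suspicious (empty list = clean)."""
    reasons = []
    dest = event["dest_host"]
    if any(under(dest, refang(i)) for i in PAGE_IOCS):
        reasons.append("ioc-domain")
    ref_is_ms = any(under(host_of(event.get("referer", "")), d) for d in MS_DOMAINS)
    dest_is_ms = any(under(dest, d) for d in MS_DOMAINS)
    # Referer claims a Microsoft page, but a script host is talking to someone else.
    if event["process"].lower() in SCRIPT_HOSTS and ref_is_ms and not dest_is_ms:
        reasons.append("spoofed-microsoft-referer")
    return reasons

# Constructed events (proxy log joined with process name); not real telemetry.
MS_REF = "https://www.microsoft.com/"
SAMPLE_EVENTS = [
    {"process": "chrome.exe", "dest_host": "www.google-antigravity.com", "referer": ""},
    {"process": "powershell.exe", "dest_host": "stage2.example.net", "referer": MS_REF},
    {"process": "powershell.exe", "dest_host": "download.microsoft.com", "referer": MS_REF},
    {"process": "msedge.exe", "dest_host": "news.example.org", "referer": MS_REF},
]

if __name__ == "__main__":
    print(*[(e["dest_host"], findings(e)) for e in SAMPLE_EVENTS], sep="\n")
```

The last two constructed events stay clean on purpose: PowerShell reaching a Microsoft host, and a browser following a link away from a Microsoft page, are both normal traffic.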

The decrypted payload is a stealer that targets browsers, messaging apps, gaming platforms, FTP clients, and crypto wallets to harvest Logins, Cookies, Autofills, and FtpConnections. The knock-on effect is that stolen session cookies enable account takeover within minutes. According to CNET, this evolution mirrors a broader trend of AI-tool lookalikes and trojanised installers designed to monetise victims quickly.


Article by CyberSIXT
