Security researchers at EclecticIQ have detected a malicious campaign that uses fake sites mimicking Google's Gemini coding tool and Anthropic's Claude Code to distribute information-stealing malware. The campaign employs SEO poisoning to rank these fake domains higher in search results, directing users to malicious pages that lead to the installation of an infostealer targeting Windows systems.
The malware harvests sensitive data from browsers, collaboration tools like Slack and Microsoft Teams, and more, potentially granting attackers access to corporate environments. The analysis indicates that the targeted domains were strategically chosen to focus on users in the US and UK. Furthermore, examination of the attack reveals similarities between the approaches used for both Gemini and Claude, suggesting a single threat actor is behind both impersonation campaigns.
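Because the campaign relies on lookalike domains that users reach through search results, one practical defensive check is to scan web-proxy logs for hosts that carry or closely resemble the impersonated brand names without being on an allowlist of the vendors' real domains. The script below is an added example written for this page, not code from EclecticIQ or from the report; the log lines, the `.example` lookalike hosts and the allowlist entries are constructed for illustration and are not indicators from the campaign, and an operator would substitute their own maintained allowlist and a public-suffix-aware domain parser.

```python
"""Flag lookalike domains impersonating AI coding tools in proxy logs.

Added example (not part of the EclecticIQ report). The sample log lines
and the '.example' lookalike hosts below are constructed for illustration,
not indicators from the campaign. ALLOWLIST is an assumed starting point
that an operator should maintain themselves.
"""
import re
from difflib import SequenceMatcher

# Assumed legitimate hosts/domains for the two impersonated tools.
ALLOWLIST = {"gemini.google.com", "claude.ai", "anthropic.com", "google.com"}

# Brand tokens whose presence in an unlisted host is suspicious.
BRAND_TOKENS = ("gemini", "claude", "anthropic")

# Minimum similarity (0..1) between a host label and a brand token to
# treat the label as a typosquat; 0.8 catches single-character swaps.
SIMILARITY_THRESHOLD = 0.8

# Constructed proxy log lines: <timestamp> <user> <method> <url>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice GET https://gemini.google.com/app
2024-05-01T10:00:05Z bob GET https://claude.ai/login
2024-05-01T10:01:12Z carol GET https://gemini-cli-download.example/setup.exe
2024-05-01T10:02:30Z dave GET https://claudecode-install.example/ClaudeCode.exe
2024-05-01T10:03:44Z erin GET https://docs.anthropic.com/claude-code
2024-05-01T10:04:10Z frank GET https://www.google.com/search?q=gemini
2024-05-01T10:05:00Z grace GET https://gemlni-tool.example/download
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
HOST_RE = re.compile(r"^https?://([^/:?]+)")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Sufficient for this illustration;
    a real deployment should use the public suffix list instead."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_allowlisted(host: str) -> bool:
    """A host is trusted if it, or its registrable domain, is allowlisted."""
    host = host.lower()
    return host in ALLOWLIST or registrable_domain(host) in ALLOWLIST


def brand_similarity(host: str):
    """Return (brand_token, ratio) for the host label closest to any brand.
    Labels are split on '.' and '-' so 'gemlni-tool.example' is compared
    label by label."""
    best = ("", 0.0)
    for label in re.split(r"[.-]", host.lower()):
        for token in BRAND_TOKENS:
            ratio = SequenceMatcher(None, label, token).ratio()
            if ratio > best[1]:
                best = (token, ratio)
    return best


def classify_host(host: str):
    """Return (suspicious, reason) for a single host."""
    h = host.lower()
    if is_allowlisted(h):
        return False, "allowlisted"
    # Exact brand token embedded in an unlisted host (e.g. 'claudecode-install').
    for token in BRAND_TOKENS:
        if token in h:
            return True, f"brand token '{token}' in unlisted host"
    # Near-miss spelling of a brand token (e.g. 'gemlni').
    token, ratio = brand_similarity(h)
    if ratio >= SIMILARITY_THRESHOLD:
        return True, f"label resembles '{token}' (similarity {ratio:.2f})"
    return False, "no match"


def analyze_log(text: str):
    """Parse proxy log lines and return one finding per suspicious host."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, user, _method, url = m.groups()
        hm = HOST_RE.match(url)
        if not hm:
            continue
        host = hm.group(1)
        suspicious, reason = classify_host(host)
        if suspicious:
            findings.append({"time": ts, "user": user, "host": host, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['time']} {f['user']:<6} {f['host']:<32} {f['reason']}")
```

The allowlist check runs before the brand-token test so that the vendors' own hosts (including subdomains such as `docs.anthropic.com`) are never flagged, and the similarity pass only fires for hosts that survived both earlier checks. The constructed log above yields three findings (for the users carol, dave and grace); in production the findings would be correlated with subsequent downloads of executables from the same host, since that is the step that turns a lookalike visit into an infostealer installation.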