A sophisticated cyber campaign targets software engineers through social engineering, including a deceptive, malicious AI installer. The threat actors use SEO poisoning so that fake installation links rank above the legitimate ones in search results. Once a developer runs the malicious install command, a script executes in the background and downloads an infostealer payload while appearing to install the intended software.
The malware incorporates anti-analysis measures to evade detection and interrogates the host in detail, extracting sensitive data such as passwords and session cookies from corporate applications. It communicates with its command-and-control infrastructure to receive and execute further commands, posing a significant risk to organizations. Over 30 related malicious domains mimic developer tools, which makes strict security policies in software development environments a necessity.