Global Malicious AI Installer Campaign Targets Developer Workstations

Cybercriminals are currently targeting software engineers with advanced social engineering tactics. Specifically, threat actors launched a highly deceptive malicious AI installer campaign in early March 2026. Analysts from EclecticIQ identified this active operation tracking developer workflows. The campaign specifically compromises environments running popular new command-line interfaces. For example, the hackers mimic official setup portals for Google’s Gemini CLI and Anthropic’s Claude Code. Consequently, companies face severe supply chain risks as development systems suffer immediate compromise.

Exploiting Search Engine Trust via SEO Poisoning

To begin with, the infection chain exploits standard software acquisition habits. Developers looking for installation files often trust top search results blindly. Therefore, the adversaries use aggressive search engine optimization (SEO) poisoning techniques. This typosquatted infrastructure surfaces malicious links above legitimate open-source code repositories. When a user clicks the fake result, they encounter a cloned installation guide. The site visually replicates authentic vendor documentation completely. Furthermore, it instructs the visitor to execute a single PowerShell line inside their terminal to install the tool.

The Dual-Pronged Execution Strategy

Once the developer runs the copied command, a hidden script orchestrates a double-pronged attack. In the background, the script instantiates a hidden application shell object. This concealed process downloads a fileless infostealer downloader payload directly into active system memory. Meanwhile, the script runs legitimate installation commands in the foreground. For instance, it executes standard global package steps like npm install -g @google/gemini-cli. Thus, the real application completes its setup smoothly while the spyware executes silently alongside it.

Analyzing the Successful Installation Lure

As a result, the victim notices zero immediate red flags during the compromise. The terminal displays standard progress bars, dependency trees, and successful output messages. The official threat report documents this clever visual deception clearly. The report states: “The victim sees a real installation complete successfully in their terminal, dependency resolution, progress bars, and a working CLI binary at the end.” Consequently, the engineer begins using the utility normally. However, the infostealer has already finalized its data collection routine in the background.

Advanced Anti-Analysis and Defensive Evasion

Next, the threat actor neutralizes core Windows defense mechanisms to operate freely. The malicious code modifies the PSEtwLogProvider.m_enabled flag to suppress local event tracing. In addition, it patches the Antimalware Scan Interface (AMSI) to disable script scanning completely. To avoid automated detection inside virtual environments, it executes an anti-sandbox validation gate. The script checks for the presence of specific virtualized device strings like qemu-ga. Ultimately, these bypasses render modern detection tools inoperative throughout the execution cycle.

Deep Host Interrogation and Data Staging

Furthermore, the malware utilizes runtime C# code injection to interrogate the system. It invokes native APIs to extract passwords directly from Windows Credential Manager. The script also targets corporate communication applications to gather corporate intelligence. For instance, it scrapes browser profiles, session cookies, and login keys across Chrome, Edge, and Brave. Specifically, it extracts session cookies and decryption keys from Slack, Microsoft Teams, and Discord. This comprehensive scope ensures the actor harvests tokens spanning both personal and corporate context accounts.

Remote Code Execution and Staging Endpoints

After completing data staging, the implant transmits encrypted outputs to its control infrastructure. The malware utilizes specific endpoints like /take, /process, and /validate to communicate with the host events.msft23.com. Beyond credential harvesting, the response payload delivers an RSA-encrypted task list back to the machine. The implant decrypts this list to run arbitrary follow-on commands. Consequently, operators can transition into active hands-on-keyboard intrusions to execute interactive code inside the network.

Broad Campaign Infrastructure and Pivots

Ultimately, the threat actors manage an extensive network of malicious staging domains. This widespread malicious AI installer campaign reaches far beyond terminal assistant software. By evaluating DNS passive records, analysts uncovered over 30 related registration items. These setups impersonate other developer services like Node.js, Chocolatey, and KeePassXC. They even incorporate cryptocurrency lures to extract Monero assets from active programming targets. Therefore, software development companies must enforce strict script execution policies to prevent catastrophic enterprise access losses.