SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

Pulse ID: 6a1fdb5a86db28bb159b376e
Pulse Link: https://otx.alienvault.com/pulse/6a1fdb5a86db28bb159b376e
Pulse Author: Tr1sa111
Created: 2026-06-03 07:44:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #SEOPoisoning #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Fake Anthropic websites are being used to target #ClaudeCode users with a fileless infostealer campaign that steals browser credentials and evades detection.

Read: https://hackread.com/fake-anthropic-sites-fileless-infostealer-claude-code-users/

#CyberSecurity #Anthropic #Claude #AI #Infostealer #SEOPoisoning

Fake Anthropic Sites Deliver Fileless Infostealer to Claude Code Users


Hackread - Cybersecurity News, Data Breaches, AI and More

GPU mining malware spreads via SEO poisoning and AI chatbot manipulation

Beware of a sneaky malware that's spreading through manipulated AI chatbot responses and search engine poisoning, tricking users into downloading GPU mining malware. Victims unknowingly stumble upon malicious links while searching for popular software or getting recommendations from AI assistants.

https://osintsights.com/gpu-mining-malware-spreads-via-seo-poisoning-and-ai-chatbot-manipulation?utm_source=mastodon&utm_medium=social

#SeoPoisoning #GpuMiningMalware #AiChatbotManipulation #MalwareOperations #EmergingThreats


Learn how GPU mining malware spreads through SEO poisoning and AI chatbot manipulation, and protect your system now with expert tips and best practices.

OSINTSights

From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11


#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault


📣🚨 Cybercriminals are using SEO poisoning and fake Gemini and Claude installer sites to infect developers with fileless malware, steal credentials, hijack sessions, and infiltrate corporate networks.

Read more: https://hackread.com/trojan-gemini-claude-installers-developers-seo-poisoning/

#CyberSecurity #Malware #SEOpoisoning #AI #Gemini #Claude

Trojanized Gemini and Claude Installers Target Developers Via SEO Poisoning

Cybercriminals are using SEO poisoning and fake Gemini and Claude installer sites to infect developers with fileless malware and steal data.


Iranian Hackers Deploy AI-Backed MiniFast Backdoor via Phishing and SEO Poisoning

Iranian hackers have escalated their cyber attacks, leveraging AI-powered tools to craft malware and targeting key sectors like aviation, defense, and telecommunications across the US, Europe, and the Middle East. Their sophisticated tactics, including phishing and SEO poisoning, have allowed them to spy on…

https://osintsights.com/iranian-hackers-deploy-ai-backed-minifast-backdoor-via-phishing-and-seo-poisonin?utm_source=mastodon&utm_medium=social

#IranianHackers #AibackedMalware #MinifastBackdoor #SeoPoisoning #Phishing


Learn how Iranian hackers use AI-backed malware and SEO poisoning to deploy the MiniFast backdoor, and take steps to protect your organization now from these threats.


Iran-Linked Hackers Target US Aviation with Sophisticated Phishing and SEO Poisoning

Meet Nimbus Manticore, an Iran-linked hacking group that's back with a vengeance, using clever phishing and SEO poisoning tactics to target the US aviation industry in a series of sophisticated attacks. Their latest campaign, which ran from February to April 2026, marked a significant expansion into aviation,…

https://osintsights.com/iran-linked-hackers-target-us-aviation-with-sophisticated-phishing-and-seo-poiso?utm_source=mastodon&utm_medium=social

#IranlinkedHackers #UsAviation #Phishing #SeoPoisoning #OperationEpicFury


Iran-linked hackers target US aviation with sophisticated phishing and SEO poisoning, learn how to protect your business from these threats now.


Kong RAT: the new SEO poisoning campaign with a NativeAOT .NET 10 dropper targeting Chinese developers

eSentire TRU has documented Kong RAT, a modular implant distributed via counterfeit installers for FinalShell, Xshell, QuickQ and Clash. The six-stage chain uses a NativeAOT .NET 10 dropper (not analyzable with the classic CLR tools), DLL sideloading on rc.exe, PEB masquerading as explorer.exe, and shellcode executed via an EnumWindows callback. A step up in quality compared to the Gh0st/kkRAT campaigns.

https://insicurezzadigitale.com/kong-rat-la-nuova-campagna-di-seo-poisoning-con-dropper-nativeaot-net-10-che-prende-di-mira-gli-sviluppatori-cinesi/

Dios mio! While researching a particular type of Colombian folk music, we stumbled across a .edu domain selling... accordions? Our first thought was potentially domain hijacking, but it appears to be more likely an exploitation of CVE-2026-27210 (TLDR; cross-site scripting). While the vulnerability has been patched in the plugin itself, not all pages have updated their plugins, and search engines have already indexed the poisoned pages! Pivoting led to 50+ additional domains found spread across three risky TLDs: .sbs, .pics, and .shop. The domains on .sbs and .pics appear to be config servers to exploit the vulnerability; the domains on .shop are the landing pages where victims can be scammed.

IOCs:
000o[.]sbs,0pen[.]sbs,123buys[.]shop,123me[.]shop,1bg[.]pics,1ki[.]pics,1mage[.]sbs,1ql[.]pics,1ty[.]pics,1vi[.]pics,1wr[.]pics,2ty[.]pics,569oagri[.]shop,66buys[.]shop,6ip[.]pics,6ym[.]pics,7rt[.]pics,8pi[.]pics,99buys[.]shop,99i[.]pics,9gwe[.]shop,a25n[.]shop,bk2[.]pics,bk59t[.]shop,buysok[.]shop,c68k[.]shop,cc1[.]pics,doo[.]pics,ep7[.]pics,estore-1[.]com,g9gvv[.]sbs,gaer896[.]shop,gm5[.]pics,gosok[.]shop,gt3[.]pics,h66p[.]shop,hh6[.]pics,iilvw[.]sbs,im9[.]pics,img1[.]sbs,in6[.]pics,jj3[.]pics,kk9[.]pics,lilil[.]sbs,llvvw[.]sbs,m66p6[.]shop,mebuys[.]shop,mg6[.]pics,mh8f6k[.]shop,mkk[.]pics,ms1[.]pics,nn6[.]pics,onsgs[.]com,p6[.]pics,p888p[.]shop,pan1[.]top,pic1[.]sbs,pic2[.]sbs,pt11[.]sbs,py3y[.]com,qq1[.]pics,rey89p[.]shop,shop56[.]shop,t88t8[.]shop,tp1[.]pics,tp9[.]pics,trues[.]sbs,up9[.]pics,upimg[.]sbs,uu2[.]pics,vt5[.]pics,vteyu[.]shop,vvf1[.]sbs,vvp1[.]sbs,w2w[.]pics,w88p[.]shop,wp59q[.]shop,wvlll[.]sbs,wvv1[.]sbs,wvvvv[.]sbs,x2p[.]pics,xyaer548[.]shop,yi1[.]pics

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #seo_poisoning #seopoisoning

"SEO Poisoning - My site has been under attack for a year"

#Référencement #SEO #Korben #Blog #SEOpoisoning ...

https://korben.info/seo-poisoning-temoignage.html

SEO Poisoning - My site has been under attack for a year - Korben

SEO poisoning, have you heard of it? It's when your search ranking gets wrecked because your site ends up associated with casino sites, ...

Korben's site