Fake Anthropic websites are being used to target #ClaudeCode users with a fileless infostealer campaign that steals browser credentials and evades detection.

Read: https://hackread.com/fake-anthropic-sites-fileless-infostealer-claude-code-users/

#CyberSecurity #Anthropic #Claude #AI #Infostealer #SEOPoisoning

Fake Anthropic Sites Deliver Fileless Infostealer to Claude Code Users

Hackread - Cybersecurity News, Data Breaches, AI and More

GPU mining malware spreads via SEO poisoning and AI chatbot manipulation

Beware of a sneaky malware that's spreading through manipulated AI chatbot responses and search engine poisoning, tricking users into downloading GPU mining malware. Victims unknowingly stumble upon malicious links while searching for popular software or getting recommendations from AI assistants.

https://osintsights.com/gpu-mining-malware-spreads-via-seo-poisoning-and-ai-chatbot-manipulation?utm_source=mastodon&utm_medium=social

#SeoPoisoning #GpuMiningMalware #AiChatbotManipulation #MalwareOperations #EmergingThreats

GPU mining malware spreads via SEO poisoning and AI chatbot manipulation

Learn how GPU mining malware spreads through SEO poisoning and AI chatbot manipulation, and protect your system now with expert tips and best practices.

OSINTSights

From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

📣🚨 Cybercriminals are using SEO poisoning and fake Gemini and Claude installer sites to infect developers with fileless malware, steal credentials, hijack sessions, and infiltrate corporate networks.

Read more: https://hackread.com/trojan-gemini-claude-installers-developers-seo-poisoning/

#CyberSecurity #Malware #SEOpoisoning #AI #Gemini #Claude

Trojanized Gemini and Claude Installers Target Developers Via SEO Poisoning

Cybercriminals are using SEO poisoning and fake Gemini and Claude installer sites to infect developers with fileless malware and steal data.

Hackread - Cybersecurity News, Data Breaches, AI and More

Iranian Hackers Deploy AI-Backed MiniFast Backdoor via Phishing and SEO Poisoning

Iranian hackers have escalated their cyber attacks, leveraging AI-powered tools to craft malware and targeting key sectors like aviation, defense, and telecommunications across the US, Europe, and the Middle East. Their sophisticated tactics, including phishing and SEO poisoning, have allowed them to spy on…

https://osintsights.com/iranian-hackers-deploy-ai-backed-minifast-backdoor-via-phishing-and-seo-poisonin?utm_source=mastodon&utm_medium=social

#IranianHackers #AibackedMalware #MinifastBackdoor #SeoPoisoning #Phishing

Iranian Hackers Deploy AI-Backed MiniFast Backdoor via Phishing and SEO Poisoning

Learn how Iranian hackers use AI-backed malware and SEO poisoning to deploy the MiniFast backdoor, and take steps to protect your organization now from these threats.

OSINTSights

Iran-Linked Hackers Target US Aviation with Sophisticated Phishing and SEO Poisoning

Meet Nimbus Manticore, an Iran-linked hacking group that's back with a vengeance, using clever phishing and SEO poisoning tactics to target the US aviation industry in a series of sophisticated attacks. Their latest campaign, which ran from February to April 2026, marked a significant expansion into aviation,…

https://osintsights.com/iran-linked-hackers-target-us-aviation-with-sophisticated-phishing-and-seo-poiso?utm_source=mastodon&utm_medium=social

#IranlinkedHackers #UsAviation #Phishing #SeoPoisoning #OperationEpicFury

Iran-Linked Hackers Target US Aviation with Sophisticated Phishing and SEO Poisoning

Iran-linked hackers target US aviation with sophisticated phishing and SEO poisoning. Learn how to protect your business from these threats now.

OSINTSights

Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict

The Iranian IRGC-affiliated threat actor Nimbus Manticore launched sophisticated cyber operations during Operation Epic Fury, the US military campaign against Iran beginning February 28, 2026. The campaigns targeted organizations in aviation and software sectors across the United States, Europe, and Middle East using career-themed phishing lures. For the first time, the actor employed SEO poisoning techniques and introduced MiniFast, a previously undocumented backdoor showing signs of AI-assisted development. The operations leveraged AppDomain hijacking and abused legitimate Zoom installer execution flows for malware deployment. The actor demonstrated rapid adaptation capabilities during wartime conditions, maintaining high operational availability while expanding targeting to US-based aviation companies. Multiple campaign waves were observed from February through April 2026, with persistent infrastructure and evolving techniques.

Pulse ID: 6a141fcbde28865faa897cb4
Pulse Link: https://otx.alienvault.com/pulse/6a141fcbde28865faa897cb4
Pulse Author: AlienVault
Created: 2026-05-25 10:09:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Europe #IRGC #InfoSec #Iran #Malware #MiddleEast #Military #Nim #OTX #OpenThreatExchange #Phishing #RAT #SEOPoisoning #UnitedStates #Zoom #bot #AlienVault

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

Pulse ID: 6a1284484825661a86bd817e
Pulse Link: https://otx.alienvault.com/pulse/6a1284484825661a86bd817e
Pulse Author: Tr1sa111
Created: 2026-05-24 04:53:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #SEOPoisoning #bot #Tr1sa111

SEO Poisoning Infostealer Campaign via Gemini CLI and Claude Code

Pulse ID: 6a123407891a0247298ffc64
Pulse Link: https://otx.alienvault.com/pulse/6a123407891a0247298ffc64
Pulse Author: cryptocti
Created: 2026-05-23 23:11:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #SEOPoisoning #bot #cryptocti

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attackers position fake domains above legitimate search results, directing victims to malicious installation pages that deliver fileless PowerShell-based infostealer malware. The malware executes entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests credentials from browsers, collaboration platforms, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, providing direct enterprise network access. The campaign leverages bulletproof hosting infrastructure and over 30 typosquatted domains registered between March and April 2026, primarily targeting users in the United States and United Kingdom.

Pulse ID: 6a0f06681c6ea37a99ec7d21
Pulse Link: https://otx.alienvault.com/pulse/6a0f06681c6ea37a99ec7d21
Pulse Author: AlienVault
Created: 2026-05-21 13:19:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #InfoSec #InfoStealer #Malware #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SEOPoisoning #UnitedKingdom #UnitedStates #VPN #Windows #bot #developers #AlienVault
