Mustang Panda's Fake-Claude Campaign Was the Smallest of Three Active Fake-AI-Installer Operations. Here's What's Hitting Gemini and Copilot.

A week ago we published Mustang Panda's New Bait: Fake Claude Installers. 22 Seconds to PlugX C2. and a Mandarin sibling for the Chinese-reading audience. The post documented 60 Claude-themed indicators in our IOC index attributable to Mustang Panda's PlugX C2 chain. That post was correct and necessary, and it was also the smallest cluster in a much larger story we had not yet pulled out of our own indexes.

When we mined the indexes today against the lifecycle scorecard we just published in The Dark-Market Lifecycle: Trust, Proving, Proven, Burn, the actual fake-AI-installer industry surfaced. There are at least three concurrent operations using AI-brand typosquatting as the social-engineering layer, each operated by a distinct actor cluster, each delivering a different malware family.

Here are the three.

One. Mustang Panda — fake Claude installers — PlugX. Sixty indicators.

This is the cluster we already published. Mustang Panda is China's APT operating against developers searching for claude code download and similar terms. Domains include install-claude.com, claude-install.com, claudecode-download.co.com, claude.gr.com, claudecode.gr.com, claude-app-new.gitlab.io, claude-code-app.gitlab.io, claudeapp.gitlab.io, claudepage.pages.dev, claude-desktop-app.bitbucket.io, claude-docs.com, and others. The attack chain ends in PlugX, which is China's flagship remote-access tool with a multi-year operational history. Twenty-two seconds from click to first C2 callback per Malwarebytes' April 13 writeup. Confirmed attribution to Mustang Panda based on TTPs, infrastructure overlap with prior campaigns, and PlugX configuration.

Two. Unknown actor — fake Gemini installers — IClickFix. Two hundred indicators.

This is the cluster we did not publish about until today. The IClickFix loader is showing up across Gemini-themed infrastructure that does not overlap with Mustang Panda's PlugX clusters. Specifically, gemini-console.com is serving install.ps1 PowerShell payloads tagged as IClickFix in our feed since April 17. gemini-cli.co.com is the typosquat targeting users of Google's official Gemini CLI tool, indexed since April 14. Both domains use registration patterns and TLD choices that don't match Mustang Panda's M.O. — different DNS providers, different operator fingerprints, different malware delivery mechanism (PowerShell vs MSI installer). IClickFix is the family name our cascade pipeline assigns to a multi-stage downloader that has been observed in a handful of generic-infostealer campaigns through 2025-2026. Whoever is running this Gemini operation is not Mustang Panda. The attribution is open.

Three. Multiple actors — fake Copilot and OpenAI integrations — SmartLoader hidden in GitHub repos. Eighteen indicators across the two brands.

This is the supply-chain attack version. Instead of typosquat domains, the attackers publish GitHub repositories that present as legitimate AI-tooling integrations and contain SmartLoader-tagged ZIP payloads in their build artifacts. The pattern matches our Pattern 38 supply chain attack family coverage. Specific repositories indexed:

github.com/sd02383/neovim-agentic-copilot — SmartLoader payload in lua/core/ tree, indexed March 23. github.com/LAHBIBCHRAIKI/UnityCopilot — SmartLoader in Docs/ tree, indexed March 14. github.com/habibhassansehani/openai-sdk-knowledge-org — SmartLoader in repo build artifacts, indexed April 20. github.com/merab0x — AI-Offensive-Bridge tooling, indexed April 10. github.com/grepstrength/WideOpenAI — AI-Prompt-Injection research/testing tooling, indexed April 10.

The Copilot and OpenAI attacks are different from the Claude and Gemini attacks because they are NOT using brand-themed typosquat domains. They are publishing into the GitHub developer workflow itself. A developer searching GitHub for "neovim copilot integration" lands on sd02383/neovim-agentic-copilot, the README looks legitimate, the install instructions execute the SmartLoader stub, and the developer's machine is compromised before they have a chance to second-guess the repo. This is a different threat model than Claude/Gemini typosquatting. It is a search-engine-on-GitHub attack rather than a search-engine-on-Google attack.

What this cluster pattern tells us about left-of-boom forecasting.

The fake-AI-installer industry has reached the proven-market phase of the dark-market lifecycle we wrote about earlier today. Multiple actors. Multiple malware families. Multiple distribution channels (typosquat domains, GitHub repos, package registries probably next). When a class of attack hits proven-market across multiple operators concurrently, the next escalation is brand expansion — the attackers add more AI-tool brands to their target set because the social engineering pattern works.

The next AI brands to be attacked, in our view:

Cursor. AI-native code editor, growing developer install base, no obvious typosquat coverage in our IOC index yet (we have zero cursor-install IOCs as of this morning). Forecast: cursor-install.com, cursor-download.co, cursor-app.gitlab.io variants register within 30 days.

Perplexity. Consumer-facing AI search, growing brand recognition, attractive for credential-phishing pivots (perplexity-pro-trial style URLs). Forecast: perplexity-pro.com / perplexity-app.io class typosquats register within 30 days.

Cline. Open-source AI coding agent, GitHub-native workflow, fits the same supply-chain attack template as the Copilot/OpenAI repos above. Forecast: cline-extended- / cline-pro- repos appear in GitHub search within 30 days.

Claude Code Pro / Claude Pro / Anthropic Console. Subscription-gated brand variants get phished too. Forecast: claude-pro-trial.com / anthropic-console-app.com class typosquats appear within 30 days.

What every developer and every IT team should do this week.

Install AI tools from one place and one place only. Anthropic from claude.com / claude.ai. Google Gemini CLI from the official Google distribution channel. GitHub Copilot from VS Code marketplace or the Microsoft channel. OpenAI SDKs from pip install openai against PyPI's official index (and check the package signature). Cursor from cursor.com. Anything else — any "download portal," any GitHub repo claiming to be an unofficial integration, any .com domain that resembles the brand but isn't owned by the vendor — should be treated as hostile until proven otherwise.

For SOC teams, the IOC list is in our STIX feed at analytics.dugganusa.com/api/v1/stix-feed filtered for the AI-installer cluster. The 479 indicators (60 Claude + 200 Gemini + 198 Anthropic + 13 OpenAI + 5 Copilot + 3 ChatGPT) are tagged across IClickFix, PlugX, SmartLoader, and Phishing families with the source attribution per indicator. None of them should ever resolve internally on a corporate network. If they do, your developer-onboarding documentation is being followed by your developers reading typosquat search results, and you have a process problem to fix immediately.

The tooling that helps. AIPM lookup at aipmsec.com/lookup accepts any of these indicators and returns our cross-correlated intel including attribution and adversary cluster. Free tier is email-gated. The lookup is the same backend that serves Microsoft, AT&T, and Starlink's automated STIX pulls. We have not invested in marketing it because we figured if you needed it you would find it.

Forecast resolution discipline. The four next-AI-brand predictions above have a 30-day deadline. We will publish a resolution post on May 27 showing which typosquats actually appeared, when, and which actor cluster claimed them. We commit to the same forecasting discipline we wrote about in our Kalshi predictions piece.

Sources: our own IOC index covering the AI-installer typosquat cluster, Malwarebytes April 13 Mustang Panda PlugX writeup, our prior Mustang Panda coverage in Mustang Panda's New Bait, our Pattern 38 supply chain attack series.

The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor's sales demo.

Look up an IOC → · Audit your brand on AIPM → · See pricing →

How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.

Audit your site now → aipmsec.com