A fake Google Antigravity download is exposing user accounts to compromise within minutes. What looks like a normal install actually delivers the real app along with hidden malware, giving attackers a quiet way in.
The campaign centers on a trojanized installer distributed through a lookalike domain that closely mimics the real Antigravity download site. Victims receive the full working application, but a hidden script connects to attacker-controlled servers and can later deploy data-stealing malware.
Once activated, it can extract browser sessions, saved credentials, and other sensitive data, allowing attackers to access accounts almost immediately without needing passwords.
Trojanized installer hides in plain sight
Malwarebytes reported that the attackers used a typosquatted domain, google-antigravity[.]com, to distribute a modified version of the Antigravity installer. The file included the full legitimate application but added a hidden PowerShell step during installation.
“The attacker didn’t build a convincing fake; they took the genuine Antigravity installer, added one additional step to run their PowerShell script during setup, and repackaged the result,” Malwarebytes stated.
IBM X-Force Intelligence also described the campaign as a trojanized installer that connects to a remote server to retrieve additional malicious code.
The app installs and functions normally, so users have little reason to suspect compromise. Meanwhile, the embedded script connects to the attacker’s infrastructure and waits for further instructions.
Rapid account takeover through stolen sessions
If the attacker activates the second stage, the malware disables key Windows protections and deploys encrypted payloads that persist on the system.
The malware is designed to harvest sensitive data across multiple sources, including:
- Browser cookies and saved credentials
- Messaging and gaming platform logins
- Cryptocurrency wallet data and FTP credentials
Malwarebytes said session cookies pose the most immediate risk. They allow attackers to bypass passwords and multi-factor authentication by reusing active sessions.
“As far as the website is concerned, the user is already signed in. The gap between infection and account takeover can be minutes,” Malwarebytes emphasized.
The malware also supports clipboard hijacking, keystroke logging, and hidden desktop environments that allow attackers to operate without being visible on the user’s screen, according to IBM X-Force.
Popular developer tools draw attacker interest
The campaign reflects a familiar pattern. New software launches often attract lookalike domains and trojanized downloads shortly after release.
Google Antigravity, introduced in November 2025, quickly gained traction, making it an easy target for attackers. Many users rely on search results instead of verified URLs, increasing the risk of landing on malicious sites.
Security teams advise verifying download sources and checking for unusual activity after installing new tools. IBM X-Force recommends that users sign out of active sessions, change passwords, rotate API keys, and reinstall systems if they suspect compromise.
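As an added illustration of the "verify download sources" advice above (example code, not from the article, Malwarebytes or IBM X-Force): a small Python check that refangs an indicator such as google-antigravity[.]com and flags any hostname that carries the product's brand tokens but sits on a registrable domain outside an allowlist. The allowlist entries are an assumption, since the article does not name the official download host.

```python
import re
from urllib.parse import urlsplit

# ASSUMPTION: the article does not state the official download host, so this
# allowlist is illustrative. Entries are registrable domains (what the vendor owns).
TRUSTED_DOMAINS = {"google.com", "antigravity.google"}

# Brand tokens whose presence on an untrusted host suggests a lookalike domain.
BRAND_TOKENS = ("google", "antigravity")


def refang(indicator: str) -> str:
    """Turn defanged notation (hxxp, [.], (.)) back into a parseable URL or host."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    return s


def hostname_of(indicator: str) -> str:
    """Extract the lowercase hostname from a URL or bare host, defanged or not."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s          # bare host: add a scheme so urlsplit parses it
    host = urlsplit(s).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Heuristic: fine for .com/.google style names,
    wrong for multi-label public suffixes such as co.uk (use a PSL library there)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_download_host(indicator: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a download URL or host."""
    host = hostname_of(indicator)
    if not host:
        return "unrelated"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # A brand token anywhere in the hostname (including inside a label such as
    # "google-antigravity") on a domain the vendor does not own is the typosquat
    # pattern described in the article.
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"
```

Feed it the URL a download was actually fetched from (proxy logs, browser history); a "lookalike" verdict is the cue to treat the installed software as untrusted.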