Cisco Talos uncovers CyberLock ransomware, Lucky_Gh0$t, and Numero malware masquerading as legitimate software and AI tool installers. Find out how these fake installers exploit businesses in sales, tech, and marketing.
Cybersecurity researchers at Cisco Talos have revealed that the growing presence of Artificial Intelligence (AI) in the business world has opened new opportunities for cybercriminals. Threat actors are hiding malicious software inside fake installers for AI tools, tricking businesses into downloading malware. This new wave includes ransomware like CyberLock and Lucky_Gh0$t, and destructive malware called Numero.
According to the researchers, these fake AI tool installers are distributed through various online channels, including SEO poisoning (manipulating search engine rankings) so that the fake websites appear at the top of search results. Additionally, social media and messaging platforms like Telegram are used to spread their malicious links.
Businesses, especially those in sales, technology, and marketing, are prime targets because they frequently use legitimate AI tools for automation, data analysis, and customer engagement.
As detailed in Cisco Talos’ report, shared with Hackread.com ahead of its publication on Thursday, May 29, when unsuspecting users download seemingly harmless installers, they unknowingly invite malware onto their systems, putting sensitive business data and financial assets at risk and eroding trust in genuine AI solutions.
Cisco Talos Exposes Multiple Threats
CyberLock Ransomware
This ransomware, observed as early as February 2025, poses as a lead monetization AI platform called NovaLeadsAI. Its operators have created a fake website, ‘novaleadsaicom,’ to mimic the real ‘novaleads.app.’ They even offered deceptive “free access” for the first year to lure victims.
Once downloaded, a file named ‘NovaLeadsAI.exe’ deploys the CyberLock ransomware. This ransomware, written in PowerShell with embedded C# code, encrypts various file types, including documents, spreadsheets, images, and videos, and demands a $50,000 ransom in Monero (XMR) cryptocurrency.
As a manipulative tactic, the cybercriminals falsely claim the ransom will support humanitarian aid in regions like Palestine, Ukraine, Africa, and Asia. CyberLock also attempts to wipe free space on the hard drive via the built-in Windows tool ‘cipher.exe’, making it harder to recover deleted files.
Lucky_Gh0$t Ransomware
This Yashma ransomware variant (part of the Chaos ransomware family) is distributed through fake ChatGPT installers, usually as ‘ChatGPT 4.0 full version – Premium.exe’. This malicious installer includes a file called ‘dwn.exe’, which is the ransomware, alongside legitimate Microsoft AI tools, likely in order to evade detection.
Lucky_Gh0$t encrypts files smaller than 1.2GB and also exhibits destructive behaviour toward larger files, overwriting them with a single character. Victims are given a personal ID and instructed to use a secure messenger platform for communication.
Numero Malware
This newly discovered destructive malware imitates the installer for InVideo AI, a popular online video creation tool. Compiled in January 2025, it is a window manipulator malware that runs continuously on a victim’s machine, making Windows systems unusable by interfering with their graphical interface. It avoids detection by checking for common malware analysis tools like IDA, x64 debugger, and OllyDbg.
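The behaviours described above (CyberLock launching the built-in ‘cipher.exe’ free-space wipe from PowerShell, the ‘dwn.exe’ payload dropped by the fake ChatGPT installer, and the ‘NovaLeadsAI.exe’ installer) can be turned into simple process-creation detections. The following Python is an added example, not code from Cisco Talos or from this article; the Sysmon-style log lines and their Field=value layout are constructed for illustration.

```python
import re

# Constructed sample process-creation events in a simplified
# "Field=value|Field=value" layout (not real Sysmon output).
SAMPLE_EVENTS = [
    "Image=C:\\Users\\bob\\Downloads\\NovaLeadsAI.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=NovaLeadsAI.exe",
    "Image=C:\\Windows\\System32\\cipher.exe|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=cipher.exe /w:C:",
    "Image=C:\\Windows\\System32\\cipher.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=cipher.exe /e C:\\Users\\bob\\secret",
    "Image=C:\\Users\\bob\\AppData\\Local\\Temp\\dwn.exe|ParentImage=C:\\Users\\bob\\Downloads\\ChatGPT 4.0 full version - Premium.exe|CommandLine=dwn.exe",
    "Image=C:\\Program Files\\Git\\bin\\git.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=git status",
]

def parse_event(line):
    """Split one constructed log line into a field dictionary."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the alert names an event triggers (empty list means benign)."""
    alerts = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    # CyberLock: free-space wipe with cipher.exe /w:<drive>. Other cipher.exe
    # switches (e.g. /e to encrypt a folder) are routine administration, so
    # only /w fires; a PowerShell parent strengthens the match.
    if image == "cipher.exe" and re.search(r"(?i)\s/w:", cmdline):
        name = "cipher_free_space_wipe"
        if "powershell" in parent:
            name += "_from_powershell"
        alerts.append(name)
    # Lucky_Gh0$t: dwn.exe spawned by a fake "ChatGPT ... Premium.exe" installer.
    if image == "dwn.exe" and "chatgpt" in parent:
        alerts.append("fake_chatgpt_installer_payload")
    # CyberLock dropper: file name reported by Talos, run from a Downloads folder.
    if image == "novaleadsai.exe" and "\\downloads\\" in event.get("Image", "").lower():
        alerts.append("novaleadsai_fake_installer")
    return alerts

def scan(lines):
    """Map the index of every suspicious line to its alert names."""
    return {i: a for i, line in enumerate(lines) if (a := classify(parse_event(line)))}
```

Calling `scan(SAMPLE_EVENTS)` flags events 0, 1 and 3 and leaves the routine `cipher.exe /e` and `git` events untouched.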
Given these evolving threats, organizations and individuals must be extremely cautious. Always verify the source of AI tools and only download software from trusted vendors.