Cisco Talos has uncovered a collection of malicious threats masquerading as legitimate AI software installers, targeting unsuspecting users and businesses across a number of industries.
These threats, including the CyberLock and Lucky_Gh0$t ransomware families and a newly identified destructive malware dubbed "Numero," exploit the rising popularity of AI solutions in sectors like B2B sales, technology, and marketing.
Deceptive Malware Disguised as AI Solutions
Cybercriminals are leveraging sophisticated tactics such as SEO poisoning to manipulate search engine results, ensuring their fake websites and malicious download links appear at the top of search results.

Additionally, platforms like Telegram and other social media messengers are being used to distribute these fraudulent installers, deceiving users into downloading malware-laden files that compromise sensitive data and undermine trust in genuine AI tools.
The CyberLock ransomware, built using PowerShell and delivered via a .NET loader, is embedded within a fake AI lead monetization tool mimicking the legitimate platform NovaLeads.
Hosted on a deceptive domain, novaleadsai[.]com, the malware is deployed through a ZIP archive containing a malicious executable, NovaLeadsAI.exe.
Upon execution, CyberLock encrypts files across specified drives using AES encryption, appending the ".cyberlock" extension to affected files, which span categories like text documents, media, and databases.
A Trifecta of Threats
Its ransom note demands a staggering $50,000 in Monero cryptocurrency, falsely claiming the funds will support humanitarian causes in regions like Palestine and Ukraine, while using psychological tactics to pressure victims with threats of data exposure, even though Talos found no data exfiltration capability in the malware.

Beyond encryption, CyberLock uses the Windows built-in tool cipher.exe to overwrite free disk space, obstructing forensic recovery of deleted originals.
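The two CyberLock behaviours above, encrypted files gaining a ".cyberlock" extension and cipher.exe being run to wipe free space, are easy to express as detection logic. The following Python is an added example written for this page, not code from the Talos report or from the malware: it runs three rules over Sysmon-style process-creation and file-creation events and correlates them into a verdict. The event records, their field names, and the heuristic that flags PowerShell spawned with an encoded command by an executable outside the system directories are constructed for this illustration; the /w: switch is cipher.exe's documented free-space wipe option, which the article does not name.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events for this example (id 1 = process create, id 11 = file create).
# They are illustrative records, not telemetry from the Talos report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\Downloads\NovaLeadsAI.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Users\alice\Downloads\NovaLeadsAI.exe"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\Downloads\NovaLeadsAI.exe",
     "cmd": "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
            "-EncodedCommand SQBFAFgA"},
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\Documents\q2-pipeline.xlsx.cyberlock"},
    {"id": 1, "image": r"C:\Windows\System32\cipher.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "cipher.exe /w:C:\\"},
    # Benign control: an admin enabling EFS on a folder from an interactive cmd.exe.
    {"id": 1, "image": r"C:\Windows\System32\cipher.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cipher.exe /e /s:C:\Users\alice\Finance"},
]

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WIPE_FLAG = re.compile(r"(^|\s)/w:", re.IGNORECASE)          # cipher.exe free-space wipe
ENCODED_FLAG = re.compile(r"-enc(odedcommand)?\b", re.IGNORECASE)  # heuristic, not exhaustive


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return a list of (rule_name, detail) findings for one host's event stream."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            img, parent, cmd = basename(ev["image"]), ev.get("parent", ""), ev.get("cmd", "")
            # Rule 1: cipher.exe /w: overwrites free space. Outside a planned decommission this is
            # an anti-forensic step, so it is flagged regardless of the parent process.
            if img == "cipher.exe" and WIPE_FLAG.search(cmd):
                findings.append(("cipher_free_space_wipe", cmd))
            # Rule 2 (heuristic): PowerShell started by an executable that lives outside the
            # system directories and hides its script body behind -EncodedCommand.
            if img == "powershell.exe" and not in_system_dir(parent) and ENCODED_FLAG.search(cmd):
                findings.append(("powershell_encoded_from_user_dir_exe", basename(parent)))
        elif ev["id"] == 11:
            # Rule 3: a file written with the extension CyberLock appends to encrypted files.
            if ev["target"].lower().endswith(".cyberlock"):
                findings.append(("cyberlock_extension_written", ev["target"]))
    return findings


def summarize(findings):
    """Escalate only when the full encrypt-then-wipe chain is present on the host."""
    rules = {rule for rule, _ in findings}
    chain = {"powershell_encoded_from_user_dir_exe",
             "cyberlock_extension_written",
             "cipher_free_space_wipe"}
    if chain <= rules:
        return "cyberlock_like_chain"
    return "isolated_hits" if rules else "clean"


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, detail in hits:
        print(f"{rule}: {detail}")
    print("verdict:", summarize(hits))
```

Rule 1 is the high-confidence signal: legitimate cipher.exe use (EFS, as in the benign control event) never needs /w:, so the wipe switch alone merits an alert even without the other two rules. Rules 2 and 3 are the ones to tune per environment; the correlation in summarize is what separates a CyberLock-like sequence from a single noisy hit.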
Equally insidious, Lucky_Gh0$t ransomware, a variant of the Yashma strain from the Chaos ransomware series, poses as a ChatGPT installer under the guise of "ChatGPT 4.0 full version – Premium.exe."
Distributed as a self-extracting ZIP archive, it includes a malicious executable disguised as a legitimate Microsoft file alongside genuine AI tools to evade detection.
Lucky_Gh0$t encrypts files smaller than 1.2GB with AES keys that are themselves encrypted with RSA, appending random alphanumeric extensions, while larger files are destructively overwritten rather than encrypted, so they cannot be recovered even if a ransom is paid.
Victims are directed to communicate through a secure messenger using a unique session ID for ransom negotiations.
Meanwhile, the Numero malware, impersonating the AI video creation tool InVideo AI, operates as a window manipulator.
According to the report, Numero is written in C++ and was compiled in January 2025; it runs in an infinite loop, corrupting the Windows GUI by overwriting window elements with numeric strings, rendering systems unusable. It also evades analysis by detecting debugging tools such as IDA and WinDbg.
Organizations must remain vigilant, as these threats exploit the AI boom to target critical business assets.
Cisco Talos urges users to verify the authenticity of AI tool sources and rely only on reputable vendors.
The convergence of AI's transformative potential and cybercriminals' deceptive tactics underscores the urgent need for robust cybersecurity measures to safeguard against such weaponized installers.