Cybercriminals target AI users with malware-loaded installers posing as popular tools

By Admin, May 29, 2025
Fake installers for popular artificial intelligence (AI) tools, such as OpenAI ChatGPT and InVideo AI, are being used as lures to distribute a range of threats, including the CyberLock and Lucky_Gh0$t ransomware families and a new destructive malware called Numero.

"CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system," Cisco Talos researcher Chetan Raghuprasad said in a report published today. "Lucky_Gh0$t ransomware is another variant of the Yashma ransomware, which is the sixth iteration of the Chaos ransomware series, featuring only minor modifications to the ransomware binary."

Numero, on the other hand, is a destructive malware that affects victims by manipulating components of the Windows graphical user interface (GUI), rendering the machines unusable.

The cybersecurity company noted that legitimate versions of these AI tools are popular in the business-to-business (B2B) sales and marketing sectors, suggesting that individuals and organizations in those fields are the targets of the threat actors behind the campaign.

One of these fake AI solution sites is "novaleadsai[.]com", which likely impersonates a lead monetization platform called NovaLeads. The site is suspected to be promoted through search engine optimization (SEO) poisoning techniques to artificially boost its ranking in search results.

Users are then prompted to download the product, which is advertised as free for the first year with a monthly subscription of $95 thereafter. What is actually downloaded is a ZIP archive containing a .NET executable ("NovaLeadsAI.exe") compiled on February 2, 2025. The executable, in turn, acts as a loader to deploy the PowerShell-based CyberLock ransomware.


The ransomware is equipped to escalate privileges and relaunch itself with administrative permissions if it does not already have them, and it encrypts files located in the "C:\", "D:\" and "E:\" partitions that match a specific set of extensions.

In an interesting twist, the threat actor claims that ransom payments will be used to support women and children in Palestine, Ukraine, Africa, Asia and other regions where "injustice is a daily reality."

[Figure: file extensions targeted by CyberLock ransomware]

"We ask you to consider that this amount is small compared to the innocent lives, especially children, who pay the final price," the note reads. "Unfortunately, we have come to the conclusion that many are not ready to act voluntarily to help, making this the only possible decision."

The final step involves the threat actor using the living-off-the-land binary (LOLBIN) "cipher.exe" with the "/w" option to wipe the unused disk space on the entire volume, in order to hinder forensic recovery of deleted files.

Talos said it also observed the threat actor distributing the Lucky_Gh0$t ransomware under the guise of a fake installer for the premium version of ChatGPT.

"The malicious SFX installer included a folder containing the Lucky_Gh0$t executable, named 'dwn.exe', which mimics the legitimate Microsoft executable 'dwm.exe'," Raghuprasad said. "The folder also contained legitimate Microsoft open-source AI tools that are available in their GitHub repository for developers and data scientists, particularly within the Azure ecosystem."

When the victim runs the malicious SFX installer, the SFX script executes the ransomware payload. Like Yashma ransomware, Lucky_Gh0$t targets files of approximately 1.2 GB or less for encryption, but not before deleting copies and backups.

The ransom note dropped at the end of the attack includes a unique personal decryption identifier and instructs victims to contact the attackers through the Session messaging application to arrange payment and obtain the decryptor.
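As an added example (not code from the Talos report or this article), the two host behaviours described above, cipher.exe with "/w" wiping free space and a ransomware binary named dwn.exe mimicking dwm.exe, can be flagged from process-creation telemetry. The event schema and the sample events below are constructed for illustration and assume Sysmon-style fields.

```python
"""Flag two anti-forensic / masquerading behaviours in process-creation events:
cipher.exe run with /w (free-space wipe) and a binary whose name is one
character off a protected Windows process name while running outside
System32 (dwn.exe vs dwm.exe). Field names are an assumed, simplified schema."""
import re

SYSTEM_DIR = r"c:\windows\system32"
# Windows processes commonly imitated by name; dwm.exe is the one from the report.
PROTECTED = {"dwm.exe", "csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}

# Constructed sample events (not indicators from the report).
EVENTS = [
    {"image": r"C:\Windows\System32\cipher.exe", "cmdline": "cipher.exe /W:C:\\", "parent": "powershell.exe"},
    {"image": r"C:\Users\victim\Desktop\ChatGPT_Premium\dwn.exe", "cmdline": "dwn.exe", "parent": "ChatGPT_Premium.exe"},
    {"image": r"C:\Windows\System32\dwm.exe", "cmdline": "dwm.exe", "parent": "winlogon.exe"},
    {"image": r"C:\Windows\System32\cipher.exe", "cmdline": "cipher.exe /E C:\\secrets", "parent": "explorer.exe"},
]


def one_char_off(a, b):
    """True when two equal-length names differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def classify(event):
    """Return the list of rule names the event triggers (empty if benign)."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    findings = []
    # Rule 1: cipher.exe /w overwrites free space; legitimate use is rare on workstations.
    if name == "cipher.exe" and re.search(r"(^|\s)/w(:|\s|$)", event["cmdline"], re.I):
        findings.append("cipher-free-space-wipe")
    # Rule 2: a protected name (or a one-character lookalike) running outside System32.
    in_system_dir = image.startswith(SYSTEM_DIR + "\\")
    for real in sorted(PROTECTED):
        if not in_system_dir and (name == real or one_char_off(name, real)):
            findings.append(f"masquerade-of-{real}")
    return findings


def scan(events):
    """Run every event through classify() and pair each finding with its image path."""
    return [(e["image"], f) for e in events for f in classify(e)]


if __name__ == "__main__":
    for image, finding in scan(EVENTS):
        print(f"{finding}: {image}")
```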

Last but not least, the threat actors are also cashing in on the growing use of AI tools with a fake installer for InVideo AI, an AI-powered video creation platform, to deploy a destructive malware.

The fraudulent installer serves as a dropper containing three components: a Windows batch file, a Visual Basic script and Numero. When the installer is launched, the batch file runs through the Windows shell in an endless loop, which in turn executes Numero, then pauses for 60 seconds by running the VB script via cscript.

"After resuming, the batch file stops the malicious Numero process and restarts its execution," Talos said. "By introducing an endless loop in the batch file, the Numero malware is constantly running on the victim's machine."

A 32-bit Windows executable written in C++, Numero checks for the presence of malware analysis tools and debuggers among the running processes, then proceeds to overwrite the title, buttons and contents of desktop windows with the numeric string "1234567890." It was compiled on January 24, 2025.


The disclosure comes as Google-owned Mandiant detailed the use of malicious ads on Facebook and LinkedIn to redirect users to fake websites impersonating legitimate AI video generator tools such as Luma AI, Canva Dream Lab and Kling AI, among others.

The activity, which was also recently exposed by Morphisec and Check Point earlier this month, has been attributed by the tech giant to a threat cluster tracked as UNC6032, which is assessed to have a Vietnam nexus. The campaign has been active since at least mid-2014.

The attack unfolds as follows: unsuspecting users who land on these sites are asked to enter a prompt to generate a video. However, the input does not matter, since the site's main purpose is to initiate the download of a Rust-based payload called STARKVEIL.

"[STARKVEIL] delivers three different modular malware families, primarily designed for information theft and capable of downloading plugins to extend their functionality," Mandiant said. "The presence of multiple, similar payloads suggests a fail-safe mechanism that allows the attack to persist even if some payloads are detected or blocked by security defenses."

The three malware families are listed below:

  • GRIMPULL, a downloader that uses a Tor tunnel to fetch additional .NET payloads, which are decrypted, decompressed and loaded in memory as .NET assemblies
  • FROSTRIFT, a .NET backdoor that collects system information and details of installed applications, and scans for 48 browser extensions related to password managers, authenticators and cryptocurrency wallets
  • XWorm, a known .NET-based remote access trojan (RAT) with features such as keylogging, command execution, screen capture, information gathering and victim notification via Telegram

STARKVEIL also serves as a conduit to launch a Python-based dropper codenamed COILHATCH, which is responsible for launching the three payloads above via DLL side-loading.

"These AI tools no longer target just graphic designers; anyone can be lured in by a seemingly harmless ad," Mandiant said. "The temptation to try the latest AI tool can cause anyone to become a victim."
