
Cybercriminals Exploit AI Hype To Spread Malware

2025-06-25 | Aman Mishra | 4 minutes read
Tags: Cybersecurity, Malware, AI

Threat actors are capitalizing on the popularity of AI tools such as ChatGPT and Luma AI, using them as bait to distribute malware through deceptive, AI-themed websites.

The Lure of AI: Deceptive Websites and SEO Poisoning

Researchers at Zscaler ThreatLabz have identified a network of malicious websites themed around artificial intelligence. The sites, often built on WordPress, use black-hat SEO (search engine optimization) tactics to poison search engine rankings, so they surface prominently in results for trending AI-related queries such as “Luma AI blog”. Users searching for these popular AI tools are then lured onto the malicious sites.

AI-themed website designed to lure victims into installing malware.

Unpacking the Attack: How Cybercriminals Deliver Malware

When a user clicks on what looks like a legitimate search result and lands on one of these AI-themed pages, a multi-stage chain begins that ultimately delivers a malware payload: the Vidar and Lumma info-stealers, or Legion Loader.

The chain starts when the user clicks the poisoned search result and lands on the AI-themed page. The page embeds malicious JavaScript, often served from a trusted CDN such as AWS CloudFront so that the request looks legitimate. The script fingerprints the browser, collecting data such as the browser version, window resolution and user agent. That data is obfuscated with a simple XOR cipher (not meaningful encryption: the key is necessarily present in the client-side script, so captured beacons can be decoded) and sent to an attacker-controlled domain, for instance gettrunkhomuto[.]info.
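The XOR step is the detail an analyst can use: repeating-key XOR is reversible by anyone holding the key, and with client-side JavaScript the key, or enough known plaintext to derive it, is always available. The following Python is an added example, not code from Zscaler or from the campaign; the field names, the key k3y! and the base64 wrapping are assumptions, since the page gives only the broad description above. It encodes a constructed fingerprint the way such a script might, decodes it with a known key, and recovers the key from a captured beacon using the known JSON prefix as a crib.

```python
"""XOR-obfuscated fingerprint beacon: encode as described, then decode and recover the key.

Added example, not Zscaler's or the campaign's code. The field names, key and
base64 wrapping are assumptions; the page only says the fingerprint is
XOR-obfuscated and posted to an attacker domain.
"""
import base64
import json

# Constructed sample: the kinds of values the article says the script collects.
SAMPLE_FINGERPRINT = {
    "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "browser": "Chrome/125.0.0.0",
    "screen": "1920x1080",
    "window": "1536x864",
}
SAMPLE_KEY = b"k3y!"  # assumed attacker key; in reality it sits in the page's JavaScript


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(fingerprint: dict, key: bytes) -> str:
    """What the landing page's script would do before POSTing the beacon (assumed shape)."""
    plain = json.dumps(fingerprint, separators=(",", ":")).encode("ascii")
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


def decode_beacon(beacon: str, key: bytes) -> dict:
    """Analyst side: decode a captured beacon with the key pulled out of the script."""
    raw = base64.b64decode(beacon)
    return json.loads(xor_bytes(raw, key).decode("utf-8"))


def recover_key(beacon: str, crib: bytes = b'{"', max_key_len: int = 16):
    """Analyst side when the key is buried in obfuscated JS.

    XOR with a repeating key is not encryption: if the plaintext starts with a
    known prefix (a JSON object always starts with '{"', and the first field
    name is usually visible in the script), every key byte covered by the crib
    is simply ciphertext XOR crib. Try each key length up to the crib length
    and keep the first one that yields valid JSON. Returns None if the key is
    longer than the crib or the data is not JSON.
    """
    raw = base64.b64decode(beacon)
    for key_len in range(1, min(len(crib), max_key_len) + 1):
        candidate = xor_bytes(raw[:key_len], crib[:key_len])
        try:
            json.loads(xor_bytes(raw, candidate).decode("utf-8"))
        except ValueError:  # UnicodeDecodeError and JSONDecodeError both subclass ValueError
            continue
        return candidate
    return None


if __name__ == "__main__":
    beacon = encode_beacon(SAMPLE_FINGERPRINT, SAMPLE_KEY)
    print("beacon:", beacon)
    print("decoded:", decode_beacon(beacon, SAMPLE_KEY))
    print("recovered key:", recover_key(beacon, crib=b'{"ua":"'))
```

The crib-based recovery only works for keys no longer than the known prefix; with the default two-byte crib it gives up on the four-byte sample key, which is the honest result, and supplying the first field name from the script extends the crib far enough.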

Once the server accepts the fingerprint, it starts a multi-layered redirection. The victim is typically routed through intermediate sites, which may check the public IP address, before reaching the page that serves the download.

The attack chain illustrating the distribution process of Lumma and Vidar Stealer.

Sophisticated Evasion Techniques Employed by Attackers

Notably, the malicious JavaScript also checks for ad blockers and DNS-based protection. If either is present, the redirection stops, so that protected users never see the payload stage and the rest of the chain stays hidden from them.

The payloads are frequently packaged in very large installer files; Vidar and Lumma Stealer have been distributed as NSIS installers of around 800 MB. The size is deliberate: many sandboxes refuse, truncate or time out on files above a size limit, so the inflated installer may never be detonated.
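A quick triage check for this kind of inflated installer, as an added example (not a Zscaler tool): it assumes, as is typical for bloated installers, that the extra size is a long run of one byte value appended after the real installer, and uses zlib compressibility as a second signal for repetitive filler elsewhere in the file. The sample bytes are constructed, the 100 MB threshold is a placeholder for whatever limit your own sandbox enforces, and random (incompressible) junk would defeat both checks, leaving the raw size as the only signal.

```python
"""Triage check for bloated installers.

Added example, not a Zscaler tool. Assumes the padding is a run of one byte
value at the end of the file (common, not guaranteed); compressibility is a
second, weaker signal for repetitive filler anywhere in the file.
"""
import zlib

# Constructed sample, not real malware: a tiny stub plus 64 KiB of null padding.
SAMPLE_BLOATED = (
    b"MZ"
    + b"Nullsoft Install System v3 (constructed stub)"
    + bytes(range(256)) * 16
    + b"\x00" * 65536
)
SAMPLE_CLEAN = bytes(range(256)) * 16


def trailing_run(data: bytes) -> int:
    """Length of the run of identical bytes at the end of the blob (0 for empty input)."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def compressed_ratio(data: bytes, chunk: int = 1 << 20) -> float:
    """zlib size / raw size, streamed so an 800 MB file is not copied into memory twice."""
    if not data:
        return 1.0
    comp = zlib.compressobj(level=1)
    total = 0
    for i in range(0, len(data), chunk):
        total += len(comp.compress(data[i:i + chunk]))
    total += len(comp.flush())
    return total / len(data)


def bloat_report(data: bytes, size_threshold: int = 100 * 1024 * 1024) -> dict:
    """Flag a blob that is both large and mostly filler.

    size_threshold is an assumption: use the size at which your own sandbox
    stops accepting or starts truncating samples.
    """
    size = len(data)
    run = trailing_run(data)
    ratio = compressed_ratio(data)
    run_fraction = run / size if size else 0.0
    return {
        "size": size,
        "trailing_run": run,
        "trailing_fraction": round(run_fraction, 3),
        "compressed_ratio": round(ratio, 4),
        "suspicious": size >= size_threshold and (run_fraction > 0.5 or ratio < 0.05),
    }


def debloat(data: bytes, min_run: int = 1 << 20) -> bytes:
    """Strip trailing padding so the real installer can be hashed and sandboxed.

    Only strips when the run is at least min_run bytes, so ordinary short zero
    tails in legitimate binaries are left alone. Keep the original too: the
    stripped file's hash will not match IOC lists built on the padded file.
    """
    run = trailing_run(data)
    return data[:-run] if run >= max(min_run, 1) else data


if __name__ == "__main__":
    print(bloat_report(SAMPLE_BLOATED, size_threshold=32 * 1024))
    print("debloated size:", len(debloat(SAMPLE_BLOATED, min_run=4096)))
```

On a real 800 MB sample, read the file in binary and pass the bytes (or adapt trailing_run to seek backwards from the end) and keep the default threshold close to your sandbox's actual limit; the stripped copy is what you detonate, the padded original is what you match against published hashes.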

Legion Loader arrives in password-protected ZIP archives. The archives contain MSI files that install decoy software to mask the malicious activity while loading malicious DLLs through DLL sideloading and injecting code via process hollowing. The resulting payloads can steal sensitive data or install browser extensions designed to steal cryptocurrency, a significant risk to users.

The campaign's evasion goes further. The NSIS scripts embed antivirus checks that use the built-in Windows utilities tasklist and findstr to look for security processes from vendors such as Quick Heal, Webroot and Bitdefender and terminate them. Legion Loader adds stealth of its own: the archive passwords are fetched dynamically from command-and-control (C2) servers rather than shipped with the sample, and its shellcode runs inside a hollowed-out explorer.exe process.
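Both the tasklist/findstr enumeration and the forced termination show up in process-creation telemetry. The rule below is an added example, not Zscaler's detection content: the tab-separated event format, the events themselves and the vendor fragments are constructed placeholders (the article names the vendors, not the process names, so the fragments should be replaced with the image names your own AV fleet runs under), and the staging-directory list is a tuning assumption.

```python
"""Detection rule for tasklist/findstr security-product checks from a dropped installer.

Added example, not Zscaler's detection content. Telemetry format, events,
vendor fragments and staging directories are all constructed or assumed.
"""

# Assumed placeholders: fragments of the security products the NSIS scripts look for.
# Replace with the real process image names of the products deployed in your estate.
VENDOR_HINTS = ("quickheal", "quick heal", "webroot", "bitdefender")
# Assumed: directories an installer fetched from a poisoned search result typically runs from.
STAGING_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")

# Constructed process-creation events (not real telemetry):
# parent image <TAB> image <TAB> command line. "webroot.exe" is a made-up image name.
SAMPLE_EVENTS = [
    "C:\\Users\\u\\Downloads\\Luma-AI-Setup.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c tasklist | findstr /i bitdefender",
    "C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c tasklist /svc",
    "C:\\Users\\u\\Downloads\\ChatGPT-5-Setup.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c tasklist | findstr /i webroot",
    "C:\\Program Files\\ITTools\\inventory.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c tasklist | findstr /i chrome",
    "C:\\Users\\u\\AppData\\Local\\Temp\\ns1234.tmp\\setup.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c tasklist | findstr /i agent",
    "C:\\Users\\u\\Downloads\\Luma-AI-Setup.exe\tC:\\Windows\\System32\\taskkill.exe\ttaskkill /f /im webroot.exe",
]


def parse_event(line: str) -> dict:
    """Split one tab-separated telemetry line into its three fields."""
    parent, image, cmdline = line.split("\t", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def classify(event: dict):
    """Return 'high', 'medium' or None for one process-creation event."""
    cmd = event["cmdline"].lower()
    parent = event["parent"].lower()
    enumerates = "tasklist" in cmd and "findstr" in cmd  # grep-style process enumeration
    kills = "taskkill" in cmd and "/f" in cmd.split()    # forced termination
    if not (enumerates or kills):
        return None
    if any(v in cmd for v in VENDOR_HINTS):
        return "high"      # names a security product outright
    if any(d in parent for d in STAGING_DIRS):
        return "medium"    # same behaviour, but from a freshly dropped installer
    return None            # admin tooling doing the same from an installed path


def detect(lines):
    """Run the rule over telemetry lines; returns [(line_index, severity), ...]."""
    findings = []
    for i, line in enumerate(lines):
        severity = classify(parse_event(line))
        if severity:
            findings.append((i, severity))
    return findings


if __name__ == "__main__":
    for index, severity in detect(SAMPLE_EVENTS):
        print(f"{severity:6s} line {index}: {SAMPLE_EVENTS[index].split(chr(9))[2]}")
```

The medium tier exists because an installer in Downloads grepping the process list is suspicious even when it does not name a vendor you recognise; a taskkill /f from the same parent shortly afterwards is what turns the pair into the behaviour the article describes, so correlate the two by parent process when your telemetry allows it.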

Protecting Yourself and Understanding the Threat

Zscaler’s cloud security platform detects the Lumma, Vidar and Legion Loader components under threat names such as Win32.PWS.Lumma and Win32.Dropper.LegionLoader.

Users are urged to be careful when searching for AI tools online, as abuse of trending topics for malware distribution is a growing problem. Verify that the domain actually belongs to the vendor before downloading anything, treat installers of hundreds of megabytes and password-protected archives as warning signs, and obtain software only from official, trusted sources.

Key Indicators of Compromise (IOCs)

Below is a table of key Indicators of Compromise (IOCs) associated with this campaign for reference and mitigation purposes. Domains are defanged; file indicators are the 32-character hex hashes as published.

Indicator                          | Description
-----------------------------------|--------------------------------------
chat-gpt-5[.]ai                    | Malicious blog site related to AI
luma-ai[.]com                      | Malicious blog site related to AI
krea-ai[.]com                      | Malicious blog site related to AI
llama-2[.]com                      | Malicious blog site related to AI
C957ADB29755E586EE022244369C375D   | Legion Loader password-protected ZIP
14642E8FFD81298F649E28DC046D84BB   | Legion Loader MSI file
C53eaf734ecc1d81c241ea2ab030a87e   | Lumma NSIS installer file
758625d112c04c094f96afc40eafa894   | Vidar NSIS installer file

