Artificial Intelligence Exposes the Homoglyph Hustle
Essential information
- Published: 23/09/2025 21:47
- Modified: 23/09/2025 22:21
- Tags: 2025-09-23, ai-assisted investigation, calendaromatic.exe, covert channel, desktop application, homoglyphs, javascript, neutralinojs, unicode
- Related entities: 4 observables, 10 techniques (mitre), 7 others
Description
A seemingly harmless desktop application named calendaromatic.exe was found to be sophisticated malware that uses NeutralinoJS, Unicode homoglyphs, and hidden payloads. The malware, distributed through an aggressive ad campaign, exploited NeutralinoJS's native APIs to interact directly with the host operating system. The key to its operation was a function named clean() that scanned holiday JSON data for Unicode homoglyphs, which were used to encode hidden instructions. This technique allowed the malware to receive and execute arbitrary code smuggled into holiday names using lookalike characters. The investigation was accelerated by AI, which helped parse and annotate the minified JavaScript code.
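A defender-side check for the lookalike characters described above, as an added example that is not code from the analysed sample or from the original report: it flags any word in a holiday name that mixes letters from more than one script. The feed layout (`holidays`, `date`, `name`), the sample data and the function names are assumptions made for illustration.

```javascript
// Constructed sample feed; the "holidays", "date" and "name" fields are assumptions.
const SAMPLE_FEED = JSON.stringify({
  holidays: [
    { date: "2025-01-01", name: "New Year's Day" },
    { date: "2025-05-01", name: "Lab\u043Eur Day" },          // Cyrillic o, U+043E
    { date: "2025-12-25", name: "Christm\u0430s D\u0430y" },  // Cyrillic a, U+0430
    { date: "2025-04-20", name: "Πάσχα" },                    // genuinely Greek
  ],
});

// Scripts whose letters are easily confused with Latin ones.
const SCRIPTS = ["Latin", "Cyrillic", "Greek", "Armenian", "Cherokee"];
const MATCHERS = SCRIPTS.map((s) => [s, new RegExp(`\\p{Script=${s}}`, "u")]);

// Script name for one character, or null for digits, punctuation and spaces.
function scriptOf(ch) {
  const hit = MATCHERS.find(([, re]) => re.test(ch));
  return hit ? hit[0] : null;
}

// Report every word whose letters come from more than one script.
function findMixedScriptNames(feedText) {
  const feed = JSON.parse(feedText);
  const findings = [];
  for (const entry of feed.holidays || []) {
    for (const word of String(entry.name || "").split(/\s+/)) {
      const counts = new Map();
      for (const ch of word) {
        const s = scriptOf(ch);
        if (s) counts.set(s, (counts.get(s) || 0) + 1);
      }
      if (counts.size < 2) continue; // single-script words are normal text
      // Treat the most frequent script as the word's real one; the rest are outliers.
      const [dominant] = [...counts].sort((a, b) => b[1] - a[1])[0];
      const outliers = [...word]
        .filter((ch) => scriptOf(ch) && scriptOf(ch) !== dominant)
        .map((ch) => "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
      findings.push({ date: entry.date, word, dominant, outliers });
    }
  }
  return findings;
}

console.log(findMixedScriptNames(SAMPLE_FEED));
```

Checking per word rather than per name keeps legitimately non-Latin holiday names from being flagged while still catching a single substituted letter.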