Artificial Intelligence Exposes the Homoglyph Hustle

Sept. 23, 2025, 10:21 p.m.

Description

A seemingly harmless desktop application named calendaromatic.exe was found to be sophisticated malware that uses NeutralinoJS, Unicode homoglyphs, and hidden payloads. The malware, distributed through an aggressive ad campaign, exploited NeutralinoJS's native APIs to interact directly with the host operating system. The key to its operation was a function named clean() that scanned holiday JSON data for Unicode homoglyphs, which were used to encode hidden instructions. This technique allowed the malware to receive and execute arbitrary code smuggled into holiday names using lookalike characters. The investigation was accelerated by AI, which helped parse and annotate the minified JavaScript code.
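A defender-side check for the technique described above, as an added example that is not code from the sample or from the original report: it walks parsed JSON and reports words that mix Latin letters with Cyrillic or Greek letters. The `holidays` and `name` fields, the function names and the sample data are constructed assumptions; the page does not give the malware's actual character mapping.

```javascript
// Added example: flag mixed-script words in JSON string values.
// Script list is an assumption; extend it for other lookalike alphabets.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Return the set of script names used by the letters of one word.
function scriptsOf(word) {
  const found = new Set();
  for (const ch of word) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return found;
}

// Recursively walk parsed JSON; report every word that mixes scripts.
// A word written entirely in one script (a localized name) is not flagged.
function findMixedScript(node, path = "$", hits = []) {
  if (typeof node === "string") {
    for (const word of node.split(/[^\p{L}\p{M}]+/u).filter(Boolean)) {
      const scripts = scriptsOf(word);
      if (scripts.size > 1) {
        const codepoints = [...word]
          .filter((ch) => !SCRIPTS.Latin.test(ch))
          .map((ch) => "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
        hits.push({ path, word, scripts: [...scripts].sort(), codepoints });
      }
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => findMixedScript(v, `${path}[${i}]`, hits));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) findMixedScript(v, `${path}.${k}`, hits);
  }
  return hits;
}

// Constructed sample: the second name hides Cyrillic U+043E and U+0430.
const sample = JSON.parse(
  '{"holidays":[{"date":"2025-01-01","name":"New Year\'s Day"},' +
  '{"date":"2025-05-26","name":"Mem\\u043Erial D\\u0430y"}]}'
);
console.log(findMixedScript(sample));
```

Mixed-script words are a triage signal, not a verdict: run the check over JSON an application fetches at runtime and review any hit together with the code that consumes the field.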

Date

  • Created: Sept. 23, 2025, 9:47 p.m.
  • Published: Sept. 23, 2025, 9:47 p.m.
  • Modified: Sept. 23, 2025, 10:21 p.m.

Indicators

  • e32d6b2b38b11db56ae5bce0d5e5413578a62960aa3fab48553f048c4d5f91f0
  • c24774d9b3455b47a41c218d404ae6b702da0d2e3e8ad3d2a353ffddd62239c2
  • 69934dc1d4fdb552037774ee7a75c20608c09680128c9840b508551dbcf463ad
  • 497ed5bca59fa6c01f80d55c5f528a40daff4e4afddfbe58dbd452c45d4866a3

Additional Information

  • British Indian Ocean Territory
  • India
  • Australia
  • Canada
  • France
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America