Cybercriminals camouflaging threats as AI tool installers

June 5, 2025, 1:23 a.m.

Description

Cybercriminals are exploiting the popularity of AI by distributing malware disguised as installers for AI tools. Three threats have been identified: CyberLock ransomware, Lucky_Gh0$t ransomware, and a newly discovered destructive malware called Numero. CyberLock, written in PowerShell, encrypts a specific set of files and demands a $50,000 ransom payable in Monero. Lucky_Gh0$t is a variant of the Yashma ransomware and masquerades as a ChatGPT installer. Numero imitates an AI video-creation tool and tampers with Windows GUI components, leaving affected systems unusable. The campaigns primarily target the B2B sales, technology, and marketing sectors. The attackers rely on SEO manipulation and a range of distribution channels to lure victims. Organizations are urged to exercise caution and to verify the source of any AI tool before downloading or installing it.

Date

  • Created: June 5, 2025, 1:03 a.m.
  • Published: June 5, 2025, 1:03 a.m.
  • Modified: June 5, 2025, 1:23 a.m.

Indicators

  • f1e3aefa9b6564753a12ef53f9186efd000dfeca2ab6c24d764b65e43070dec0
  • e1c4603d8354bb53e9ba93b860db6ae853d64bce0fe25a37033bfe260ea63f23
  • e019c6f094965c3bccc0a7ba09bfb09c4ff7059795da5b66b6e7a7c0ac8ef7ef
  • cdcd516f7cea4504448bd95a321b48d1ee4379c6c584e821bc8f109c69897821
  • b46e342e3842935ce8602003bbca479cfe843bc6790c3724fd85c1d44c8d1fc0
  • 7e8f07945f3b92d5a5ab08a8eb74d6e6fe0462485e76d4ba3ad545be08be5684
  • 911ad4455b4bf703dc63817b4b4aa9c2f4ed87e965c313bc68e817a5e012bc1c
  • 7de095a011a3dcd48f806dcb6a48d5262e06bec2d63d828b85436f79c83bcd70
  • 6fe71ef1f1ef533f93149eb8491687d31c2e2d41490d06de58720f682132c94e
  • 6ccaef03dcab293d23494070aacfd4b94d7defd14af39dc543f2f551846e9d50
  • 5599396d79b511fa6b86bf4222550c9b3c09f988cce8c080ae520ae9bfc4f7d0
  • 507103bf93e50a8b7b2944c402f1403402e2f607930fa7822bb64236c1fba23a
  • 4800a4e6eddef216e4eedee5f4038deef07193f4051c345d32c113ce47c81db0
  • 25f863c6190b727c45b762b70091a8d8f6cb98ff44db05044ba76a46d3c17a3d
  • 2381929126d3eb17402d77103f6e07a272a6fad54ec64225a6d5e1f31ff057ac
  • 229b6248baf0d6320e3a44fabf2874ade14e44e694d40a4b1844266bd36ca8e9
  • 07d73f4822549af4ec61d16ed366133dae1733ce1d6ad0a27fc80c94956abc51
  • 001165c9a51477b3972468b7e17fd02bd513a614ca6227acd9b21a58dabab442
  • 352e51c42d5f5727a7c545752bf34d1f83f40219e7036c6959817149a51651bc
  • f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb
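
The SHA-256 indicators above are most useful when swept against the installers employees have actually downloaded. The following script is an added example, not code from the report or its publisher: it hashes every file under a directory in streaming fashion, normalizes the indicator list (case and length) so a miss is never caused by formatting, and returns the files whose digest matches. The file names, the sample bytes and the `demo()` directory are constructed for illustration; the indicator set is copied from the list above.

```python
"""IOC sweep: hash files under a directory and match them against the
SHA-256 indicators published with this report (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators copied verbatim from the report's Indicators list.
REPORT_IOCS = {
    "f1e3aefa9b6564753a12ef53f9186efd000dfeca2ab6c24d764b65e43070dec0",
    "e1c4603d8354bb53e9ba93b860db6ae853d64bce0fe25a37033bfe260ea63f23",
    "e019c6f094965c3bccc0a7ba09bfb09c4ff7059795da5b66b6e7a7c0ac8ef7ef",
    "cdcd516f7cea4504448bd95a321b48d1ee4379c6c584e821bc8f109c69897821",
    "b46e342e3842935ce8602003bbca479cfe843bc6790c3724fd85c1d44c8d1fc0",
    "7e8f07945f3b92d5a5ab08a8eb74d6e6fe0462485e76d4ba3ad545be08be5684",
    "911ad4455b4bf703dc63817b4b4aa9c2f4ed87e965c313bc68e817a5e012bc1c",
    "7de095a011a3dcd48f806dcb6a48d5262e06bec2d63d828b85436f79c83bcd70",
    "6fe71ef1f1ef533f93149eb8491687d31c2e2d41490d06de58720f682132c94e",
    "6ccaef03dcab293d23494070aacfd4b94d7defd14af39dc543f2f551846e9d50",
    "5599396d79b511fa6b86bf4222550c9b3c09f988cce8c080ae520ae9bfc4f7d0",
    "507103bf93e50a8b7b2944c402f1403402e2f607930fa7822bb64236c1fba23a",
    "4800a4e6eddef216e4eedee5f4038deef07193f4051c345d32c113ce47c81db0",
    "25f863c6190b727c45b762b70091a8d8f6cb98ff44db05044ba76a46d3c17a3d",
    "2381929126d3eb17402d77103f6e07a272a6fad54ec64225a6d5e1f31ff057ac",
    "229b6248baf0d6320e3a44fabf2874ade14e44e694d40a4b1844266bd36ca8e9",
    "07d73f4822549af4ec61d16ed366133dae1733ce1d6ad0a27fc80c94956abc51",
    "001165c9a51477b3972468b7e17fd02bd513a614ca6227acd9b21a58dabab442",
    "352e51c42d5f5727a7c545752bf34d1f83f40219e7036c6959817149a51651bc",
    "f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb",
}


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory byte string (used for small samples and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-GB installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_ioc(value):
    """Lower-case and validate a hex SHA-256; a stray space or upper-case hex
    in a copied indicator must never turn a real hit into a miss."""
    v = value.strip().lower()
    if len(v) != 64 or any(c not in "0123456789abcdef" for c in v):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return v


def sweep(root, iocs=REPORT_IOCS, extensions=None):
    """Walk `root`, hash every file (optionally only those with the given
    extensions) and return a list of (path, sha256) for each IOC match."""
    wanted = {normalize_ioc(i) for i in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if extensions and not name.lower().endswith(tuple(extensions)):
                continue
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in wanted:
                hits.append((str(path), digest))
    return hits


def demo():
    """Build a constructed download folder and sweep it twice: once against the
    report's indicators (no hit expected for the constructed files) and once
    with the digest of a constructed fake installer added to the set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"hello")                 # constructed benign file
        fake = root / "ChatGPT_Setup.exe"                           # constructed lure name
        fake.write_bytes(b"constructed fake installer bytes")       # constructed content
        report_hits = sweep(root)
        extended = REPORT_IOCS | {sha256_file(fake).upper()}        # upper-case on purpose
        extended_hits = sweep(root, iocs=extended, extensions=[".exe", ".msi"])
        return {"report_hits": report_hits, "extended_hits": extended_hits}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits)
```

Run it against a real downloads share by calling `sweep("/path/to/downloads")`; the `extensions` filter is optional because the lures described above are not limited to a single installer format. A match is a confirmed indicator hit, but the absence of a match only says the sampled binaries differ from the published ones, so treat the sweep as one detection layer rather than a clean bill of health.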

Attack Patterns

  • Numero
  • Lucky_Gh0$t
  • CyberLock

Additional Information

  • Technology
  • Media