Malware in Disguise: How EvilAI’s Fake AI Apps Are Infiltrating the World
Criminals are dressing up malware as legitimate AI tools, fooling global organizations and users into opening the door for high-tech cyber espionage.
Fast Facts
- EvilAI campaign uses fake AI and productivity tools to distribute malware worldwide.
- Targets include manufacturing, government, healthcare, tech, and retail sectors across Europe, the Americas, and AMEA.
- Attackers exploit signed certificates and authentic-looking apps to evade detection.
- Malware enables data theft, persistent access, and encrypted communication with command servers.
- Variants leverage code-signing from companies in Panama, Malaysia, Ukraine, and the UK.
The Trojan Horse Gets a Tech Upgrade
Imagine opening what looks like a shiny new AI-powered productivity tool - only to unwittingly let a digital thief into your organization. That’s the chilling reality behind the EvilAI malware campaign, which has quietly swept across continents by hiding in plain sight, dressed as the very tools businesses and users crave most.
According to leading cybersecurity firms like Trend Micro, Expel, and G DATA, EvilAI isn’t just a single piece of software but a sprawling, fast-evolving criminal operation. The attackers have mastered the art of mimicry, turning everyday apps like PDF editors, calendar tools, and recipe finders into vehicles for espionage. By leveraging buzzwords like “AI” and slick, professional interfaces, these trojans blend seamlessly into the digital landscape - making them nearly indistinguishable from the real thing.
Anatomy of a Global Deception
What sets EvilAI apart is its attention to detail. The malware is signed with digital certificates from shell companies in far-flung countries, providing an air of legitimacy. When one certificate is revoked, another pops up, like a cybercriminal game of whack-a-mole. Some variants, such as BaoLoader and TamperedChef, have been tied to dozens of certificates from Panama, Malaysia, Ukraine, and the UK - underscoring the campaign’s global reach and sophistication.
Once installed, EvilAI begins silent reconnaissance, quietly mapping the infected system, stealing sensitive browser data, and maintaining a secret, encrypted line to its command center. The malware wraps its command-and-control traffic in AES, the same standard cipher that protects legitimate traffic, so defenders watching the network cannot read what is being sent back and forth. Meanwhile, it can download additional payloads, exfiltrate data, or simply wait for further instructions.
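Encryption hides what a check-in says, not that it happens: an implant that "waits for further instructions" has to contact its command server on a schedule, and that cadence is visible in ordinary connection logs. The following script is an added defensive example, not code from the original article or from any of the firms it cites; the log format, host and process names, and IP addresses are constructed for illustration. It groups outbound connections by host, process and destination and flags groups whose inter-arrival times are almost constant.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection log lines (not from any real incident).
# One process checks in every ~5 minutes; a browser connects at irregular times.
SAMPLE_LOG = """\
2025-09-01T10:00:00 host=WS-17 proc=recipefinder.exe dst=203.0.113.10:443 bytes=412
2025-09-01T10:00:03 host=WS-17 proc=chrome.exe dst=198.51.100.5:443 bytes=30211
2025-09-01T10:05:01 host=WS-17 proc=recipefinder.exe dst=203.0.113.10:443 bytes=410
2025-09-01T10:07:40 host=WS-17 proc=chrome.exe dst=198.51.100.5:443 bytes=1822
2025-09-01T10:10:00 host=WS-17 proc=recipefinder.exe dst=203.0.113.10:443 bytes=414
2025-09-01T10:15:02 host=WS-17 proc=recipefinder.exe dst=203.0.113.10:443 bytes=411
2025-09-01T10:20:01 host=WS-17 proc=recipefinder.exe dst=203.0.113.10:443 bytes=409
2025-09-01T10:31:55 host=WS-17 proc=chrome.exe dst=198.51.100.5:443 bytes=9870
"""

# Assumed (constructed) log layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "proc": m["proc"],
            "dst": m["dst"],
            "bytes": int(m["bytes"]),
        })
    return events


def find_beacons(events, min_events=4, max_cv=0.1):
    """Flag (host, proc, dst) groups with a regular check-in cadence.

    For each group with at least min_events connections, compute the
    coefficient of variation (std dev / mean) of the gaps between
    connections. A small CV means the gaps are nearly identical, which
    is typical of a scheduled check-in rather than human-driven traffic.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["proc"], e["dst"])].append(e["ts"])

    candidates = []
    for (host, proc, dst), stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            candidates.append({
                "host": host, "proc": proc, "dst": dst,
                "count": len(stamps), "interval_s": avg, "cv": cv,
            })
    return candidates


if __name__ == "__main__":
    for c in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{c['host']} {c['proc']} -> {c['dst']}: "
              f"{c['count']} connections every ~{c['interval_s']:.0f}s (cv={c['cv']:.3f})")
```

The thresholds are deliberately simple; in practice you would tune `min_events` and `max_cv` per environment and pair the cadence check with destination reputation and process-signing data, since legitimate updaters also poll on a timer.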
To spread, EvilAI’s operators use every trick in the book: fake vendor websites, malicious ads, SEO manipulation, and even forum and social media links. They also exploit modern frameworks like NeutralinoJS, which lets their malware run JavaScript code natively on a victim’s computer - granting access to files, processes, and network activity, all under the radar. Subtle encoding tricks, like swapping lookalike Unicode characters, help the malware slip past traditional detection tools.
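The lookalike-character trick works because a Cyrillic or Greek letter renders exactly like its Latin twin while comparing unequal to it, so a name-based allowlist or signature never matches. The script below is an added defensive example, not code from the article or from any vendor it names; it assumes the substitution appears in file names or script identifiers and uses a constructed, deliberately partial confusables table (the full list lives in Unicode's confusables.txt). It reports confusable characters, detects names that mix scripts, and reduces a name to its ASCII "skeleton" so it can be compared against a known-good list.

```python
import unicodedata

# Constructed, partial table of common confusables mapped to the ASCII
# character they resemble. Keys are Cyrillic, Greek and a few punctuation
# lookalikes; extend from Unicode's confusables.txt for production use.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",          # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                          # Greek
    "\u0131": "i", "\u2010": "-", "\u2013": "-", "\u00a0": " ",            # other
}


def script_of(ch):
    """Return the script word from the character's Unicode name ('LATIN', 'CYRILLIC', ...),
    or None for non-letters such as digits and punctuation."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def analyze_name(name):
    """Return a list of human-readable findings for a file name or identifier."""
    findings = []
    scripts = set()
    for i, ch in enumerate(name):
        if ch in CONFUSABLES:
            findings.append(
                f"pos {i}: U+{ord(ch):04X} ({unicodedata.name(ch, '?')}) "
                f"looks like '{CONFUSABLES[ch]}'"
            )
        s = script_of(ch)
        if s:
            scripts.add(s)
    # A single name drawn from two alphabets is rare in legitimate software.
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    return findings


def skeleton(name):
    """Replace confusables with their ASCII lookalike so the name compares the way it looks."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def is_suspicious(name):
    """True when the name contains confusables or mixes scripts."""
    return bool(analyze_name(name))


if __name__ == "__main__":
    # Constructed samples: a clean name and one with a Cyrillic 'е' in place of Latin 'e'.
    for sample in ("Recipe-Finder.exe", "R\u0435cipe-Finder.exe"):
        print(repr(sample), "->", skeleton(sample), analyze_name(sample) or "clean")
```

Running `skeleton()` over both the observed name and an allowlist before comparing is the practical takeaway: the lookalike name collapses to the same ASCII string as the genuine one, which is exactly the equality the substitution was meant to defeat.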
Echoes of Past Schemes and a Warning for the Future
While malware hidden in fake software isn’t new - think of the infamous NotPetya and Emotet campaigns - EvilAI’s embrace of AI branding and advanced code-signing tactics marks an unsettling evolution. The sheer scope, with infections reported in India, the US, France, Brazil, and beyond, signals not just technical prowess but a keen understanding of human trust.
Experts warn that as AI tools become essential to modern business, attackers will only get better at blending malicious code with helpful features. The line between friend and foe grows ever thinner, demanding vigilance, skepticism, and a renewed focus on verifying the authenticity of every download.
WIKICROOK
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
- Code: Code is a set of instructions written for computers. In cybersecurity, analyzing code helps detect unauthorized or suspicious software, including hidden threats.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- AES Encryption: AES Encryption is a powerful method for converting data into a secure format, ensuring only authorized parties can access the original information.
- NeutralinoJS: NeutralinoJS is a framework for building desktop apps with web technologies, granting direct access to system resources beyond regular browsers.