Threat actors are increasingly leveraging seemingly legitimate artificial intelligence (AI) tools and software to stealthily distribute malware, posing a significant risk to organizations globally. This sophisticated technique, identified by cybersecurity researchers, involves embedding malicious code within productivity or AI-enhanced applications that users willingly download and install, blurring the lines between trusted software and dangerous threats.
EvilAI Campaign Exploits AI Tools for Malware Distribution
A widespread campaign, codenamed EvilAI by cybersecurity firm Trend Micro, has been observed deploying malware through various productivity and AI-enhanced tools. This operation targets a broad range of sectors, including manufacturing, government, healthcare, technology, and retail. Infections have been reported across Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region, with countries such as India, the U.S., France, Italy, and Brazil experiencing the highest number of cases. Security researchers emphasize that the swift and expansive distribution across multiple regions points to an active and evolving threat campaign currently in circulation.
The attackers behind this EvilAI campaign are described as “highly capable” due to their proficiency in disguising malware within functional applications. They achieve this by making applications appear authentic, complete with professional-looking interfaces and valid digital signatures. Additionally, they employ disposable companies to obtain signing certificates, with older signatures often revoked to maintain a facade of legitimacy over a prolonged period.
The ultimate objective of the EvilAI campaign is multifaceted, focusing on conducting extensive reconnaissance, exfiltrating sensitive browser data, and establishing persistent, encrypted communication with command-and-control (C2) servers. This allows attackers to receive commands and deploy additional harmful payloads discreetly. The propagation methods used are diverse, including newly registered websites that mimic legitimate vendor portals, malicious advertisements, search engine optimization (SEO) manipulation, and promoted download links on forums and social media platforms.
EvilAI primarily functions as a “stager,” a component designed to gain initial access, establish a foothold on the infected system, and prepare it for further malicious activities. Efforts are made to enumerate installed security software and hinder analysis, making detection and subsequent investigation more challenging. Rather than relying on obviously malicious files, these trojans impersonate real software to evade detection in both corporate and personal environments, often gaining persistent access before raising any suspicion. This dual-purpose approach ensures that the user’s expectations of a functional application are met, further reducing the likelihood of suspicion.
Specific Malware and Delivery Mechanisms
Several applications have been identified as part of this distribution method, including AppSuite, Epi Browser, JustAskJacky, Manual Finder, OneStart, PDF Editor, Recipe Lister, and Tampered Chef. Further analysis by G DATA has indicated that the threat actors behind OneStart, ManualFinder, and AppSuite are the same, sharing server infrastructure for distribution and configuration.
“They have been peddling malware disguised as games, print recipe, recipe finder, manual finder, and lately, adding the buzzword ‘AI’ to lure users,” noted security researcher Banu Ramakrishnan. Expel, the cybersecurity company, has also reported that developers behind the AppSuite and PDF Editor campaigns have utilized at least 26 code-signing certificates issued to companies in various locations over the past seven years to lend an air of legitimacy to their software. Expel tracks this malware under the name BaoLoader, distinguishing it from TamperedChef due to differences in behavior and certificate patterns.
BaoLoader is primarily a backdoor, granting operators the ability to execute arbitrary commands on a system, with a focus on advertising fraud. The actors behind this malware often act as affiliate distributors for legitimate software but use the backdoor to install these applications. The applications observed include browser extensions and residential proxies. Expel has reached out to the organizations whose software is being installed. EvilAI is considered a broader category that encompasses BaoLoader and other malware strains, suggesting a potentially larger, interconnected infrastructure where individual malware campaigns possess their own developers, delivery mechanisms, and objectives.
The TamperedChef malware, first identified as a malicious recipe application, establishes a stealthy communication channel with a remote server to receive commands for data theft. TRUESEC also tracks TamperedChef as BaoLoader, highlighting a core backdoor component facilitating advertising fraud. While TamperedChef has used code-signing certificates from Ukraine and Great Britain, BaoLoader consistently employs certificates from Panama and Malaysia.
Additionally, Field Effect and GuidePoint Security have uncovered more digitally signed binaries masquerading as calendar and image viewer tools that leverage the NeutralinoJS desktop framework to execute arbitrary JavaScript code and exfiltrate sensitive data. These applications deploy the original TamperedChef malware. The use of NeutralinoJS allows for covert file system access, process spawning, and network communication, while Unicode homoglyphs are employed to encode payloads within API responses, bypassing string-based detection. The presence of multiple code-signing publishers suggests a shared malware-as-a-service provider or a code-signing marketplace facilitating broad distribution. The TamperedChef campaign exemplifies the evolution of threat actor delivery mechanisms through weaponizing potentially unwanted applications, abusing digital code signing, and deploying covert encoding techniques to bypass endpoint defenses.
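The paragraph above notes that look-alike Unicode characters let a payload slip past string-based detection. As an added example (not code from the original report or from any of the vendors named on this page), the Python below shows why a naive substring rule misses such content and how normalizing the text first restores the match. It assumes the simplest form of the technique, substituting visually similar characters for ASCII ones; the confusables table, the sample response body, the field names and the indicator list are all constructed for illustration.

```python
import unicodedata
from collections import Counter

# Constructed look-alike table (assumption): Cyrillic and Greek letters that render
# like Latin ones. NFKC does not fold these, so a scanner needs an explicit map;
# extend it with the confusables relevant to your environment.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0422": "T", "\u0425": "X", "\u0412": "B", "\u041d": "H", "\u041c": "M",
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",
}

# Invisible characters that are commonly inserted to break substring matches.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\ufeff"}


def normalize_homoglyphs(text: str) -> str:
    """Fold compatibility forms (fullwidth letters, ligatures) with NFKC, drop
    zero-width characters, then map cross-script look-alikes back to ASCII."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded if ch not in ZERO_WIDTH)


def script_mix(text: str) -> dict:
    """Count the scripts seen among letters, using the first word of the Unicode
    character name (LATIN, CYRILLIC, GREEK, ...). A Latin string peppered with
    Cyrillic letters is itself worth flagging, independent of any keyword."""
    counts = Counter()
    for ch in text:
        if ch.isalpha():
            counts[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
    return dict(counts)


def scan_response(body: str, indicators: list) -> dict:
    """Report indicators that match the raw body and those that match only after
    normalization; the second group is what a plain string rule would miss."""
    raw_hits = {i for i in indicators if i.lower() in body.lower()}
    norm = normalize_homoglyphs(body)
    norm_hits = {i for i in indicators if i.lower() in norm.lower()}
    return {
        "raw_hits": sorted(raw_hits),
        "hidden_hits": sorted(norm_hits - raw_hits),
        "scripts": script_mix(body),
    }


# Constructed sample body: "powershell" carries a Cyrillic o (U+043E) and "cmd.exe"
# a Cyrillic c (U+0441); "curl" is left in plain ASCII for comparison.
SAMPLE_RESPONSE = (
    '{"ok":true,"task":"p\u043ewershell","alt":"\u0441md.exe","fetch":"curl"}'
)
INDICATORS = ["powershell", "cmd.exe", "curl"]

if __name__ == "__main__":
    print(scan_response(SAMPLE_RESPONSE, INDICATORS))
```

Run against the sample, only `curl` matches the raw text, while `powershell` and `cmd.exe` surface only after normalization, and the script histogram shows the Cyrillic letters mixed into otherwise Latin content. In practice the normalization step belongs in front of any keyword or YARA-style rule applied to decoded API traffic, and the mixed-script count is a useful secondary signal on its own.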
Update: Attackers Pivot to New Decoy Applications
In a follow-up report, WithSecure stated that the operators of the AppSuite PDF Editor responded to prior disclosures by releasing “clean” versions of the application that removed data-stealing features but still connected to attacker-controlled infrastructure. As defenders began detecting and blocking AppSuite PDF Editor, the threat actors pivoted to another decoy application named S3-Forge, which is reportedly under active development. The TamperedChef campaign demonstrates a high level of planning and execution, from acquiring code-signing certificates and developing legitimate-looking applications to running targeted ad campaigns. The impact is significant, with anyone who installed the compromised AppSuite PDF Editor expected to assume their browser-stored credentials are at risk.