
EvilAI Malware Masquerades as AI Tools to Infiltrate Global Organizations

  • Writer: Security Awareness Teams
  • Sep 30
  • A new malware campaign, dubbed EvilAI, is being used by threat actors to disguise malicious software as legitimate AI or productivity tools, enabling it to infiltrate organizations across the globe.

  • The campaign affects many sectors, including manufacturing, government, healthcare, technology, and retail, and has been observed in regions such as Europe, the Americas, and the Asia-Middle East-Africa (AMEA) region.

  • Some of the masqueraded tools include “AppSuite,” “Epi Browser,” “PDF Editor,” “OneStart,” “Manual Finder,” “Tampered Chef,” and others—tools that seem innocent or beneficial but carry hidden malicious behavior.

  • The attackers use professional-looking interfaces and valid digital signatures (from disposable or short-lived companies) to make the software appear trustworthy and bypass detection.

  • EvilAI acts as a stager—its goal is to gain initial access, persist on the system, perform reconnaissance (e.g. enumerate security software), exfiltrate sensitive data (such as browser data), and maintain real-time, AES-encrypted communications with command-and-control (C2) servers.

  • Distribution methods include:

    1. Creating new websites that mimic vendor portals

    2. Malicious ads

    3. SEO manipulation

    4. Promoted download links on forums and social media

  • Some associated campaigns (e.g., AppSuite, OneStart, ManualFinder) share infrastructure and possibly a common developer or malware-as-a-service provider.

  • The use of code-signing certificates from various countries (e.g., Panama, Malaysia) further helps the malware to seem legitimate.

  • The article also notes that the malware uses advanced techniques such as Unicode homoglyphs (to obfuscate strings) and embedding payloads in seemingly benign API responses, making signature-based detection harder.
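The homoglyph trick defeats a literal string signature because the bytes differ while the rendered text looks the same. The following added example (not from the article or the reports it summarises) shows a defender-side check that folds look-alike characters to a Latin skeleton before matching and flags strings that mix scripts; the confusables table and the watch-list terms are a constructed illustrative subset, not EvilAI indicators.

```python
import unicodedata

# Constructed illustrative subset of look-alike characters (not the full
# Unicode confusables table): non-Latin letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Constructed watch-list of terms a detection rule might look for.
WATCHLIST = ["powershell", "taskkill", "defender"]

# Constructed sample: "powershell" with a Cyrillic 'о' in place of the Latin 'o'.
SAMPLE_OBFUSCATED = "p\u043ewershell -w hidden"


def skeleton(s: str) -> str:
    """Fold a string to a Latin skeleton: NFKC-normalise, casefold, then
    replace each known look-alike with the Latin letter it imitates."""
    s = unicodedata.normalize("NFKC", s).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def scripts_in(s: str) -> set:
    """Approximate the set of scripts used by letters in s via the first word
    of each character's Unicode name (e.g. 'LATIN', 'CYRILLIC', 'GREEK')."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in s if ch.isalpha()}


def analyse(s: str, watchlist):
    """Return (mixed_script, matched_terms): whether s mixes scripts, and which
    watch-list terms appear once both sides are reduced to their skeleton."""
    mixed = len(scripts_in(s)) > 1
    sk = skeleton(s)
    hits = [term for term in watchlist if skeleton(term) in sk]
    return mixed, hits
```

A naive `"powershell" in SAMPLE_OBFUSCATED` check returns False, while `analyse` both matches the term and flags the mixed-script string.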

More details on The Hacker News
