Fake AI Tools Are the New Trojan Horse: Why SMBs Must Stay Vigilant
As artificial intelligence (AI) tools rapidly enter the mainstream of business and marketing workflows, cybercriminals are taking full advantage. Recent threat intelligence highlights a troubling new trend: fake installers for popular AI tools are being weaponized to deliver ransomware and other malware.
At the center of these campaigns are counterfeit versions of widely used platforms like ChatGPT and InVideo AI. These fake downloads are infecting users
with malware strains such as CyberLock, Lucky_Gh0$t, and a newly discovered wiper called Numero—posing serious risks for small and midsized businesses (SMBs) with limited IT resources.
The Lure of Fake AI Tools
Cybercriminals are spinning up deceptive websites that mimic legitimate AI platforms. One example: novaleadsai[.]com, which impersonates a real lead monetization service. These fake sites use SEO manipulation to appear legitimate, drawing in users who are often simply looking to boost productivity with AI.
Instead of getting a useful tool, the victim downloads a ZIP archive that hides a malware loader. For instance, the fake NovaLeadsAI.exe launches CyberLock ransomware, which encrypts files and demands cryptocurrency as ransom.
Behind the Malware
CyberLock Ransomware
Targets specific files for encryption, issues a $50,000 Monero ransom, and wipes unused disk space to prevent recovery—all while pushing a false humanitarian narrative.
Lucky_Gh0$t Ransomware
Disguises itself as a legitimate system file. It targets small files, deletes backups, and communicates through encrypted messaging apps.
Numero Malware
Masquerades as an InVideo AI installer and cripples Windows machines by looping distorted processes to make systems unusable.
AI as a Malware Delivery Channel
Fake AI apps are quickly becoming a new attack vector. A campaign discovered by Mandiant revealed how attackers used fake ads on Facebook and LinkedIn to promote AI tools that served as delivery mechanisms for the STARKVEIL malware suite.
Victims were lured to cloned websites, where they unknowingly downloaded a Rust-based dropper that installed multiple threats:
-
GRIMPULL – A TOR-enabled downloader for encrypted payloads
-
FROSTRIFT – A backdoor focused on browser-based password and crypto theft
-
XWorm – A remote access trojan with keylogging and screen capture capabilities
-
COILHATCH – A Python-based component for stealth execution via DLL side-loading
What This Means for SMBs
SMBs are often the most vulnerable to this kind of attack—not because of negligence, but because of limited staff, unclear policies, and the fast pace of AI adoption. Teams eager to harness AI for customer service, content creation, or operations may unknowingly open the door to malware, data loss, and regulatory exposure.
Most small businesses don’t have the in-house resources to detect unauthorized AI usage—or to know whether internal data is already being exposed to AI platforms.
Recommendations for SMBs
-
Avoid downloading AI tools from unofficial sources or third-party sites.
-
Educate employees on spotting fake AI apps and websites.
-
Keep endpoint detection and response (EDR) solutions updated and tuned for PowerShell or script-based threats.
-
Enforce application control and restrict unauthorized software downloads.
-
Conduct regular awareness training on AI security risks and hygiene.
-
Audit your organization’s use of AI tools to uncover unknown usage or data exposure risks.
Final Thoughts
AI has created powerful new business opportunities—but it has also created new vulnerabilities. The growing use of AI in everyday business means that SMBs can no longer afford to treat it as just another tool. It’s now part of the cybersecurity landscape.
If you’re unsure what AI tools are in use across your company—or whether proprietary or client data may have been exposed—Blackswan AIE (Audit, Inventory, Expunge) AI exposure protection can help. From uncovering shadow AI usage to coordinating data deletion requests, we help SMBs take back control.
Want peace of mind? Call us today: 855.BLK.SWAN (855-255-7926)
Contact us to schedule a no-cost consultation or learn how AIE can help safeguard your business from invisible AI risks.