by jdpoteet | Jul 1, 2025 | News, Blogs
Fake AI Tools Are the New Trojan Horse: Why SMBs Must Stay Vigilant
As artificial intelligence (AI) tools rapidly enter the mainstream of business and marketing workflows, cybercriminals are taking full advantage. Recent threat intelligence highlights a troubling new trend: fake installers for popular AI tools are being weaponized to deliver ransomware and other malware.
At the center of these campaigns are counterfeit versions of widely used platforms like ChatGPT and InVideo AI. These fake downloads are infecting users with malware strains such as CyberLock, Lucky_Gh0$t, and a newly discovered wiper called Numero—posing serious risks for small and midsized businesses (SMBs) with limited IT resources.
The Lure of Fake AI Tools
Cybercriminals are spinning up deceptive websites that mimic legitimate AI platforms. One example: novaleadsai[.]com, which impersonates a real lead monetization service. These fake sites use SEO manipulation to appear legitimate, drawing in users who are often simply looking to boost productivity with AI.
Instead of getting a useful tool, the victim downloads a ZIP archive that hides a malware loader. For instance, the fake NovaLeadsAI.exe launches CyberLock ransomware, which encrypts files and demands cryptocurrency as ransom.
Behind the Malware
CyberLock Ransomware
Targets specific files for encryption, issues a $50,000 Monero ransom, and wipes unused disk space to prevent recovery—all while pushing a false humanitarian narrative.
Lucky_Gh0$t Ransomware
Disguises itself as a legitimate system file. It targets small files, deletes backups, and communicates through encrypted messaging apps.
Numero Malware
Masquerades as an InVideo AI installer and cripples Windows machines by looping distorted processes to make systems unusable.
AI as a Malware Delivery Channel
Fake AI apps are quickly becoming a new attack vector. A campaign discovered by Mandiant revealed how attackers used fake ads on Facebook and LinkedIn to promote AI tools that served as delivery mechanisms for the STARKVEIL malware suite.
Victims were lured to cloned websites, where they unknowingly downloaded a Rust-based dropper that installed multiple threats:
- GRIMPULL – A TOR-enabled downloader for encrypted payloads
- FROSTRIFT – A backdoor focused on browser-based password and crypto theft
- XWorm – A remote access trojan with keylogging and screen capture capabilities
- COILHATCH – A Python-based component for stealth execution via DLL side-loading
What This Means for SMBs
SMBs are often the most vulnerable to this kind of attack—not because of negligence, but because of limited staff, unclear policies, and the fast pace of AI adoption. Teams eager to harness AI for customer service, content creation, or operations may unknowingly open the door to malware, data loss, and regulatory exposure.
Most small businesses don’t have the in-house resources to detect unauthorized AI usage—or to know whether internal data is already being exposed to AI platforms.
Recommendations for SMBs
- Avoid downloading AI tools from unofficial sources or third-party sites.
- Educate employees on spotting fake AI apps and websites.
- Keep endpoint detection and response (EDR) solutions updated and tuned for PowerShell or script-based threats.
- Enforce application control and restrict unauthorized software downloads.
- Conduct regular awareness training on AI security risks and hygiene.
- Audit your organization’s use of AI tools to uncover unknown usage or data exposure risks.
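The last recommendation, auditing which AI tools are actually in use and whether data is flowing to them, can be started from the web proxy logs most SMBs already have. The following Python script is an added example written for this page, not a Blackswan tool or part of the AIE service: it inventories AI-service traffic per user, separates sanctioned from unsanctioned services, and flags large POST/PUT requests to those services as possible data uploads. The proxy log format, the user names and the byte counts are constructed; the hostnames listed under AI_SERVICES are real public endpoints, but which of them count as "sanctioned" and the 200 KB upload threshold are assumptions you would replace with your own policy.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hostnames of some well-known AI services, used to recognise AI traffic in proxy logs.
# Which of them count as sanctioned is an assumption of this example; substitute your own policy.
AI_SERVICES = {
    "chatgpt.com": "ChatGPT", "chat.openai.com": "ChatGPT", "api.openai.com": "OpenAI API",
    "claude.ai": "Claude", "gemini.google.com": "Gemini", "copilot.microsoft.com": "Copilot",
}
SANCTIONED = {"Copilot"}          # assumed: the one AI service this organisation has approved
UPLOAD_THRESHOLD = 200_000        # bytes sent in one request; larger POST/PUTs are treated as uploads

# Constructed proxy log lines (time user method host:port bytes_sent status). Not real traffic.
SAMPLE_LOG = """\
2025-06-30T09:01:12Z alice POST copilot.microsoft.com:443 4120 200
2025-06-30T09:05:40Z bob POST chatgpt.com:443 1830 200
2025-06-30T09:06:02Z bob POST chatgpt.com:443 2300512 200
2025-06-30T10:12:55Z carol GET claude.ai:443 512 200
2025-06-30T10:13:30Z carol POST claude.ai:443 780000 200
2025-06-30T11:00:00Z dave GET www.example.com:443 300 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|CONNECT) ([^:\s]+)(?::\d+)? (\d+) (\d+)$")


@dataclass
class Hit:
    time: str
    user: str
    method: str
    service: str
    host: str
    bytes_sent: int


def service_for(host):
    """Map a hostname (or any subdomain of a listed one) to its AI service name, else None."""
    host = host.lower()
    for listed, name in AI_SERVICES.items():
        if host == listed or host.endswith("." + listed):
            return name
    return None


def parse_hits(log_text):
    """Parse the constructed log format and keep only requests to known AI services."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the audit
        time, user, method, host, sent, _status = m.groups()
        svc = service_for(host)
        if svc:
            hits.append(Hit(time, user, method, svc, host, int(sent)))
    return hits


def audit(log_text):
    """Inventory AI usage per user, and flag unsanctioned services and large uploads."""
    inventory = defaultdict(set)
    unsanctioned = defaultdict(set)
    large_uploads = []
    for h in parse_hits(log_text):
        inventory[h.user].add(h.service)
        if h.service not in SANCTIONED:
            unsanctioned[h.user].add(h.service)
        # A big request body to an AI service is the signal to chase for data-exposure review.
        if h.method in ("POST", "PUT") and h.bytes_sent >= UPLOAD_THRESHOLD:
            large_uploads.append(h)
    return {
        "inventory": {u: sorted(s) for u, s in inventory.items()},
        "unsanctioned": {u: sorted(s) for u, s in unsanctioned.items()},
        "large_uploads": large_uploads,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for user, services in report["inventory"].items():
        print(f"{user}: uses {', '.join(services)}")
    for user, services in report["unsanctioned"].items():
        print(f"UNSANCTIONED {user}: {', '.join(services)}")
    for h in report["large_uploads"]:
        print(f"UPLOAD {h.time} {h.user} sent {h.bytes_sent} bytes to {h.service} ({h.host})")
```

Byte counts in a proxy log only show that something large was sent, not what it was; the point of the report is to give a small IT team a short list of users and services to follow up with, which is the "uncover unknown usage" step the recommendation describes. With TLS inspection off, the host and size fields are usually all a proxy records, so the script deliberately relies on nothing more.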
Final Thoughts
AI has created powerful new business opportunities—but it has also created new vulnerabilities. The growing use of AI in everyday business means that SMBs can no longer afford to treat it as just another tool. It’s now part of the cybersecurity landscape.
If you’re unsure what AI tools are in use across your company—or whether proprietary or client data may have been exposed—Blackswan AIE (Audit, Inventory, Expunge) AI exposure protection can help. From uncovering shadow AI usage to coordinating data deletion requests, we help SMBs take back control.
Want peace of mind? Call us today: 855.BLK.SWAN (855-255-7926)
Contact us to schedule a no-cost consultation or learn how AIE can help safeguard your business from invisible AI risks.
by jdpoteet | Jul 1, 2025 | News
Blackswan Cybersecurity and our valued partner Austin Contreras, CTO of Corsicana ISD, were recently highlighted by Stellar Cyber Open XDR for #PartnershipTuesday!
“Blackswan Cybersecurity felt like a true partner from day one—from calm, expert support during a real security event, to helping us build a right-sized security program, to ongoing proactive support and an intuitive, powerful dashboard,” writes customer Austin Contreras. “Blackswan isn’t just watching alerts—they’re shoulder to shoulder with us.”
With enhanced visibility powered by Stellar Cyber’s Open XDR platform, Blackswan continues to lead in managed security—earning a spot on the 2024 Top 250 MSSPs list for the third year running.
Our mission remains clear: support the success of our customers and bring forward-thinking cybersecurity solutions to the communities we serve.
by jdpoteet | Jun 26, 2025 | News, Videos/Podcasts
A Historic Credential Leak: What 16 Billion Stolen Logins Mean for Your Security
A record-breaking trove of over 16 billion login credentials has surfaced across multiple databases—marking one of the largest known exposures of sensitive data to date. Unlike traditional breaches tied to a single organization, this cache was compiled from a wide range of sources, largely through the use of infostealer malware.
In a recent expert discussion, cybersecurity leaders W. Curtis Preston, Dr. Mike Saylor (CEO, Blackswan Cybersecurity), and Prasanna Malaiyandi unpack the scale and implications of this credential leak. They explore how infostealers operate silently on infected systems, harvesting usernames, passwords, and even session tokens—often without users ever knowing.
The conversation highlights why your everyday internet habits may be unintentionally putting your data at risk. Topics include practical tips on browser hygiene, multi-factor authentication (MFA) do’s and don’ts, and modern password management tools. Dr. Saylor also shares key insights on session security—explaining how having multiple tabs open during sensitive logins can leave your accounts vulnerable.
Don’t miss this important breakdown packed with straightforward, actionable advice to help you protect your digital identity in the wake of this unprecedented credential exposure.
by jdpoteet | Jun 19, 2025 | News, Blogs
In today’s cyber threat landscape, it’s not the obvious attacks that slip past defenses—it’s the stealthy ones. The recent Fog ransomware attack, detailed by Symantec, shows just how quietly sophisticated ransomware groups have become. But this kind of multi-stage, tool-heavy campaign is exactly the type of threat Blackswan Cybersecurity’s MDR and Open XDR are built to detect.

What Happened in the Fog Ransomware Attack?
In May 2025, a financial institution in Asia was hit by a Fog ransomware campaign that involved more than just encryption and extortion. The attackers spent two weeks inside the network, leveraging a mix of legitimate admin tools, open-source pentesting utilities, and espionage techniques. Key tools included:
- GC2: A command-and-control tool previously linked to China’s APT41, using Google Drive and SharePoint for stealthy data exfiltration.
- Syteca: A legitimate employee monitoring tool repurposed for keylogging and screen capture.
- Adaptix C2, Stowaway, PsExec, SMBExec: For lateral movement, persistence, and post-exploitation.
- Freefilesync and MegaSync: For fast, quiet data exfiltration.
The campaign blended espionage tactics with ransomware deployment—suggesting this wasn’t just about money. It was about persistence, stealth, and data access.
Why This Should Worry You—Even If You’re Not a Global Bank
While this attack targeted a financial organization, it mirrors what we see in U.S. education, local government, and credit union environments every day. These industries often lack the internal resources to monitor complex, blended attacks—making them prime targets for threat actors using these exact methods.
How Blackswan MDR + Open XDR Stops This Threat Pattern Cold
Blackswan Cybersecurity’s 24/7 Managed Detection & Response (MDR) and Open XDR platform (powered by Stellar Cyber) are purpose-built for detecting advanced tactics like those used in the Fog attack.
✅ High-Fidelity Ingestion: Our platform integrates logs, telemetry, and endpoint signals from across your environment—no blind spots. We’d catch GC2’s abnormal communication paths, even when disguised as SharePoint traffic.
✅ Anomaly Detection: Lateral movement via PsExec or unusual service creation? Flagged instantly by our AI-driven correlation engine.
✅ Threat Intelligence Correlation: Tools like Adaptix and Stowaway are already mapped to known attacker TTPs in our XDR engine, thanks to continuous threat intel updates.
✅ Expert Human Analysis: Every alert is reviewed by trained analysts—ensuring we catch what automation can’t and minimize false positives.
✅ Rapid Incident Response: If something slips through, we don’t wait. Our MDR team responds fast—containing threats before they cause disruption or data loss.
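The "unusual service creation" signal mentioned above is worth seeing in concrete form, because PsExec and SMBExec both leave it behind: each remote execution installs a Windows service on the target, logged as System Event ID 7045. The Python script below is an added example written for this page, not Blackswan's, Stellar Cyber's or Symantec's detection logic. It reads a constructed key=value rendering of 7045 events (hostnames, accounts and timestamps are made up, not telemetry from the Fog incident) and applies three rules a defender would typically start with: PsExec's well-known default service name PSEXESVC, a service whose "binary" is a cmd.exe one-liner (the pattern smbexec-style tools produce), and a service binary living in a user-writable directory. It also reports any non-SYSTEM account that installed services on more than one host, since that is the lateral-movement shape regardless of which tool was used.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Windows System log lines (Event ID 7045, "A service was installed in
# the system"), flattened to key=value form for this example. Hosts, accounts and times are
# made up; none of this is telemetry from the Fog incident described above.
SAMPLE_EVENTS = [
    "2025-05-03T02:14:07Z host=FS01 EventID=7045 User=CORP\\svc_backup ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType=demand start",
    "2025-05-03T02:15:41Z host=FS01 EventID=7045 User=CORP\\svc_backup ServiceName=BTOBTO ImagePath=%COMSPEC% /Q /c echo dir ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat StartType=demand start",
    "2025-05-03T02:21:09Z host=WS22 EventID=7045 User=CORP\\svc_backup ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType=demand start",
    "2025-05-03T09:02:10Z host=WS22 EventID=7045 User=NT AUTHORITY\\SYSTEM ServiceName=UpdaterSvc ImagePath=C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe StartType=auto start",
    "2025-05-03T10:30:00Z host=DC01 EventID=7045 User=NT AUTHORITY\\SYSTEM ServiceName=WaaSMedicSvc ImagePath=C:\\Windows\\System32\\svchost.exe -k WaasMedicSvc StartType=auto start",
    "2025-05-03T11:00:00Z host=WS22 EventID=4624 User=CORP\\jdoe LogonType=3",
]

# key=value pairs; a value runs until the next " key=" token or end of line, so paths with spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Directories a service binary should normally not live in (matched case-insensitively).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


@dataclass
class Finding:
    time: str
    host: str
    user: str
    service: str
    image_path: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Return (timestamp, fields) for one constructed key=value log line."""
    stamp, _, rest = line.partition(" ")
    return stamp, dict(KV_RE.findall(rest))


def check_service_install(stamp, ev):
    """Apply the service-install rules to one Event ID 7045 record; None if nothing fires."""
    name = ev.get("ServiceName", "")
    path = ev.get("ImagePath", "")
    lowered = path.lower()
    reasons = []
    if name.upper() == "PSEXESVC":               # PsExec's default remote service name
        reasons.append("PsExec default service name")
    if "%comspec%" in lowered or ("cmd.exe" in lowered and "/c" in lowered):
        reasons.append("service image is a cmd.exe one-liner")   # smbexec-style execution
    if any(marker in lowered for marker in USER_WRITABLE):
        reasons.append("service binary in user-writable path")
    if not reasons:
        return None
    return Finding(stamp, ev.get("host", "?"), ev.get("User", "?"), name, path, reasons)


def analyze(lines):
    """Return per-event findings plus accounts that installed services on several hosts."""
    findings = []
    hosts_by_user = {}
    for line in lines:
        stamp, ev = parse_event(line)
        if ev.get("EventID") != "7045":
            continue
        user = ev.get("User", "")
        # Local SYSTEM installs are not remote logons, so they do not count toward "spreading".
        if not user.upper().startswith("NT AUTHORITY"):
            hosts_by_user.setdefault(user, set()).add(ev.get("host"))
        f = check_service_install(stamp, ev)
        if f:
            findings.append(f)
    # One account installing services on more than one host in the window is the lateral-movement
    # shape worth escalating even when each individual install looks benign.
    spreading = {u: sorted(h) for u, h in hosts_by_user.items() if len(h) > 1}
    return findings, spreading


if __name__ == "__main__":
    found, spread = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.time} {f.host} {f.user} service={f.service!r}: {', '.join(f.reasons)}")
    for user, hosts in spread.items():
        print(f"{user} installed services on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample the script flags both PSEXESVC installs, the cmd.exe one-liner service on FS01 and the Temp-directory service on WS22, leaves the legitimate svchost-hosted service on DC01 alone, and reports svc_backup as having installed services on two hosts within minutes. In a real environment the rules need an allowlist for deployment tools that legitimately create services, which is the tuning step a managed detection team does for each customer.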
We Regularly Catch Attacks Like This
Whether it starts with a phishing email, vulnerable server, or abused VPN credentials, our MDR + XDR stack turns complex, multi-tool attacks into manageable signals. This isn’t just theoretical—it’s how we catch threats before encryption starts and while attackers are still moving laterally.
We’re proud to protect school districts, government agencies, and credit unions from the very threats making headlines—without overwhelming their internal teams.
Ready to See It in Action?
Let’s talk about how Blackswan Cybersecurity can help your organization detect and defeat advanced attacks—before they turn into a breach.
by jdpoteet | Jun 5, 2025 | News, Videos/Podcasts
In this must-listen episode of The Cyber Security Recruiter podcast, host Chris Foulon sits down with Dr. Mike Saylor, one of the nation’s leading voices in cybersecurity workforce development and threat defense.
Dr. Saylor wears many hats in the cybersecurity landscape:
- CEO of Blackswan Cybersecurity, a premier managed cybersecurity services provider for K12 and mid-market organizations
- Professor of Cybersecurity & Digital Forensics at the University of Texas at San Antonio (UTSA)
- Executive Director at the Cyber Defense Center
- Infragard North Texas – Sector Chief (Healthcare)
- Fusion Liaison Officer at the North Central Texas Fusion Center
With decades of experience at the intersection of cybersecurity operations, education, and public-private collaboration, Dr. Saylor brings a well-rounded perspective to one of the industry’s most urgent challenges: the cybersecurity workforce gap.
🔐 Episode Highlights:
- The misalignment between cybersecurity job requirements and the real-world skills of college graduates
- Why many cyber job descriptions are outdated, inflated, or unrealistic, and how this discourages otherwise qualified talent
- The disconnect between employer expectations and training programs—and how frameworks like NICE (National Initiative for Cybersecurity Education) can help
- Actionable advice for aspiring cybersecurity professionals on certifications, hands-on experience, and career planning
- How Blackswan Cybersecurity is helping close the workforce gap through mentorship, internships, and real-world readiness
This episode is packed with insights for cyber recruiters, employers, students, and career changers who want to better understand the cybersecurity talent shortage, what’s causing it, and how to fix it.
🎧 Listen now on YouTube.