Threats are Disguised by Cybercriminals as Installers of AI Tools


Shorts:

  • Cisco Talos has identified new threats that pose as genuine installers of AI tools: the CyberLock and Lucky_Gh0$t ransomware families, and a recently discovered destructive malware we call “Numero.”
  • The main goal of the PowerShell-based CyberLock ransomware is to encrypt specific file types on the victim’s computer. In the ransom note, the threat actor falsely states that the money will be used to provide humanitarian assistance in Palestine, Ukraine, Africa, and Asia, among other places.
  • Lucky_Gh0$t is another variant of the Yashma ransomware, itself the sixth version of the Chaos ransomware series, with only a few changes to the ransomware binary.
  • Numero, a recently discovered destructive malware, renders PCs completely unusable by interfering with the graphical user interface (GUI) components of its victims’ Windows operating systems.

Through automation, data-driven decision-making, and improved consumer interactions, artificial intelligence (AI) has become more prevalent across a range of business verticals, transforming entire industries. However, as AI continues to advance in a number of industry areas, bad actors are taking advantage of its widespread use by distributing a variety of malware masquerading as tools and installers for AI solutions.

Threat actors are using a range of methods and platforms to spread these fake installers, such as social media messengers or Telegram, as well as SEO poisoning strategies to skew search engine rankings so that their malicious websites or download links show up at the top of search engine results.

As a result, unsuspecting companies looking for AI solutions could be tricked into installing fake tools that contain malware. This conduct is dangerous because it not only jeopardizes financial assets and private company information but also erodes confidence in genuine AI market solutions. To avoid becoming victims of these threats, businesses and users must be extremely cautious, carefully check their sources, and only use reliable vendors.

The CyberLock and Lucky_Gh0$t ransomware families, as well as a recently discovered destructive malware known as “Numero,” are among the threats Talos has recently found circulating in the wild under the guise of AI solutions. The fact that the genuine versions of these AI tools are especially popular in the B2B sales space, as well as the technology and marketing sectors, suggests that people and businesses in these areas are particularly exposed to these threats.

CyberLock ransomware

Talos observed a threat actor create a lookalike fake AI solution website at the domain “novaleadsai[.]com” in order to impersonate the legitimate domain “novaleads.app,” a lead monetization platform that helps businesses maximize the value of their leads through a variety of services and performance-based models.

Figure 1. Fake website advertising the AI tool.

The actor entices users to download the software from the phony website with the promise of free tool access for the first 12 months, followed by a $95 monthly subscription. Additionally, the threat actor employed an SEO manipulation technique that caused the phony website to rank highly in search engine results.

When a user downloads the phony AI product, the ZIP package contains a .NET executable with the file name “NovaLeadsAI.exe.” The phony domain “novaleadsai[.]com” was registered on February 2, 2025, the same day the executable was compiled.

“NovaLeadsAI.exe” is a loader that carries the CyberLock ransomware PowerShell script embedded as a resource file. The ransomware is released when the victim runs the loader program.

Figure 2. Snippet of the CyberLock ransomware loader.

CyberLock ransom note

The CyberLock ransomware appears to have been in operation as early as February 2025. According to the ransom note, the threat actor has complete access to private files, critical corporate documents, and sensitive databases, and demands a large payment in return for the decryption keys. To contact the threat actor, victims are told to send an email to “cyberspectreislocked@onionmail[.]org.”

The CyberLock threat actor uses psychological tactics, falsely claiming that the ransom money will be used for humanitarian relief in places like Palestine, Ukraine, Africa, and Asia, and demands that the USD $50,000 ransom be paid only in Monero (XMR) cryptocurrency. To make tracking more difficult for defenders, the actor splits the payment across two distinct wallets.

The ransom note coerces and scares victims by threatening to reveal stolen data if payment is not received within three days. However, Talos has found no indication that the ransomware had any data exfiltration capability.

Figure 3. CyberLock ransom note.

CyberLock, the PowerShell ransomware

The CyberLock ransomware is written in PowerShell, encoded, and delivered to victims as a resource inside a .NET loader written in C#.

When CyberLock runs, it first hides the PowerShell window using the GetConsoleWindow function from kernel32.dll and the ShowWindow function from user32.dll. After decrypting the embedded encrypted public key, it generates a secret and uses it to derive the AES key and IV used during the encryption routine.

Figure 4. Snippet of CyberLock ransomware.

If CyberLock isn’t already running in an elevated context, it can elevate privileges by re-executing itself with administrative privileges.

Figure 5. Snippet of CyberLock ransomware.

CyberLock enumerates the folders and files on the logical partitions “C:\,” “D:\,” and “E:\.” It encrypts the targeted files with AES and appends the file extension “.cyberlock” to the encrypted files.

Figure 6. Snippet of CyberLock ransomware.

Below are the categories and the targeted file extensions:

Text Documents: .txt, .doc, .docx, .odt, .rtf, .md, .rst, .tex, .sty
Spreadsheets: .xls, .xlsx, .ods, .csv, .tsv
Presentations: .ppt, .pptx, .odp, .potx, .ppsx
PDF & eBooks: .pdf, .pdfx, .epub, .mobi, .azw, .azw3, .chm, .hlp
Images: .jpg, .jpeg, .png, .gif, .bmp, .tiff, .raw, .svg, .jfif, .ico, .webp
Audio: .mp3, .wav, .ogg, .aac, .flac, .m4a, .m4b, .caf, .mp3g
Video: .avi, .mp4, .mov, .mkv, .wmv, .webm, .3gp, .flv, .m4v, .vob, .mts, .m2ts, .ts, .mxf, .divx, .mpeg, .mpg, .ram, .rm
Archives & Disk Images: .zip, .rar, .7z, .tar, .gz, .xz, .tar.gz, .tar.bz2, .iso, .iso9660, .img, .dmg, .cdr, .zipx, .cab, .zpaq, .seam, .rar5
Executables & Scripts: .exe, .bat, .cmd, .sh, .ps1, .vbs, .js, .appx, .apk, .ipa, .deb, .rpm, .whl
Code & Programming: .html, .css, .scss, .xml, .json, .yaml, .cfg, .sql, .pl, .rb, .py, .lua, .h, .c, .cpp, .m, .swift, .java, .asm, .psm1
Database Files: .sql, .mdb, .accdb, .db, .sqlite, .sqlitedb, .db3, .sqlite3
System & Config: .log, .bak, .tmp, .swp, .ini, .plist, .xmlrpc, .dsk, .xcv
Fonts: .ttf, .otf, .woff, .woff2, .eot, .pfb
Design & Graphics: .ai, .psd, .indd, .eps, .fla, .swf
Backup & Virtual Machine: .vhd, .vmdk, .qcow2, .gho, .vpb
GIS & Maps: .gpx, .kml, .shp
Other Files: .torrent, .bup, .ifo, .bin, .dll, .msi, .sys, .qif, .pages, .key, .numbers, .rdata, .seed, .3dxml, .kdbx


After encrypting the targeted files, CyberLock creates a ransom note named “ReadMeNow.txt” on the victim’s desktop. The ransomware PowerShell script writes the contents of the note from embedded strings.

Talos observed that after dropping the ransom note, the ransomware changes the desktop wallpaper on the victim’s computer. The threat actor downloads a header image from a cybersecurity organization’s blog post and places it in the temporary application folder of the victim’s user profile. The script then sets the registry value “Wallpaper” to the path of the downloaded image and uses PowerShell commands to apply it. Talos is unsure of the actor’s motivation for using a security research blog post header image as the victim’s desktop wallpaper.

Figure 7. Snippet of CyberLock ransomware.

Figure 8. Sample blog post header wallpaper.

Lastly, CyberLock hinders forensic recovery of deleted files by overwriting the free space on the victim’s hard disk partitions using the living-off-the-land binary (LoLBin) “cipher.exe” with the “/w” option.

Figure 9. Command execution to wipe the hard drive’s free space.

“Cipher.exe” is a built-in Windows command-line utility for managing file and folder encryption. Its “/w” option overwrites free space so that deleted files cannot be recovered. Microsoft created this for legitimate purposes, such as securely wiping disks before they are moved or complying with data protection regulations that require private information to be unrecoverable by unauthorized individuals.

Threat actors frequently abuse this feature to erase traces of their activity or to permanently destroy files on target computers. Researchers at Volexity noted that a Russian APT had previously used this technique in its attacks. However, Talos has not seen any evidence linking this behavior to the activity detailed in those earlier reports.
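As an added example (not code from the Talos report or this article), the following Python detector applies the distinction just described to process-creation telemetry: any cipher.exe run with the “/w:” switch is flagged, and a script-host parent such as powershell.exe, which matches how CyberLock invokes it, raises the severity, while interactive administrative use stays at medium. The Sysmon-style JSON log format and the sample events are constructed assumptions.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample process-creation telemetry: one JSON object per line with
# Sysmon-style fields. Paths, users and values are illustrative only.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\cipher.exe", "CommandLine": "cipher.exe /w:C:\\", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\jdoe"}
{"Image": "C:\\Windows\\System32\\cipher.exe", "CommandLine": "cipher /W:D:\\", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\itadmin"}
{"Image": "C:\\Windows\\System32\\cipher.exe", "CommandLine": "cipher /e C:\\Users\\jdoe\\Documents", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe ReadMeNow.txt", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"}
"""

# The /w: switch is what turns cipher.exe from an EFS tool into a free-space wiper.
WIPE_SWITCH = re.compile(r"(?:^|\s)/w:(\S+)", re.IGNORECASE)
# A script host as parent indicates automated use, as in the CyberLock PowerShell script.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a free-space wipe, or None for benign or unrelated events."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if image != "cipher.exe":
        return None
    match = WIPE_SWITCH.search(event.get("CommandLine", ""))
    if not match:
        return None  # cipher.exe without /w only manages EFS encryption
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    # Admins legitimately wipe free space (disk decommissioning), so interactive
    # use is only medium; a script-host parent is the high-signal combination.
    severity = "high" if parent in SCRIPT_HOSTS else "medium"
    return {"severity": severity, "user": event.get("User", ""),
            "parent": parent, "target": match.group(1)}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse newline-delimited JSON events and collect wipe findings in order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        hit = classify(json.loads(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} wiped free space on {f['target']} via {f['parent']}")
```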

Lucky_Gh0$t ransomware as a fake ChatGPT installer

Talos has found a threat actor in the wild spreading the Lucky_Gh0$t ransomware packaged as “ChatGPT 4.0 full version – Premium.exe,” a self-extracting archive (SFX) installer.

The Lucky_Gh0$t ransomware executable, which mimics the genuine Microsoft executable “dwm.exe,” was found in a subdirectory inside the malicious SFX installer. The folder also contained official Microsoft open-source AI tools for developers and data scientists working with AI, particularly in the Azure ecosystem, which are available in Microsoft’s GitHub repository. By bundling legitimate tools in the SFX archive so that it looks like a valid package, the threat actor probably aims to evade detection by anti-malware file scanners.

When a victim launches the malicious SFX installer file, the SFX script starts the ransomware.

Figure 10. Malicious SFX executable contents.

Lucky_Gh0$t, a variant of the Yashma ransomware, retains most of Yashma’s characteristics, including its evasion tactics, its ability to delete volume shadow copies and backups, and its encryption scheme using AES-256 and RSA-2048. Talos has also noticed a few small changes in the Lucky_Gh0$t code, including specific file size constraints that the ransomware applies when encrypting.

Using the RSA-encrypted AES key, Lucky_Gh0$t encrypts files on the victim’s computer that are smaller than roughly 1.2 GB and appends a random 4-character alphanumeric file extension. The following file categories are targeted for encryption:

  • Text, code, and config files
  • Microsoft Office and Adobe files
  • Media formats and images
  • Archives and installers
  • Backup and database files
  • Android package kit, Java Server Pages, and Active Server Pages
  • Certificate files
  • Visual Studio Solutions and PostScripts

Figure 11. Lucky_Gh0$t encryption function for files less than 1.2 GB.

For targeted files larger than 1.2 GB, the ransomware creates a new file of the same size as the original and writes the single character “?” as its content. It then acts destructively by deleting the original file and appending a random 4-character alphanumeric file extension to the new one.

Figure 12. Lucky_Gh0$t encryption function for files larger than 1.2 GB.

The victims of the Lucky_Gh0$t ransomware receive a personal ID in their ransom note.  The victims are instructed to use an encrypted messenger platform at “getsession[.]org” with a unique session ID to contact the threat actor for additional communication regarding ransom payment and decryption.

Figure 13. Lucky_Gh0$t ransom note.

Numero pretending to be an AI video creation tool

Talos recently discovered a new destructive malware in the wild that we call “Numero,” designed to imitate the installer of the AI video creation tool InVideo AI. InVideo AI is an online platform widely used for marketing videos, social media content, explainer videos, and presentations. The threat actor impersonates the product and company names in the malicious file’s metadata.

Figure 14. A fake installer execution flow running the payload Numero.

The phony installer is a dropper containing a malicious Windows batch file, a VB script, and the Numero executable with the file name “wintitle.exe.” When the victim launches the phony installer, the malicious components are dropped into a folder under the temporary application folder of the local user profile. The dropped Windows batch file is then executed through the Windows shell and runs indefinitely. It first launches the Numero executable, then uses cscript to run the VB script, which pauses execution for 60 seconds.

Once the pause ends, the batch file terminates the Numero process and continues its execution. Because the batch file contains an infinite loop, Numero is relaunched and runs continually on the victim’s computer.

Figure 15. Malicious Windows BAT loader.

Numero’s behavior is consistent with malware that manipulates Windows GUI components. Numero was compiled on January 24, 2025, and is a 32-bit Windows executable written in C++.

To evade analysis, Numero checks for running processes belonging to several malware analysis tools and debuggers, such as IDA, x64 debugger, x32 debugger, ollydbg, scylla, windbg, reshacker, ImportREC, Immunity debugger, Zeta debugger, and Rock debugger.

Figure 16. Snippet of the Numero function and the malicious thread.

Numero creates a thread and runs it indefinitely. Using the Windows APIs GetDesktopWindow, EnumChildWindows, and SendMessageW, the thread code interacts with the Windows GUI and modifies the victim’s desktop window. It continuously inspects the victim machine’s desktop window and enumerates the child windows created there. Numero corrupts the victim’s computer to the point that it is unusable by overwriting window titles, buttons, and contents with the numeric string “1234567890.”

Figure 17. Corrupted Windows Run terminal.

Coverage

The following is a list of ways our customers can detect and block this threat.


Indicators of Compromise

IOCs for this threat can be found in our GitHub repository here.

Do You Want To Start A Career in Cybersecurity? | Join Craw Security

Craw Security, which is the sister vertical of News4Hackers, believes in delivering only quality cybersecurity best practices under the prime supervision of world-class cybersecurity professionals with the best of experiences throughout the nation.  In case someone wishes to start a fantastic career in cybersecurity under the prime observation of superb training professionals, one can quickly apply for the demo session and book a seat in the upcoming recent batches at Craw Security’s international-standard institutional branches at Saket and Laxmi Nagar in Delhi NCR.  To do so, an interested person can nicely call +91-9513805401 and have a word with our fantastic group of study consultants with many years of expertise.

Our counselors will guide you through every query you have in your mind and provide you with the best piece of career counseling advice.  Thus, rather than waiting for more time, you may call us at your earliest convenience to book a demo session at the given number, +91-9513805401.
