Cybercriminals are exploiting the growing demand for artificial intelligence solutions by disguising ransomware within legitimate-looking AI business tools, according to recent security research.
This emerging threat specifically targets small businesses and entrepreneurs seeking to integrate AI capabilities into their operations, creating a dangerous intersection between innovation adoption and cyber threats.
The sophisticated campaigns discovered by security researchers involve malware hidden behind software packages that mimic popular services including ChatGPT, Nova Leads, and InVideo AI.
These attacks pose a dual threat by not only compromising sensitive business data and financial assets but also undermining trust in legitimate AI market solutions, potentially slowing business adoption of beneficial technologies.
Malwarebytes analysts identified several distinct attack patterns within these campaigns, revealing the calculated nature of these operations.
The threat actors have demonstrated particular sophistication in their approach, utilizing search engine optimization poisoning techniques to ensure their malicious websites rank prominently in relevant search results, making them more likely to deceive unsuspecting victims.
In one notable case, cybercriminals created a counterfeit website closely resembling Nova Leads, a legitimate lead monetization service, offering a fake “Nova Leads AI” product with supposed free access for twelve months.
When users downloaded this software, the CyberLock ransomware was deployed instead, demanding $50,000 in cryptocurrency while falsely claiming the payments would support humanitarian causes in Palestine, Ukraine, and other regions.
Similarly, attackers distributed Lucky_Gh0$t ransomware through a file labeled “ChatGPT 4.0 full version – Premium.exe,” which contained legitimate Microsoft open-source AI tools as an evasion technique.
Infection Mechanism Analysis
The technical execution of these attacks reveals sophisticated social engineering combined with advanced evasion techniques.
The fake ChatGPT installer particularly demonstrates this complexity by incorporating authentic Microsoft AI tools within the malicious package, creating a hybrid executable that can bypass traditional antivirus detection methods.
This approach allows the ransomware to establish persistence while appearing legitimate during initial security scans, highlighting the evolving sophistication of modern ransomware distribution mechanisms.
Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests
Source: cybersecuritynews.com
