
The EvilAI campaign exploits trusted applications to spread malicious software

Hackers use legitimate-looking software to steal data


Agencias

  • September 30, 2025
  • Updated: September 30, 2025 at 2:02 PM

Threat actors have begun using seemingly legitimate artificial intelligence tools to distribute malware, affecting various industries such as manufacturing, government, and health in countries like the U.S., India, and several European nations. This campaign, known as EvilAI, is an active and evolving effort in which attackers disguise malicious software as productivity tools or AI-enhanced applications.

The great danger for all types of organizations

Cybercriminals use professional interfaces and valid digital signatures to make these applications appear legitimate, making it difficult for users and security tools to detect them. Among the distributed programs are AppSuite, Epi Browser, and PDF Editor, which act as vehicles to conduct extensive reconnaissance and exfiltrate sensitive data from the victims’ browsers.

The propagation techniques are diverse and include newly registered websites that mimic vendor portals, malicious advertising, and SEO manipulation to promote download links on forums and social media. Some attacks have been facilitated by code-signing certificates issued to companies in Panama and Malaysia, and it has been documented that the malware's developers have used multiple certificates over the years to keep their software appearing legitimate.

Recent investigations have revealed that the actors behind applications like OneStart and ManualFinder share the same server infrastructure, suggesting a malware-as-a-service model. Additionally, advanced techniques such as Unicode encoding and the use of the NeutralinoJS framework are being employed to conceal malicious activities and evade detection.

This combination of camouflage and evasion capabilities has allowed the attackers to gain access to systems, raising alarms about the growing sophistication of digital threats and their exploitation of user trust.
