CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Cybercriminals exploit Lovable vibe coding service for malicious websites

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Cybercriminals are increasingly abusing the Lovable vibe coding service to create malicious websites for phishing attacks, crypto scams, and other threats. Proofpoint researchers have identified tens of thousands of Lovable URLs involved in malicious activities since February 2025. The service, launched in late 2024, has been used to generate convincing and effective websites in minutes, lowering the barrier of entry into cybercrime. Lovable, based in Stockholm, Sweden, has been targeted by multiple campaigns leveraging its AI-powered platform to distribute MFA phishing kits, malware, and phishing kits targeting credit card and personal information. The company has responded by implementing new security protections, including Security Checker 2.0, an AI-powered platform safety program, and taking down hundreds of malicious domains. Since February, cybersecurity company Proofpoint observed tens of thousands of Lovable URLs that were delivered in email messages and were flagged as threats. Four malicious campaigns have been identified, including a large-scale operation using the phishing-as-a-service platform Tycoon, a payment and data theft campaign impersonating UPS, a cryptocurrency theft campaign impersonating Aave, and a malware delivery campaign distributing the remote access trojan zgRAT. Additionally, DPRK hackers have leveraged ClickFix-style lures to deliver BeaverTail and InvisibleFerret malware, targeting marketing and trader roles in cryptocurrency and retail sector organizations. The campaign uses a fake hiring platform web application created using Vercel to distribute the malware, which is delivered in the form of a compiled binary for Windows, macOS, and Linux systems.

Timeline

  1. 21.08.2025 01:11 1 articles · 1mo ago

    Lovable implements new security measures to combat abuse

    Lovable introduced real-time detection of malicious site creation in July and automatically scans published projects daily to spot and delete any fraud attempts. The platform blocks approximately 1,000 unique projects that violate its rules each day. In the past two weeks, Lovable's support and safety team has taken down over 300 sites that violated its policies. The company plans to introduce additional protections this fall to proactively identify and block abusive accounts on the platform.

    Show sources
    Open in new tab
  2. 21.08.2025 00:00 2 articles · 1mo ago

    Cybercriminals exploit Lovable vibe coding service for malicious websites

    Cybercriminals have been abusing the Lovable vibe coding service to create malicious websites for phishing attacks, crypto scams, and other threats. Proofpoint researchers identified tens of thousands of Lovable URLs involved in malicious activities since February 2025. The service, launched in late 2024, has been used to generate convincing and effective websites in minutes, lowering the barrier of entry into cybercrime. Lovable has responded by implementing new security protections, including Security Checker 2.0 and an AI-powered platform safety program, and taking down hundreds of malicious domains. Since February, cybersecurity company Proofpoint observed tens of thousands of Lovable URLs that were delivered in email messages and were flagged as threats. Four malicious campaigns have been identified, including a large-scale operation using the phishing-as-a-service platform Tycoon, a payment and data theft campaign impersonating UPS, a cryptocurrency theft campaign impersonating Aave, and a malware delivery campaign distributing the remote access trojan zgRAT.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Klopatra Android Trojan Conducts Nighttime Bank Transfers

A new Android Trojan named Klopatra has been identified, capable of performing unauthorized bank transfers while the device is inactive. The malware targets users in Italy and Spain, with over 3,000 devices infected. Klopatra disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. It employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. The Trojan operates during nighttime hours, draining victims' bank accounts without alerting them. Klopatra uses Accessibility Services to gain extensive control over the device, allowing attackers to simulate user interactions remotely. It captures screenshots, records screen activity, and overlays fake login screens to steal credentials. The malware checks for device inactivity and charging status before executing its operations, ensuring the victim remains unaware until the next day. The malware is operated by a Turkish-speaking criminal group as a private botnet, with 40 distinct builds discovered since March 2025. The malware integrates Virbox, a commercial-grade code protector, to obstruct reverse-engineering and analysis. It uses native libraries to reduce its Java/Kotlin footprint and employs NP Manager string encryption in recent builds. Klopatra features several anti-debugging mechanisms, runtime integrity checks, and emulator detection capabilities. The malware supports all required remote actions for performing manual bank transactions, including simulating taps, swiping, and long-pressing. Klopatra uses Cloudflare to hide its digital tracks, but a misconfiguration exposed origin IP addresses, linking the C2 servers to the same provider. The malware has been linked to two campaigns, each counting 3,000 unique infections.

Open in new tab

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

Discovery of MalTerminal Malware Leveraging GPT-4 for Ransomware and Reverse Shell

Researchers have identified MalTerminal, a malware that incorporates GPT-4 for generating ransomware code and reverse shells. This marks the earliest known instance of LLM-embedded malware. The malware was presented at the LABScon 2025 security conference. MalTerminal was likely a proof-of-concept or red team tool, never deployed in the wild. It includes Python scripts and a defensive tool called FalconShield. The use of LLMs in malware represents a new challenge for cybersecurity defenses. Additionally, threat actors are using LLMs to bypass email security layers by embedding hidden prompts in phishing emails. This technique deceives AI-powered security scanners, allowing malicious emails to reach users' inboxes. The emails exploit the Follina vulnerability (CVE-2022-30190) to deliver additional malware and disable Microsoft Defender Antivirus. AI-powered site builders are also being exploited to host fake CAPTCHA pages leading to phishing websites, stealing user credentials and sensitive information.

Open in new tab

TA558 Uses AI-Generated Scripts to Deliver Venom RAT in Brazil Hotel Attacks

TA558, tracked as RevengeHotels, has launched new attacks targeting hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts to deploy Venom RAT via phishing emails. The campaign aims to capture credit card data from guests and travelers. The threat actor has been active since 2015, focusing on hospitality and travel sectors. They have historically used various RATs and custom malware to achieve their goals. The latest campaign involves phishing emails with Portuguese and Spanish lures, leading to the download of malicious scripts and payloads. Venom RAT, based on Quasar RAT, includes features like data exfiltration, reverse proxy, and anti-kill mechanisms. It spreads via USB drives and disables Microsoft Defender Antivirus.

Open in new tab

Raven Stealer Exfiltrates Chromium Data via Telegram

Raven Stealer, a new lightweight infostealer, targets Chromium-based browsers and other applications to steal credentials and sensitive data. It uses Telegram for exfiltration, evading conventional security filters. The malware is distributed via underground forums and cracked software, posing a threat to both personal and enterprise environments. It operates with minimal user interaction and maintains a high level of operational concealment. Raven Stealer harvests cookies, autofill entries, browsing history, and other data from Chromium-based browsers like Google Chrome and Microsoft Edge. It also steals credentials from other applications and performs real-time data exfiltration via integration with a Telegram bot. The malware is promoted via a dedicated Telegram channel, integrating the chat app for command-and-control operations.

Open in new tab