EvilAI malware activity spreading through fake AI apps
Malware Activity
Summary
EvilAI is a global malware activity that uses fake AI and productivity apps to infect organizations across Europe, the Americas, and AMEA. The campaign has been associated with TamperedChef, which Acronis says is part of a broader set of attacks using AI-related lures and bogus installers to spread malware. Recent reporting says the activity remains ongoing, with new artifacts still being detected and associated infrastructure still active. The operators use malicious ads, SEO manipulation, abused digital certificates, and scheduled-task-launched obfuscated JavaScript backdoors to establish persistence and enable remote access, with infections concentrated in the U.S. and additional activity in Israel, Spain, Germany, India, and Ireland. The malware family has been observed using code-signing certificates issued to shell companies in the U.S., Panama, and Malaysia to make counterfeit installers appear legitimate. Once users search for software or manuals, they may be routed from search results or poisoned links to booby-trapped domains, where the installer drops a task that launches the backdoor in the background. The reported objectives remain mixed, including advertising fraud, possible resale of access, and potential data theft for underground monetization. Healthcare, construction, and manufacturing are described as the most affected sectors.
Related Happenings
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources: 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
ABCDoor backdoor activity in Silver Fox attacks
Malware Activity
First: 04.05.2026 14:35
Last: 04.05.2026 14:35
Sources: 1
About this happening:
The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources: 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
Vulnerability
First: 20.04.2026 16:01
Last: 20.04.2026 16:01
Sources: 1
About this happening:
The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources: 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Timeline
11.09.2025 21:37 · 4 articles
Trend Micro discloses EvilAI malware campaign
Initial Disclosure
Trend Micro identifies the EvilAI malware campaign, which uses legitimate-looking AI and productivity apps to infect organizations across manufacturing, government, healthcare, and other sectors in the US, India, the UK, Germany, France, Brazil, and beyond. The malicious apps use names such as App Suite, Epi Browser, JustAskJacky, Manual Finder, Tampered Chef, and Recipe Maker and rely on digital signatures from newly registered entities. They are designed to evade detection while carrying out reconnaissance, terminating Microsoft Edge and Chrome, attempting to disable Bitdefender, Kaspersky, and Fortinet products, and maintaining persistence through scheduled tasks, registry manipulation, obfuscation, and encrypted C2 communication, acting as a stager for future payloads.
Sources:
- AI-Enhanced Malware Sports Super-Stealthy Tactics — www.darkreading.com — 11.09.2025 21:37
- EvilAI Malware Masquerades as AI Tools to Infiltrate Global Organizations — thehackernews.com — 29.09.2025 19:36
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06