
EvilAI Malware Campaign Targets Global Organizations with AI-Enhanced Stealth Tactics


Summary


A threat actor is using AI-enhanced malware to infiltrate organizations worldwide. The campaign, dubbed EvilAI, has infected hundreds of victims across multiple sectors, including manufacturing, government, and healthcare. The malware is concealed within seemingly legitimate productivity and AI-enhanced apps, leveraging digital signatures and realistic features to avoid detection. The malware performs extensive reconnaissance and attempts to disable security products, setting the stage for future attacks. The malware is distributed through malicious advertisements and promoted links on search engines and social media. Once installed, it remains persistent on compromised systems and uses obfuscation techniques to evade detection. The campaign is ongoing and evolving, with new apps and tactics being deployed rapidly.

Timeline

  1. 11.09.2025 21:37: EvilAI Malware Campaign Targets Global Organizations with AI-Enhanced Stealth Tactics


Information Snippets

  • The EvilAI campaign has infected organizations in the US, India, the UK, Germany, France, Brazil, and other regions.

    First reported: 11.09.2025 21:37
  • The malware is concealed within apps such as App Suite, Epi Browser, JustAskJacky, Manual Finder, and Tampered Chef.

  • The apps feature realistic and functional interfaces to appear legitimate.

  • The malware uses AI-generated code to evade antivirus and threat detection tools.

  • The apps are digitally signed with certificates from newly registered entities.

  • The malware performs extensive reconnaissance and attempts to disable security products from Bitdefender, Kaspersky, and Fortinet.

  • The malware uses obfuscation techniques such as control flow flattening and anti-analysis loops.

  • The malware is distributed through malicious advertisements and promoted links on search engines and social media.

  • The malware remains persistent on compromised systems using scheduled task triggers and registry manipulation.

  • The campaign is ongoing and evolving, with new apps and tactics being deployed rapidly.

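Two of the snippets above describe traits a defender can hunt for directly: persistence through scheduled tasks and registry Run keys, and binaries signed with certificates from newly registered entities. The following PowerShell script is an added triage example, not code from CyberHappenings or from the cited report. It enumerates scheduled-task actions and Run/RunOnce values on the local host, resolves each to an executable, and flags those whose Authenticode signature is valid but whose signer certificate was issued only recently. The 30-day threshold and the regex-based executable extraction are constructed heuristics of this example and not values from the page.

```powershell
# Added hunting example (assumptions: elevated Windows PowerShell 5.1 or later,
# run on the host being triaged). A valid signature from a certificate issued
# within $MaxCertAgeDays is treated as worth a closer look, not as proof of
# compromise; the threshold is a constructed heuristic.
$MaxCertAgeDays = 30
$cutoff = (Get-Date).AddDays(-$MaxCertAgeDays)

function Get-ExecutablePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    # Quoted path: take the quoted token. Unquoted: take the first token
    # (an unquoted path containing spaces is a known limitation of this helper).
    if ($CommandLine -match '^\s*"([^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    if ($CommandLine -match '^\s*(\S+)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $null
}

function Test-SignerRecentlyIssued {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Unsigned or invalid binaries are a separate finding; this check targets
    # the "signed, but by a brand-new identity" pattern described in the snippets.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $false }
    return ($sig.SignerCertificate.NotBefore -gt $cutoff)
}

$findings = @()

# 1. Scheduled tasks: inspect every Exec action's target binary
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip non-Exec (COM handler) actions
        $exe = Get-ExecutablePath -CommandLine $action.Execute
        if ($exe -and (Test-SignerRecentlyIssued -Path $exe)) {
            $findings += [pscustomobject]@{
                Source = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Path   = $exe
                Signer = (Get-AuthenticodeSignature -LiteralPath $exe).SignerCertificate.Subject
            }
        }
    }
}

# 2. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $exe = Get-ExecutablePath -CommandLine ([string]$p.Value)
        if ($exe -and (Test-SignerRecentlyIssued -Path $exe)) {
            $findings += [pscustomobject]@{
                Source = 'RegistryRun'
                Name   = "$key\$($p.Name)"
                Path   = $exe
                Signer = (Get-AuthenticodeSignature -LiteralPath $exe).SignerCertificate.Subject
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it per host and review the Signer column against known vendors; a productivity or "AI" app whose signer subject matches nothing in the organization's software inventory and whose certificate is days old is the combination the snippets describe. Extending the same loop to HKU hives for all loaded profiles and to Winlogon or service ImagePath values is straightforward if your persistence coverage needs to be broader.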

Similar Happenings

HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344

A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.

WhatsApp Zero-Day Exploited in Targeted Spyware Campaign

A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against fewer than 200 users. The flaw allowed unauthorized users to process content from arbitrary URLs on targeted devices. The attacks were sophisticated and involved chaining with a separate Apple vulnerability (CVE-2025-43300) affecting iOS, iPadOS, and macOS. The vulnerability was patched in WhatsApp's messaging apps for Apple iOS and macOS. The exploit could have allowed attackers to trigger the processing of content from arbitrary URLs on a target's device, potentially leading to spyware deployment. The attacks were part of a targeted spyware campaign, with WhatsApp sending in-app threat notifications to affected users. Apple has also sent multiple threat notifications since 2021, alerting users in over 150 countries about these sophisticated attacks. Apple has introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities. The spyware market has seen an increase in U.S. investors and new entities in various countries.