EvilAI global AI/productivity-tool malware campaign
Campaign
Summary
The EvilAI campaign is using legitimate-looking AI and productivity tools to distribute malware across Europe, the Americas, and AMEA, creating broad risk of initial access, browser-data theft, and follow-on payload delivery. It has affected manufacturing, government, healthcare, technology, and retail organizations, with infections reported in India, the U.S., France, Italy, Brazil, Germany, the U.K., Norway, Spain, and Canada. The operation relies on vendor-mimicking sites, malicious ads, SEO manipulation, and social-media/forum download lures to entice installs and then maintain encrypted C2 communication.
Related Happenings
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
About this happening:
**BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...
PurpleBravo Contagious Interview campaign
Campaign
First: 21.01.2026 19:17
Last: 21.01.2026 19:17
Sources 1
About this happening:
The **North Korea-linked Contagious Interview** campaign is refining its malware stack, with **Cisco Talos** reporting that **BeaverTail** and **OtterCookie** are being merged mor...
Latest development: 22.04.2026 17:48
North Korean actor Void Dokkaebi, aka Famous Chollima, pushed the Contagious Interview fake-job campaign into a self-propagating software supply chain operation by abusing compromised developer repositories, malicious Visual Studio (VS) Code tasks, and injected code that can run during normal development activity to spread malware and steal cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. Trend Micro said the campaign also stages payloads on Tron, Aptos, and Binance Smart Chain, and in March it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool.
TamperedChef malvertising campaign distributing backdoor malware through trojanized PDFs
Campaign
First: 16.01.2026 14:05
Last: 16.01.2026 14:05
Sources 1
About this happening:
The **TamperedChef** campaign is a **malvertising** operation that used **Google ads** and **more than 50 domains** to push a fake **AppSuite PDF Editor** and deliver the **Tamper...
TamperedChef global malvertising campaign
Campaign
First: 20.11.2025 06:06
Last: 20.11.2025 06:06
Sources 1
About this happening:
The **TamperedChef** campaign is actively using **bogus installers** and **malvertising** to deliver malware, putting users searching for software downloads or product manuals at...
EvilAI malware activity spreading through fake AI apps
Malware Activity
First: 11.09.2025 21:37
Last: 11.09.2025 21:37
Sources 1
How related:
"EvilAI disguises itself as productivity or AI-enhanced tools, with professional-looking interfaces and valid digital signatures that make it difficult for users and security tools to distinguish it from legitimate software,"
About this happening:
**EvilAI** is a **global malware activity** that uses **fake AI and productivity apps** to infect organizations across **Europe, the Americas, and AMEA**. The campaign has been as...
Timeline
- 29.09.2025 19:36 · 2 articles
EvilAI campaign disclosed as global malware operation
Initial Disclosure: Trend Micro identifies EvilAI as a global malware campaign that uses seemingly legitimate AI and productivity tools such as AppSuite, Epi Browser, JustAskJacky, Manual Finder, OneStart, PDF Editor, Recipe Lister, and Tampered Chef to distribute malware across Europe, the Americas, and AMEA. The campaign targets manufacturing, government, healthcare, technology, and retail organizations, and uses lookalike vendor portals, malicious ads, SEO manipulation, and promoted download links to install stagers that establish persistence, collect browser data, and maintain AES-encrypted command-and-control communication.
Sources:
- EvilAI Malware Masquerades as AI Tools to Infiltrate Global Organizations — thehackernews.com — 29.09.2025 19:36