Fake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero.
“CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim’s system,” Cisco Talos researcher Chetan Raghuprasad said in a report published today. “Lucky_Gh0$t ransomware is yet another variant of the Yashma ransomware, which is the sixth iteration of the Chaos ransomware series, featuring only minor modifications to the ransomware binary.”
Numero, on the other hand, is a destructive malware that impacts victims by manipulating the graphical user interface (GUI) components of their Windows operating system, thereby rendering the machines unusable.
The cybersecurity company said the legitimate versions of the AI tools are popular in the business-to-business (B2B) sales domain and the marketing sector, suggesting that individuals and organizations in these industries are the primary focus of the threat actors behind the campaign.
One such fake AI solution website is “novaleadsai[.]com,” which likely impersonates a lead monetization platform called NovaLeads. It’s suspected that the website is promoted via search engine optimization (SEO) poisoning techniques to artificially boost its rankings in online search engines.
Users are then urged to download the product with the promise of free access for the first year and a $95 monthly subscription thereafter. What is actually downloaded is a ZIP archive containing a .NET executable (“NovaLeadsAI.exe”) that was compiled on February 2, 2025, the same day the bogus domain was registered. The binary acts as a loader that deploys the PowerShell-based CyberLock ransomware.
If it is not already running with administrative privileges, the ransomware attempts to escalate and re-launch itself as administrator. It then encrypts files on the “C:\,” “D:\,” and “E:\” volumes whose extensions match a hard-coded list, and drops a ransom note demanding that $50,000 in Monero be paid into two wallets within three days.
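The match between the binary's compile date and the domain's registration date is a triage check worth automating. The following Python is an added example, not Talos's tooling or the page's own code: it reads the TimeDateStamp field straight out of the PE file header, checks whether the value is a plausible timestamp at all, and compares the compile day with a domain-creation date. The header bytes are a constructed stand-in (just enough MZ/PE structure to carry a timestamp, not a runnable executable), and the domain date is taken from the article. One caveat the check must handle: SDK-style .NET projects build deterministically by default, in which case this field holds a content hash rather than a time, so an out-of-range value means "not a timestamp" rather than "built in 2077".

```python
import struct
from datetime import date, datetime, timezone
from typing import Optional


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed sample: a DOS stub plus PE signature and IMAGE_FILE_HEADER, nothing more."""
    dos = bytearray(64)                      # IMAGE_DOS_HEADER is 64 bytes
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE signature directly after the DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (x86, 1 section, EXE|32BIT)
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + file_header


def pe_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp from IMAGE_FILE_HEADER (seconds since the Unix epoch, or a hash)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # TimeDateStamp sits 8 bytes past the signature, after Machine and NumberOfSections
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_is_plausible(ts: int, now: Optional[datetime] = None) -> bool:
    """Reject values that cannot be real build times (deterministic-build hashes usually land here)."""
    now = now or datetime.now(timezone.utc)
    earliest = datetime(1995, 1, 1, tzinfo=timezone.utc).timestamp()
    return earliest <= ts <= now.timestamp()


def compiled_same_day_as_domain(data: bytes, domain_created: date) -> bool:
    """True when the PE compile day (UTC) equals the domain registration day."""
    ts = pe_timestamp(data)
    if not timestamp_is_plausible(ts):
        return False                          # hash, not a time: no timeline claim can be made
    return datetime.fromtimestamp(ts, tz=timezone.utc).date() == domain_created


# Constructed inputs: the article's dates, a plausible build time, and a hash-like field value.
NOVA_DOMAIN_CREATED = date(2025, 2, 2)
SAMPLE_TS = int(datetime(2025, 2, 2, 14, 30, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = build_minimal_pe(SAMPLE_TS)
HASHLIKE_PE = build_minimal_pe(0xC9E3F1A7)   # far in the future: treated as a hash

if __name__ == "__main__":
    print("same-day build/registration:", compiled_same_day_as_domain(SAMPLE_PE, NOVA_DOMAIN_CREATED))
    print("hash-like timestamp plausible:", timestamp_is_plausible(pe_timestamp(HASHLIKE_PE)))
```

On a real sample, replace `SAMPLE_PE` with the file's bytes; the domain creation date comes from WHOIS/RDAP and is never taken from the binary itself.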
In an interesting twist, the threat actor goes on to claim in the ransom note that the payments will be allocated to support women and children in Palestine, Ukraine, Africa, Asia, and other regions where “injustices are a daily reality.”
[Figure: File extensions targeted by CyberLock ransomware]
“We ask you to consider that this amount is small in comparison to the innocent lives that are being lost, especially children who pay the ultimate price,” the note states. “Unfortunately, we have concluded that many are not willing to act voluntarily to help, which makes this the only possible solution.”
The last step involves the threat actor running the living-off-the-land binary (LoLBin) “cipher.exe” with the “/w” option, which overwrites all unused (deallocated) space on the volume so that previously deleted files cannot be recovered forensically. Because “cipher.exe /w” is almost never run interactively by ordinary users, a process-creation event for cipher.exe with that switch is a high-signal detection on its own.
Talos said it also observed a threat actor distributing the Lucky_Gh0$t ransomware under the guise of a fake installer for a premium version of ChatGPT.
“The malicious SFX installer included a folder that contained the Lucky_Gh0$t ransomware executable with the filename ‘dwn.exe,’ which imitates the legitimate Microsoft executable ‘dwm.exe,’” Raghuprasad said. “The folder also contained legitimate Microsoft open-source AI tools that are available on their GitHub repository for developers and data scientists working with AI, particularly within the Azure ecosystem.”
Should the victim run the malicious SFX installer, the SFX script executes the ransomware payload. A Yashma ransomware variant, Lucky_Gh0$t encrypts files smaller than roughly 1.2GB, but only after deleting volume shadow copies and backups.
The ransom note dropped at the end of the attack includes a unique personal decryption ID and instructs victims to contact the attackers via the Session messaging app to pay the ransom and obtain a decryptor.
Last but not least, threat actors are also cashing in on the growing use of AI tools to seed the online landscape with a counterfeit installer for InVideo AI, an AI-powered video creation platform, to deploy a destructive malware codenamed Numero.
The fraudulent installer serves as a dropper containing three components: a Windows batch file, a VBScript file, and the Numero executable. When the installer is launched, the batch file runs through the Windows shell in an infinite loop: each iteration executes Numero, then pauses for 60 seconds by running the VBScript via cscript.
“After resuming the execution, the batch file terminates the Numero malware process and restarts its execution,” Talos said. “By implementing the infinite loop in the batch file, the Numero malware is continuously run on the victim machine.”
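The three behaviours described on this page that leave process-creation telemetry (the cmd.exe loop that keeps relaunching Numero and sleeping via cscript, CyberLock's “cipher.exe /w” free-space wipe, and Lucky_Gh0$t's shadow-copy deletion) can be caught with a few rules over Sysmon Event ID 1-style records. The Python below is an added example, not a Talos detection or code from the page: the events are constructed, the payload file name, the “sleep.vbs” script and the use of taskkill are hypothetical stand-ins for the batch loop the article describes, and the vssadmin/wmic shadow-copy command lines are the common ransomware patterns, not commands the article itself quotes. The loop rule is deliberately generic (the same cmd.exe parent launching the same child binary repeatedly within a window) so it does not depend on the malware's file name.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1-style records (hypothetical, not Talos telemetry).
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c run.bat"},
]
for cycle in range(3):                      # three iterations of the restart loop, ~60 s apart
    base = 1 + cycle * 62
    SAMPLE_EVENTS += [
        {"ts": base, "pid": 1101 + cycle * 3, "ppid": 1100,
         "image": r"C:\Users\u\AppData\Local\Temp\payload.exe", "cmd": "payload.exe"},
        {"ts": base + 1, "pid": 1102 + cycle * 3, "ppid": 1100,
         "image": r"C:\Windows\System32\cscript.exe", "cmd": "cscript.exe //nologo sleep.vbs"},
        {"ts": base + 61, "pid": 1103 + cycle * 3, "ppid": 1100,
         "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /F /IM payload.exe"},
    ]
SAMPLE_EVENTS += [
    {"ts": 300, "pid": 2000, "ppid": 1900, "image": r"C:\Windows\System32\cipher.exe",
     "cmd": "cipher.exe /w:C:\\"},                                   # free-space wipe
    {"ts": 301, "pid": 2001, "ppid": 1900, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},              # assumed shadow-copy deletion
    {"ts": 400, "pid": 3000, "ppid": 2900, "image": r"C:\Windows\System32\cipher.exe",
     "cmd": "cipher.exe /e C:\\Users\\u\\Documents"},                # benign EFS use, must not fire
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_free_space_wipe(ev: dict) -> bool:
    """cipher.exe invoked with /w (wipe free space); /e, /d and friends are ignored."""
    return basename(ev["image"]) == "cipher.exe" and \
        re.search(r"(?i)(^|\s)/w(:|\s|$)", ev["cmd"]) is not None


SHADOW_PATTERNS = [
    ("vssadmin.exe", r"(?i)delete\s+shadows"),
    ("wmic.exe", r"(?i)shadowcopy\s+delete"),
]


def rule_shadow_copy_deletion(ev: dict) -> bool:
    b = basename(ev["image"])
    return any(b == exe and re.search(pat, ev["cmd"]) for exe, pat in SHADOW_PATTERNS)


def rule_restart_loop(events: list, min_cycles: int = 3, window: int = 600) -> list:
    """Flag (parent pid, child name) when a cmd.exe parent launches the same child
    min_cycles or more times within window seconds: the batch-loop signature."""
    parents = {ev["pid"]: ev for ev in events}
    launches = defaultdict(list)
    for ev in events:
        parent = parents.get(ev["ppid"])
        if parent and basename(parent["image"]) == "cmd.exe":
            launches[(ev["ppid"], basename(ev["image"]))].append(ev["ts"])
    hits = []
    for (ppid, child), times in launches.items():
        times.sort()
        for i in range(len(times) - min_cycles + 1):
            if times[i + min_cycles - 1] - times[i] <= window:
                hits.append((ppid, child))
                break
    return hits


def detect(events: list) -> list:
    """Run all rules and return sorted (rule, pid) findings."""
    findings = []
    for ev in events:
        if rule_free_space_wipe(ev):
            findings.append(("free_space_wipe", ev["pid"]))
        if rule_shadow_copy_deletion(ev):
            findings.append(("shadow_copy_deletion", ev["pid"]))
    for ppid, child in rule_restart_loop(events):
        findings.append(("restart_loop:" + child, ppid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

In production the loop rule should be scoped to children outside System32 or to a short window (Numero restarts every minute), otherwise legitimate scheduled batch jobs that call the same utility repeatedly will also match.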
Numero, a 32-bit Windows executable written in C++ and compiled on January 24, 2025, checks the running processes for malware analysis tools and debuggers, and then overwrites the desktop window’s title, buttons, and contents with the numeric string “1234567890.”
The disclosure comes as Google-owned Mandiant revealed details of a malvertising campaign that utilizes malicious ads on Facebook and LinkedIn to redirect users to fake websites impersonating legitimate AI video generator tools like Luma AI, Canva Dream Lab, and Kling AI, among others.
The activity, which Morphisec and Check Point also documented earlier this month, has been attributed to a threat cluster the tech giant tracks as UNC6032, which is assessed to have a Vietnam nexus. The campaign has been active since at least mid-2024.
The attack unfolds as follows: unsuspecting users who land on these websites are instructed to enter a prompt to generate a video. As previously observed, the input is irrelevant; the website’s real purpose is to initiate the download of a Rust-based dropper called STARKVEIL.
“[STARKVEIL] drops three different modular malware families, primarily designed for information theft and capable of downloading plugins to extend their functionality,” Mandiant said. “The presence of multiple, similar payloads suggests a fail-safe mechanism, allowing the attack to persist even if some payloads are detected or blocked by security defences.”
The three malware families are:
- GRIMPULL, a downloader that uses a TOR tunnel to fetch additional .NET payloads that are decrypted, decompressed, and loaded into memory as .NET assemblies
- FROSTRIFT, a .NET backdoor that collects system information, details about installed applications, and scans for 48 extensions related to password managers, authenticators, and cryptocurrency wallets on Chromium-based web browsers
- XWorm, a known .NET-based remote access trojan (RAT) with features like keylogging, command execution, screen capture, information gathering, and victim notification via Telegram
STARKVEIL also serves as a conduit for a Python-based dropper codenamed COILHATCH, which launches the three payloads above via DLL side-loading.
“These AI tools no longer target just graphic designers; anyone can be lured in by a seemingly harmless ad,” Mandiant said. “The temptation to try the latest AI tool can lead to anyone becoming a victim.”