Black Hat SEO Poisoning Search Engine Results for AI to Distribute Malware

    Date: 06/30/2025

    Severity: High

    Summary

    Our researchers recently identified AI-themed websites being used to distribute malware. The threat actors behind them trade on the popularity of tools such as ChatGPT and Luma AI to lure users: the sites, many of them built on WordPress, are search-engine optimized so that they rank in search results and draw organic traffic. When a visitor lands on one of them, the page's JavaScript starts a chain of redirects that ends in a payload delivering the Vidar or Lumma information stealers or Legion Loader.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    chat-gpt-5.ai

    luma-ai.com

    krea-ai.com

    llama-2.com

    https://guildish.com/diagnostics.php

    metalsyo.digital

    ironloxp.live

    navstarx.shop

    starcloc.bet

    advennture.top

    targett.top

    spacedbv.world

    Galxnetb.today

    y.p.formaxprime.co.uk

    e.p.formaxprime.co.uk

    h.p.formaxprime.co.uk

    p.p.formaxprime.co.uk

    d.p.formaxprime.co.uk

    s.p.formaxprime.co.uk

    r.p.formaxprime.co.uk

    t.p.formaxprime.co.uk

    e.x.formaxprime.co.uk

    steamcommunity.com/profiles/76561199832267488

    Hash (MD5):

    C957ADB29755E586EE022244369C375D

    14642E8FFD81298F649E28DC046D84BB

    FFDAACB43C074A8CB9A608C612D7540B

    3583E0CC8F78FD1E65F307D2D8471AD2

    C53EAF734ECC1D81C241EA2AB030A87E

    758625D112C04C094F96AFC40EAFA894

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "advennture.top" or url like "advennture.top" or siteurl like "advennture.top"
    or domainname like "spacedbv.world" or url like "spacedbv.world" or siteurl like "spacedbv.world"
    or domainname like "Galxnetb.today" or url like "Galxnetb.today" or siteurl like "Galxnetb.today"
    or domainname like "llama-2.com" or url like "llama-2.com" or siteurl like "llama-2.com"
    or domainname like "navstarx.shop" or url like "navstarx.shop" or siteurl like "navstarx.shop"
    or domainname like "t.p.formaxprime.co.uk" or url like "t.p.formaxprime.co.uk" or siteurl like "t.p.formaxprime.co.uk"
    or domainname like "h.p.formaxprime.co.uk" or url like "h.p.formaxprime.co.uk" or siteurl like "h.p.formaxprime.co.uk"
    or domainname like "chat-gpt-5.ai" or url like "chat-gpt-5.ai" or siteurl like "chat-gpt-5.ai"
    or domainname like "ironloxp.live" or url like "ironloxp.live" or siteurl like "ironloxp.live"
    or domainname like "e.x.formaxprime.co.uk" or url like "e.x.formaxprime.co.uk" or siteurl like "e.x.formaxprime.co.uk"
    or domainname like "d.p.formaxprime.co.uk" or url like "d.p.formaxprime.co.uk" or siteurl like "d.p.formaxprime.co.uk"
    or domainname like "luma-ai.com" or url like "luma-ai.com" or siteurl like "luma-ai.com"
    or domainname like "e.p.formaxprime.co.uk" or url like "e.p.formaxprime.co.uk" or siteurl like "e.p.formaxprime.co.uk"
    or domainname like "krea-ai.com" or url like "krea-ai.com" or siteurl like "krea-ai.com"
    or domainname like "p.p.formaxprime.co.uk" or url like "p.p.formaxprime.co.uk" or siteurl like "p.p.formaxprime.co.uk"
    or domainname like "targett.top" or url like "targett.top" or siteurl like "targett.top"
    or domainname like "https://guildish.com/diagnostics.php" or url like "https://guildish.com/diagnostics.php" or siteurl like "https://guildish.com/diagnostics.php"
    or domainname like "metalsyo.digital" or url like "metalsyo.digital" or siteurl like "metalsyo.digital"
    or domainname like "starcloc.bet" or url like "starcloc.bet" or siteurl like "starcloc.bet"
    or domainname like "y.p.formaxprime.co.uk" or url like "y.p.formaxprime.co.uk" or siteurl like "y.p.formaxprime.co.uk"
    or domainname like "s.p.formaxprime.co.uk" or url like "s.p.formaxprime.co.uk" or siteurl like "s.p.formaxprime.co.uk"
    or domainname like "r.p.formaxprime.co.uk" or url like "r.p.formaxprime.co.uk" or siteurl like "r.p.formaxprime.co.uk"
    or domainname like "steamcommunity.com/profiles/76561199832267488" or url like "steamcommunity.com/profiles/76561199832267488" or siteurl like "steamcommunity.com/profiles/76561199832267488"

    Hash (MD5):

    md5hash IN ("14642E8FFD81298F649E28DC046D84BB","C957ADB29755E586EE022244369C375D","FFDAACB43C074A8CB9A608C612D7540B","3583E0CC8F78FD1E65F307D2D8471AD2","C53EAF734ECC1D81C241EA2AB030A87E","758625D112C04C094F96AFC40EAFA894")
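
For teams without Gurucul TDIR, the same hunt can be run directly over proxy or DNS logs and a file-hash inventory. The script below is an added example and is not code from the advisory, from Gurucul or from Zscaler; it uses only the IOC values listed above. The log format (timestamp,src_ip,url) and the sample log lines and hash values are constructed for the demonstration. It differs from a plain substring `like` in two ways a practitioner cares about: domain IOCs are matched on a label boundary (www.luma-ai.com hits, notluma-ai.com does not), and the two IOCs that live on shared hosts (guildish.com, steamcommunity.com) are matched on host plus path so that unrelated traffic to those sites is not flagged. Hash comparison is case-insensitive, which the mixed-case list above makes necessary.

```python
"""Hunt the advisory's IOCs in proxy/DNS logs and file-hash inventories.

Added example, not code from the advisory or from Gurucul/Zscaler. The log
format, log lines and non-IOC hash values are constructed for the demo.
"""
from urllib.parse import urlsplit

# Domain-only IOCs from the advisory, lowercased (DNS names are case-insensitive).
IOC_DOMAINS = {
    "chat-gpt-5.ai", "luma-ai.com", "krea-ai.com", "llama-2.com",
    "metalsyo.digital", "ironloxp.live", "navstarx.shop", "starcloc.bet",
    "advennture.top", "targett.top", "spacedbv.world", "galxnetb.today",
    "y.p.formaxprime.co.uk", "e.p.formaxprime.co.uk", "h.p.formaxprime.co.uk",
    "p.p.formaxprime.co.uk", "d.p.formaxprime.co.uk", "s.p.formaxprime.co.uk",
    "r.p.formaxprime.co.uk", "t.p.formaxprime.co.uk", "e.x.formaxprime.co.uk",
}

# IOCs that are only meaningful with their path: the shared host is not
# malicious by itself, so these are matched on host + path prefix.
IOC_HOST_PATHS = {
    ("guildish.com", "/diagnostics.php"),
    ("steamcommunity.com", "/profiles/76561199832267488"),
}

# MD5 hashes from the advisory, lowercased so log/inventory case does not matter.
IOC_MD5 = {h.lower() for h in (
    "C957ADB29755E586EE022244369C375D", "14642E8FFD81298F649E28DC046D84BB",
    "FFDAACB43C074A8CB9A608C612D7540B", "3583E0CC8F78FD1E65F307D2D8471AD2",
    "C53eaf734ecc1d81c241ea2ab030a87e", "758625d112c04c094f96afc40eafa894",
)}


def split_url(value):
    """Return (host, path) for a full URL or a bare hostname, host lowercased."""
    if "://" not in value:
        value = "http://" + value          # let urlsplit parse a bare domain
    parts = urlsplit(value)
    return (parts.hostname or "").lower(), parts.path or "/"


def match_domain(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Walking the labels from the left means www.luma-ai.com is a hit while
    notluma-ai.com is not, which a bare substring 'like' would flag.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def match_url(value):
    """Return the IOC (domain, or host+path string) matching a URL, else None."""
    host, path = split_url(value)
    for ioc_host, ioc_path in IOC_HOST_PATHS:
        if host == ioc_host and path.startswith(ioc_path):
            return ioc_host + ioc_path
    return match_domain(host)


def scan_proxy_log(lines):
    """Scan constructed 'timestamp,src_ip,url' lines; return one dict per hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src_ip, url = line.split(",", 2)   # URL may itself contain commas
        ioc = match_url(url)
        if ioc:
            hits.append({"time": ts, "src": src_ip, "url": url, "ioc": ioc})
    return hits


def scan_hashes(md5_values):
    """Return the sorted subset of hashes (any case) that are in IOC_MD5."""
    return sorted({h.lower() for h in md5_values} & IOC_MD5)


# Constructed sample data: only the IOC values embedded in them come from the advisory.
SAMPLE_LOG = """
2025-06-30T10:01:02Z,10.0.0.5,https://www.luma-ai.com/download
2025-06-30T10:01:09Z,10.0.0.5,https://guildish.com/diagnostics.php?x=1
2025-06-30T10:02:11Z,10.0.0.7,https://steamcommunity.com/profiles/76561199832267488
2025-06-30T10:03:00Z,10.0.0.8,https://steamcommunity.com/app/730
2025-06-30T10:04:00Z,10.0.0.9,https://notluma-ai.com/
2025-06-30T10:05:00Z,10.0.0.9,https://guildish.com/
""".splitlines()

SAMPLE_HASHES = ["c957adb29755e586ee022244369c375d",
                 "00000000000000000000000000000000"]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} -> {hit['ioc']}  ({hit['url']})")
    print("hash hits:", scan_hashes(SAMPLE_HASHES))
```

Run against the constructed sample, three of the six log lines are reported (the luma-ai.com subdomain, the guildish.com diagnostics path and the Steam profile); the unrelated Steam page, the look-alike notluma-ai.com and the bare guildish.com root are correctly left alone. The Steam profile IOC is worth a note: stealers such as Vidar and Lumma commonly use a profile page as a dead-drop to fetch the current C2 address, so a hit there is a strong indication of an already-running payload rather than of a user simply browsing Steam.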

    Reference:    

    https://www.zscaler.com/blogs/security-research/black-hat-seo-poisoning-search-engine-results-ai-distribute-malware#introduction


    Tags

    Malware, Black Hat, ChatGPT, Luma AI, Vidar, Lumma, Legion Loader
