Date: 06/30/2025
Severity: High
Summary
Our researchers recently identified AI-themed websites being used to distribute malware. Threat actors are leveraging the popularity of tools such as ChatGPT and Luma AI to lure users. These malicious sites, often built on WordPress, are optimized to rank in search engines and attract traffic. When visited, they use JavaScript to initiate redirection chains that deliver malware families such as Vidar, Lumma, and Legion Loader.
Indicators of Compromise (IOC) List
Domains/URLs:
chat-gpt-5.ai
luma-ai.com
krea-ai.com
llama-2.com
https://guildish.com/diagnostics.php
metalsyo.digital
ironloxp.live
navstarx.shop
starcloc.bet
advennture.top
targett.top
spacedbv.world
Galxnetb.today
y.p.formaxprime.co.uk
e.p.formaxprime.co.uk
h.p.formaxprime.co.uk
p.p.formaxprime.co.uk
d.p.formaxprime.co.uk
s.p.formaxprime.co.uk
r.p.formaxprime.co.uk
t.p.formaxprime.co.uk
e.x.formaxprime.co.uk
steamcommunity.com/profiles/76561199832267488
Hashes (MD5):
C957ADB29755E586EE022244369C375D
14642E8FFD81298F649E28DC046D84BB
FFDAACB43C074A8CB9A608C612D7540B
3583E0CC8F78FD1E65F307D2D8471AD2
C53eaf734ecc1d81c241ea2ab030a87e
758625d112c04c094f96afc40eafa894
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs:
domainname like "advennture.top" or url like "advennture.top" or siteurl like "advennture.top" or domainname like "spacedbv.world" or url like "spacedbv.world" or siteurl like "spacedbv.world" or domainname like "Galxnetb.today" or url like "Galxnetb.today" or siteurl like "Galxnetb.today" or domainname like "llama-2.com" or url like "llama-2.com" or siteurl like "llama-2.com" or domainname like "navstarx.shop" or url like "navstarx.shop" or siteurl like "navstarx.shop" or domainname like "t.p.formaxprime.co.uk" or url like "t.p.formaxprime.co.uk" or siteurl like "t.p.formaxprime.co.uk" or domainname like "h.p.formaxprime.co.uk" or url like "h.p.formaxprime.co.uk" or siteurl like "h.p.formaxprime.co.uk" or domainname like "chat-gpt-5.ai" or url like "chat-gpt-5.ai" or siteurl like "chat-gpt-5.ai" or domainname like "ironloxp.live" or url like "ironloxp.live" or siteurl like "ironloxp.live" or domainname like "e.x.formaxprime.co.uk" or url like "e.x.formaxprime.co.uk" or siteurl like "e.x.formaxprime.co.uk" or domainname like "d.p.formaxprime.co.uk" or url like "d.p.formaxprime.co.uk" or siteurl like "d.p.formaxprime.co.uk" or domainname like "luma-ai.com" or url like "luma-ai.com" or siteurl like "luma-ai.com" or domainname like "e.p.formaxprime.co.uk" or url like "e.p.formaxprime.co.uk" or siteurl like "e.p.formaxprime.co.uk" or domainname like "krea-ai.com" or url like "krea-ai.com" or siteurl like "krea-ai.com" or domainname like "p.p.formaxprime.co.uk" or url like "p.p.formaxprime.co.uk" or siteurl like "p.p.formaxprime.co.uk" or domainname like "targett.top" or url like "targett.top" or siteurl like "targett.top" or domainname like "https://guildish.com/diagnostics.php" or url like "https://guildish.com/diagnostics.php" or siteurl like "https://guildish.com/diagnostics.php" or domainname like "metalsyo.digital" or url like "metalsyo.digital" or siteurl like "metalsyo.digital" or domainname like "starcloc.bet" or url like "starcloc.bet" or siteurl like "starcloc.bet" or domainname like "y.p.formaxprime.co.uk" or url like "y.p.formaxprime.co.uk" or siteurl like "y.p.formaxprime.co.uk" or domainname like "s.p.formaxprime.co.uk" or url like "s.p.formaxprime.co.uk" or siteurl like "s.p.formaxprime.co.uk" or domainname like "r.p.formaxprime.co.uk" or url like "r.p.formaxprime.co.uk" or siteurl like "r.p.formaxprime.co.uk" or domainname like "steamcommunity.com/profiles/76561199832267488" or url like "steamcommunity.com/profiles/76561199832267488" or siteurl like "steamcommunity.com/profiles/76561199832267488"

Hash:
md5hash IN ("14642E8FFD81298F649E28DC046D84BB","C957ADB29755E586EE022244369C375D","FFDAACB43C074A8CB9A608C612D7540B","3583E0CC8F78FD1E65F307D2D8471AD2","C53eaf734ecc1d81c241ea2ab030a87e","758625d112c04c094f96afc40eafa894")
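For teams without the TDIR platform, the following is an added example (not Gurucul's or Zscaler's own tooling) that applies the same IOC set to proxy-log records and MD5 values. It assumes a constructed log line format of "timestamp client-ip url" and normalises case, since the advisory lists some indicators in mixed case (e.g. Galxnetb.today and two of the hashes).

```python
# Added example, not the advisory's own tooling: match constructed proxy-log
# records against the IOCs above, with case normalisation for mixed-case entries.
from urllib.parse import urlparse

# IOC values copied from the advisory; host-only entries match on hostname,
# the two entries that carry a path match on host + path.
IOC_HOSTS = {
    "chat-gpt-5.ai", "luma-ai.com", "krea-ai.com", "llama-2.com",
    "metalsyo.digital", "ironloxp.live", "navstarx.shop", "starcloc.bet",
    "advennture.top", "targett.top", "spacedbv.world", "galxnetb.today",
    "y.p.formaxprime.co.uk", "e.p.formaxprime.co.uk", "h.p.formaxprime.co.uk",
    "p.p.formaxprime.co.uk", "d.p.formaxprime.co.uk", "s.p.formaxprime.co.uk",
    "r.p.formaxprime.co.uk", "t.p.formaxprime.co.uk", "e.x.formaxprime.co.uk",
}
IOC_URLS = {"guildish.com/diagnostics.php",
            "steamcommunity.com/profiles/76561199832267488"}
IOC_MD5 = {h.lower() for h in (
    "C957ADB29755E586EE022244369C375D", "14642E8FFD81298F649E28DC046D84BB",
    "FFDAACB43C074A8CB9A608C612D7540B", "3583E0CC8F78FD1E65F307D2D8471AD2",
    "C53eaf734ecc1d81c241ea2ab030a87e", "758625d112c04c094f96afc40eafa894")}

def url_indicator(url):
    """Return the IOC a requested URL matches, or None (query string ignored)."""
    p = urlparse(url if "://" in url else "http://" + url)
    host = (p.hostname or "").lower()
    if host in IOC_HOSTS:
        return host
    return host + p.path if host + p.path in IOC_URLS else None

def hash_indicator(md5):
    """Case-insensitive MD5 lookup; the advisory lists hashes in mixed case."""
    h = md5.strip().lower()
    return h if h in IOC_MD5 else None

def scan_proxy_log(lines):
    """Constructed format per line: '<timestamp> <client-ip> <url>'."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and (ioc := url_indicator(parts[2])):
            hits.append((parts[1], ioc))
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2025-06-30T10:01:02Z 10.0.0.12 https://chat-gpt-5.ai/download",
    "2025-06-30T10:01:05Z 10.0.0.12 https://GUILDISH.com/diagnostics.php?x=1",
    "2025-06-30T10:02:11Z 10.0.0.20 https://example.org/",
    "2025-06-30T10:03:44Z 10.0.0.31 https://T.P.formaxprime.co.uk/",
]
```

scan_proxy_log(SAMPLE_LOG) flags three of the four constructed lines, including the two whose host was written in upper case.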
Reference:
https://www.zscaler.com/blogs/security-research/black-hat-seo-poisoning-search-engine-results-ai-distribute-malware#introduction