Date: 08/25/2025
Severity: High
Summary
Threat actors are increasingly leveraging an AI-powered website generation platform to create fraudulent websites used for credential phishing and malware distribution. These actors build or duplicate sites that mimic well-known brands, add CAPTCHA challenges to evade automated detection, and exfiltrate stolen credentials via Telegram. Because the platform generates a working site from a text prompt, the barrier to entry for cybercriminals has dropped significantly. One such tool, an AI-based website builder called Lovable, is being widely used by cybercriminals to host phishing, malware, and scam websites. Security teams have identified numerous campaigns that use Lovable to deploy multifactor authentication (MFA) phishing kits such as Tycoon, distribute malware such as cryptocurrency wallet drainers and loaders, and launch phishing attacks aimed at harvesting credit card details and other personal information.
Indicators of Compromise (IOC) List
Domains / URLs:
https://ups-flow-harvester.lovable.app/
https://app-54124296d32502.lovable.app/
https://captcha-office-redirect.lovable.app/
https://33eq8.oquvzop.es/CFTvqhHpUgs@x/
https://aave-reward-notification.lovable.app/
https://reward-aave.us/web3/
http://lexware-invoice-deutsch-popup.lovable.app/
http://www.dropbox.com/scl/fi/i6n7wcxpfi366wn46qngu/DE0019902001000RE.rar?rlkey=ec07od5o0p41q02cq7e3kp5iq&st=7k1wp1ao&dl=1

IP Address:
84.32.41.163
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains / URLs:
domainname like "http://www.dropbox.com/scl/fi/i6n7wcxpfi366wn46qngu/DE0019902001000RE.rar?rlkey=ec07od5o0p41q02cq7e3kp5iq&st=7k1wp1ao&dl=1" or url like "http://www.dropbox.com/scl/fi/i6n7wcxpfi366wn46qngu/DE0019902001000RE.rar?rlkey=ec07od5o0p41q02cq7e3kp5iq&st=7k1wp1ao&dl=1" or siteurl like "http://www.dropbox.com/scl/fi/i6n7wcxpfi366wn46qngu/DE0019902001000RE.rar?rlkey=ec07od5o0p41q02cq7e3kp5iq&st=7k1wp1ao&dl=1"
or domainname like "https://ups-flow-harvester.lovable.app/" or url like "https://ups-flow-harvester.lovable.app/" or siteurl like "https://ups-flow-harvester.lovable.app/"
or domainname like "https://reward-aave.us/web3/" or url like "https://reward-aave.us/web3/" or siteurl like "https://reward-aave.us/web3/"
or domainname like "http://lexware-invoice-deutsch-popup.lovable.app/" or url like "http://lexware-invoice-deutsch-popup.lovable.app/" or siteurl like "http://lexware-invoice-deutsch-popup.lovable.app/"
or domainname like "https://app-54124296d32502.lovable.app/" or url like "https://app-54124296d32502.lovable.app/" or siteurl like "https://app-54124296d32502.lovable.app/"
or domainname like "https://33eq8.oquvzop.es/CFTvqhHpUgs@x/" or url like "https://33eq8.oquvzop.es/CFTvqhHpUgs@x/" or siteurl like "https://33eq8.oquvzop.es/CFTvqhHpUgs@x/"
or domainname like "https://captcha-office-redirect.lovable.app/" or url like "https://captcha-office-redirect.lovable.app/" or siteurl like "https://captcha-office-redirect.lovable.app/"
or domainname like "https://aave-reward-notification.lovable.app/" or url like "https://aave-reward-notification.lovable.app/" or siteurl like "https://aave-reward-notification.lovable.app/"

IP Address:
dstipaddress IN ("84.32.41.163") or srcipaddress IN ("84.32.41.163")
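The same matching logic as the two queries above, written as an added, stand-alone Python check over constructed proxy log lines (this is not Gurucul's code or query language). It performs the exact URL match and the src/dst IP match the queries express, and additionally matches the hostname of each listed URL so that a listed host reached with a different path is still flagged, while the shared Dropbox host is matched on the full URL only. The key=value log format, private source addresses, timestamps and paths are assumptions.

```python
from urllib.parse import urlparse

# URL and IP indicators copied from the advisory above.
IOC_URLS = {
    "https://ups-flow-harvester.lovable.app/",
    "https://app-54124296d32502.lovable.app/",
    "https://captcha-office-redirect.lovable.app/",
    "https://33eq8.oquvzop.es/CFTvqhHpUgs@x/",
    "https://aave-reward-notification.lovable.app/",
    "https://reward-aave.us/web3/",
    "http://lexware-invoice-deutsch-popup.lovable.app/",
    "http://www.dropbox.com/scl/fi/i6n7wcxpfi366wn46qngu/DE0019902001000RE.rar"
    "?rlkey=ec07od5o0p41q02cq7e3kp5iq&st=7k1wp1ao&dl=1",
}
IOC_IPS = {"84.32.41.163"}
# Shared hosting legitimate users also reach: match the full URL only, not the host.
SHARED_HOSTS = {"www.dropbox.com"}
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS} - SHARED_HOSTS

def parse_log_line(line):
    """Parse one constructed key=value proxy log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def match_event(event):
    """Return IOC hits for one event: exact URL and src/dst IP match as in
    the advisory's queries, plus a hostname match for listed hosts."""
    hits = []
    for key in ("srcipaddress", "dstipaddress"):
        if event.get(key) in IOC_IPS:
            hits.append("ip:" + event[key])
    url = event.get("url", "")
    if url in IOC_URLS:  # `like` with no wildcard behaves as an exact match
        hits.append("url:" + url)
    host = urlparse(url).hostname  # None for an empty url field
    if host in IOC_HOSTS:
        hits.append("host:" + host)
    return hits

def scan_logs(lines):
    """Return [(line, hits)] for every line with at least one IOC hit."""
    scored = ((l, match_event(parse_log_line(l))) for l in lines)
    return [(l, h) for l, h in scored if h]

# Constructed proxy log lines; source IPs, timestamps and paths are invented.
SAMPLE_LOGS = [
    "ts=2025-08-25T10:01:02Z srcipaddress=10.0.0.5 dstipaddress=203.0.113.7 "
    "url=https://captcha-office-redirect.lovable.app/",
    "ts=2025-08-25T10:03:11Z srcipaddress=10.0.0.6 dstipaddress=84.32.41.163 "
    "url=https://33eq8.oquvzop.es/CFTvqhHpUgs@x/login",
    "ts=2025-08-25T10:05:40Z srcipaddress=10.0.0.7 dstipaddress=203.0.113.9 "
    "url=https://www.dropbox.com/scl/fi/example/report.pdf?dl=0",
]
```

Running `scan_logs(SAMPLE_LOGS)` flags the first two lines (the second only because of the IP and hostname checks, since its path differs from the listed URL) and leaves the unrelated Dropbox download alone.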
Reference:
https://www.proofpoint.com/us/blog/threat-insight/cybercriminals-abuse-ai-website-creation-app-phishing