EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks

    Date: 09/12/2025

    Severity: High

    Summary

    EvilAI disguises itself as legitimate productivity or AI tools, using professional-looking interfaces and valid digital signatures to evade detection. It has spread globally, with the greatest impact seen in Europe, the Americas, and the AMEA region. Targeted sectors include manufacturing, government/public services, and healthcare. The malware exfiltrates browser data and communicates with its command-and-control servers over AES-encrypted channels. The team mitigates EvilAI threats by blocking the IOCs listed below and providing customers with threat hunting queries and intelligence.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://9mdp5f.com

    https://5b7crp.com

    https://mka3e8.com

    https://y2iax5.com

    https://abf26u.com

    Hashes (SHA-256):

    8ecd3c8c126be7128bf654456d171284f03e4f212c27e1b33f875b8907a7bc65

    49a4442e73521ecca8e56eb6dbc33f31eb7cfa5e62a499e552bcd29a29d79d8a

    b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983

    cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c

    ad0655b17bbdbd8a7430485a10681452be94f5e6c9c26b8f92e4fcba291c225a

    95001359fb671d0e6d97f37bd92642cc993e517d2307f373bfa9893639f1a2bc

    9f369e63b773c06588331846dd247e48c4030183df191bc53d341fcc3be68851

    cf45ab681822d0a4f3916da00abd63774da58eb7e7be756fb6ec99c2c8cca815

    ce834dca38aeac100f853d79e77e3f61c12b9d4da48bb0a949d0a961bf9c0a27

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "https://5b7crp.com" or url like "https://5b7crp.com" or siteurl like "https://5b7crp.com" or domainname like "https://abf26u.com" or url like "https://abf26u.com" or siteurl like "https://abf26u.com" or domainname like "https://y2iax5.com" or url like "https://y2iax5.com" or siteurl like "https://y2iax5.com" or domainname like "https://mka3e8.com" or url like "https://mka3e8.com" or siteurl like "https://mka3e8.com" or domainname like "https://9mdp5f.com" or url like "https://9mdp5f.com" or siteurl like "https://9mdp5f.com" 

    Hashes (SHA-256):

    sha256hash IN ("cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c","b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983","cf45ab681822d0a4f3916da00abd63774da58eb7e7be756fb6ec99c2c8cca815","49a4442e73521ecca8e56eb6dbc33f31eb7cfa5e62a499e552bcd29a29d79d8a","8ecd3c8c126be7128bf654456d171284f03e4f212c27e1b33f875b8907a7bc65","ad0655b17bbdbd8a7430485a10681452be94f5e6c9c26b8f92e4fcba291c225a","9f369e63b773c06588331846dd247e48c4030183df191bc53d341fcc3be68851","95001359fb671d0e6d97f37bd92642cc993e517d2307f373bfa9893639f1a2bc","ce834dca38aeac100f853d79e77e3f61c12b9d4da48bb0a949d0a961bf9c0a27")
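    The TDIR queries above compare log fields against the scheme-prefixed URL strings and the exact SHA-256 values from the IOC list. Many log sources populate a domain field with the bare host name rather than a full URL, and hash fields are often upper-case, so an analyst replaying these indicators over raw logs usually normalizes both sides first. The script below is an added example (not Gurucul's TDIR code): it carries the five domains and nine hashes published on this page, normalizes URLs and domain fields to a lower-case host name, also flags subdomains of the listed domains, and runs the match over a handful of constructed key=value log records that do not follow any real product's schema.

```python
"""Match the EvilAI IOCs published on this page against sample log records.

Added example: this is not Gurucul's TDIR code. The indicator values are the
ones listed on this page; the log records below are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Domains from the IOC list above, stored as bare host names so that a record
# carrying either a full URL or just a domain field can be matched.
EVILAI_DOMAINS = {
    "9mdp5f.com",
    "5b7crp.com",
    "mka3e8.com",
    "y2iax5.com",
    "abf26u.com",
}

# SHA-256 hashes from the IOC list above (lower-case for comparison).
EVILAI_SHA256 = {
    "8ecd3c8c126be7128bf654456d171284f03e4f212c27e1b33f875b8907a7bc65",
    "49a4442e73521ecca8e56eb6dbc33f31eb7cfa5e62a499e552bcd29a29d79d8a",
    "b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983",
    "cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c",
    "ad0655b17bbdbd8a7430485a10681452be94f5e6c9c26b8f92e4fcba291c225a",
    "95001359fb671d0e6d97f37bd92642cc993e517d2307f373bfa9893639f1a2bc",
    "9f369e63b773c06588331846dd247e48c4030183df191bc53d341fcc3be68851",
    "cf45ab681822d0a4f3916da00abd63774da58eb7e7be756fb6ec99c2c8cca815",
    "ce834dca38aeac100f853d79e77e3f61c12b9d4da48bb0a949d0a961bf9c0a27",
}


def normalize_host(value: str) -> str:
    """Reduce a URL or bare host string to a lower-case host name.

    'https://5B7CRP.com:443/update' -> '5b7crp.com'
    'cdn.abf26u.com'                -> 'cdn.abf26u.com'
    """
    value = value.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    else:
        # A bare host may still carry a port or a path fragment.
        value = value.split("/", 1)[0].split(":", 1)[0]
    return value.rstrip(".")


def host_matches(host: str) -> bool:
    """True if the host is an IOC domain or a subdomain of one."""
    host = normalize_host(host)
    return any(host == d or host.endswith("." + d) for d in EVILAI_DOMAINS)


def hash_matches(digest: str) -> bool:
    """True if the (case-insensitive) SHA-256 value is in the IOC list."""
    return digest.strip().lower() in EVILAI_SHA256


# Constructed sample records in a simple key=value format (not a real product's schema).
SAMPLE_LOGS = [
    "ts=2025-09-12T10:01:03Z src=10.0.4.21 url=https://5b7crp.com/api/v1/sync",
    "ts=2025-09-12T10:02:11Z src=10.0.4.22 url=https://docs.python.org/3/",
    "ts=2025-09-12T10:03:45Z src=10.0.4.21 domainname=cdn.abf26u.com",
    "ts=2025-09-12T10:05:00Z host=WS-117 sha256hash=CB15E1EC1A472631C53378D54F2043BA57586E3A28329C9DBF40CB69D7C10D2C",
    "ts=2025-09-12T10:06:30Z host=WS-118 sha256hash=0000000000000000000000000000000000000000000000000000000000000000",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def scan_record(line: str) -> list:
    """Return (field, indicator) pairs that matched for one record."""
    hits = []
    for field, value in KV_RE.findall(line):
        # The same three fields the TDIR domain query inspects.
        if field in ("url", "domainname", "siteurl") and host_matches(value):
            hits.append((field, normalize_host(value)))
        elif field == "sha256hash" and hash_matches(value):
            hits.append((field, value.lower()))
    return hits


def scan_logs(lines) -> dict:
    """Return {record_index: hits} for every record with at least one IOC match."""
    return {i: h for i, line in enumerate(lines) if (h := scan_record(line))}


if __name__ == "__main__":
    for i, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"record {i}: {hits}")
```

    Because the match is done on the normalized host, a record that logs only `domainname=5b7crp.com` is caught even though it never contains the `https://` prefix the query string uses, and the suffix check catches hosts under the listed domains without matching unrelated names that merely end in the same characters.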

    Reference:

    https://www.trendmicro.com/en_us/research/25/i/evilai.html


    Tags

    Malware, EvilAI, Fake software, Europe, America, Government Services and Facilities, Critical Manufacturing, Healthcare and Public Health, AMEA, Exfiltration

