Date: 04/30/2026
Severity: Medium
Summary
The increasing reliance on AI has led to a surge in AI-driven tools. However, these platforms can also be exploited for malicious purposes, as demonstrated in the case of Kuse.ai. While Kuse is generally regarded as a reliable workplace solution, threat actors continuously develop new social engineering tactics. In this instance, they carried out a phishing attack using a deceptive URL along with manipulated images. This highlights the need for organizations to reinforce security awareness training and regularly remind employees that a platform’s reputation does not ensure the legitimacy of its content.
Indicators of Compromise (IOC) List
Domains/URLs :
https://onlineapp.ooraikaoo.info/?auth2=8rf22euu-2nxkebabDjjILlzldhQq2Pz
https://app.kuse.ai/sharednote/<victimcompany>%20S.L..md/shared_3049184.md
https://app.kuse.ai/sharednote/ 3049184.md
IP Address : 91.92.41.64
Hostname : onlineapp.ooraikaoo.info
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : domainname like "https://app.kuse.ai/sharednote/<%>%20S.L..md/shared_3049184.md" or url like "https://app.kuse.ai/sharednote/<%>%20S.L..md/shared_3049184.md" or siteurl like "https://app.kuse.ai/sharednote/<%>%20S.L..md/shared_3049184.md" or domainname like "https://app.kuse.ai/sharednote/" or url like "https://app.kuse.ai/sharednote/" or siteurl like "https://app.kuse.ai/sharednote/" or domainname like "3049184.md" or url like "3049184.md" or siteurl like "3049184.md"
Detection Query 2 : dstipaddress IN ("91.92.41.64") or srcipaddress IN ("91.92.41.64")
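The two TDIR queries above can be reproduced outside the Gurucul platform for teams that want to sweep proxy or firewall exports with the same IOCs. The script below is an added example written for this advisory, not Gurucul code or a supported query translation. It assumes a constructed space-separated proxy log format (timestamp, source IP, destination IP, hostname, URL); the sample lines, the victim company name "Example Corp" and the TEST-NET destination addresses are constructed for illustration. The only real indicators it carries are the IP, hostname and URL fragments listed in the IOC section. The shared-note match decodes the URL path and treats the company segment as a wildcard, which is what the `<%>` placeholder in Detection Query 1 expresses.

```python
"""Sweep a proxy log export for the Kuse.ai phishing IOCs from this advisory.

Added example; not Gurucul's own code. Log format and sample lines are constructed.
"""
import re
from urllib.parse import unquote, urlparse

# Indicators taken from the advisory's IOC list (Detection Query 1 and 2).
IOC_IPS = {"91.92.41.64"}
IOC_HOSTNAMES = {"onlineapp.ooraikaoo.info"}
KUSE_HOST = "app.kuse.ai"
# "<%>" in the vendor query is a wildcard for the victim company name; the
# "%20" in the URL is a URL-encoded space, so we match on the decoded path.
SHARED_NOTE_RE = re.compile(r"^/sharednote/[^/]+ S\.L\.\.md/shared_3049184\.md$", re.IGNORECASE)
SHARED_NOTE_ID = "3049184.md"

# Constructed sample log lines: timestamp src dst hostname url.
# Line 1 is a fetch of the deceptive URL, line 2 the Kuse shared note with a
# placeholder company name, line 3 benign traffic. 198.51.100.x / 203.0.113.x
# are documentation (TEST-NET) addresses, not real destinations.
SAMPLE_LOGS = """\
2026-04-30T09:12:01Z 10.0.0.15 91.92.41.64 onlineapp.ooraikaoo.info https://onlineapp.ooraikaoo.info/?auth2=8rf22euu-2nxkebabDjjILlzldhQq2Pz
2026-04-30T09:11:40Z 10.0.0.15 198.51.100.10 app.kuse.ai https://app.kuse.ai/sharednote/Example%20Corp%20S.L..md/shared_3049184.md
2026-04-30T09:15:22Z 10.0.0.22 203.0.113.7 www.example.com https://www.example.com/docs/note.md
"""


def check_url(url: str) -> list[str]:
    """Return the IOC reasons a single URL triggers (empty list if clean)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = unquote(parsed.path)  # "%20" -> " " so the regex sees the real path
    if host in IOC_HOSTNAMES:
        reasons.append(f"hostname IOC: {host}")
    if host == KUSE_HOST and path.startswith("/sharednote/"):
        if SHARED_NOTE_RE.match(path):
            reasons.append("kuse shared-note path matches advisory pattern")
        elif path.endswith(SHARED_NOTE_ID):
            # Weaker signal: same note id, company segment missing or altered.
            reasons.append(f"kuse shared-note id {SHARED_NOTE_ID}")
    return reasons


def check_line(line: str) -> list[str]:
    """Apply the IP, hostname and URL checks to one log line."""
    timestamp, src, dst, host, url = line.split(maxsplit=4)
    reasons = set()
    for ip in (src, dst):  # srcipaddress / dstipaddress in Detection Query 2
        if ip in IOC_IPS:
            reasons.add(f"ip IOC: {ip}")
    if host.lower() in IOC_HOSTNAMES:
        reasons.add(f"hostname IOC: {host.lower()}")
    reasons.update(check_url(url))
    return sorted(reasons)


def scan_proxy_log(text: str) -> list[tuple[int, list[str]]]:
    """Return (line_index, reasons) for every line that hits at least one IOC."""
    hits = []
    for index, line in enumerate(text.splitlines()):
        if not line.strip():
            continue
        reasons = check_line(line)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan_proxy_log(SAMPLE_LOGS):
        print(f"line {index}: {', '.join(reasons)}")
```

A hit on the deceptive `onlineapp.ooraikaoo.info` URL or on the IP is high confidence; a hit on the Kuse shared-note path only tells you a user opened that specific note, so pair it with the follow-on request to the deceptive host before escalating.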
Reference:
https://www.trendmicro.com/en_us/research/26/d/kuse-web-app-abused-to-host-phishing-document.html
https://otx.alienvault.com/pulse/69f2bd5a5c4c87a45d4c63cf