AI-Generated Code and Fake Apps Used for Far-Reaching Attacks
Essential information
- Published
- 12/09/2025 07:38
- Modified
- 12/09/2025 08:32
- Tags
- 2025-09-12, ai-generated code, command and control, credential-theft, evilai, fake applications, node.js, obfuscation, persistence, trojan
- Related entities
- 14 observables, 1 intrusion set (apt), 7 techniques (mitre), 1 malware, 19 others
Description
A new malware campaign called EvilAI is spreading globally by disguising itself as legitimate AI-enhanced productivity tools. The malware uses AI-generated code and professional interfaces to evade detection, targeting organizations across sectors like manufacturing, government, and healthcare. It exploits Node.js to execute malicious JavaScript, establishes persistence through scheduled tasks and registry modifications, and communicates with command-and-control servers using encrypted channels. EvilAI enumerates installed software, terminates browser processes, and duplicates credential data. It employs sophisticated obfuscation and anti-analysis techniques to hinder reverse engineering. The malware acts as an initial access vector, potentially deploying additional payloads. This campaign highlights how AI is being weaponized to create increasingly stealthy and adaptive malware threats.
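The report describes persistence through scheduled tasks and registry modifications, with a Node.js runtime launching the malicious JavaScript. A defender can triage a host for exactly that pattern by reviewing what each scheduled task and each Run-key value actually executes. The following script is an added example and is not part of the report or the EvilAI campaign: it parses the CSV that `schtasks /query /fo CSV /v` prints (using its real "TaskName", "Author" and "Task To Run" columns) and the indented `Name    REG_SZ    value` lines that `reg query` prints for a Run key, then flags any entry whose command invokes `node.exe` or points at a `.js` file. The embedded outputs, task names, paths and the `ExampleAITool` program name are constructed for illustration.

```python
"""Triage scheduled tasks and Run keys for Node.js-launched persistence.

Added example for the EvilAI report, not code from the report itself. It parses
constructed samples of `schtasks /query /fo CSV /v` and `reg query ...\\Run`
output; on a real host, capture those commands' output and feed it to hunt().
"""
import csv
import io
import re

# A command is interesting when it runs a Node.js binary or names a .js file.
# `\b` keeps "nodejs\" (a folder name) and ".json" from matching.
NODE_PATTERN = re.compile(r"(?:^|[\\/\s\"'])node(?:\.exe)?\b", re.IGNORECASE)
JS_FILE_PATTERN = re.compile(r"\.js\b", re.IGNORECASE)

# Constructed sample: two tasks, one benign Windows task and one placeholder
# task that launches node.exe with a script from a per-user Programs folder.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time",'
    '"Last Result","Author","Task To Run","Start In"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready",'
    '"Interactive/Background","N/A","0","Microsoft Corporation",'
    '"%windir%\\defrag.exe -c -h -k -g -$","N/A"\n'
    '"WS01","\\ExampleAIToolUpdater","9/13/2025 7:00:00 AM","Ready","Interactive only",'
    '"9/12/2025 7:38:00 AM","0","WS01\\user",'
    '"""C:\\Users\\user\\AppData\\Local\\Programs\\ExampleAITool\\node.exe"" '
    'C:\\Users\\user\\AppData\\Local\\Programs\\ExampleAITool\\app.js","N/A"\n'
)

# Constructed sample of `reg query HKCU\...\Run` output (key line, then values).
SAMPLE_REG_QUERY = (
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    OneDrive    REG_SZ    \"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background\n"
    "    ExampleAITool    REG_SZ    \"C:\\Users\\user\\AppData\\Local\\Programs\\ExampleAITool\\node.exe\" "
    "\"C:\\Users\\user\\AppData\\Local\\Programs\\ExampleAITool\\main.js\"\n"
    "\n"
)


def is_suspicious_command(command: str) -> bool:
    """True when the command line runs node.exe or references a .js file."""
    return bool(NODE_PATTERN.search(command) or JS_FILE_PATTERN.search(command))


def scan_schtasks_csv(csv_text: str) -> list[dict]:
    """Parse `schtasks /query /fo CSV /v` output and return flagged tasks."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row.get("Task To Run", "")
        if is_suspicious_command(command):
            findings.append({
                "source": "schtasks",
                "name": row.get("TaskName", ""),
                "author": row.get("Author", ""),
                "command": command,
            })
    return findings


def scan_reg_query_output(reg_text: str) -> list[dict]:
    """Parse `reg query <key>` output and return flagged Run-key values.

    Key paths are unindented; values are indented as `Name    TYPE    data`.
    """
    findings = []
    current_key = ""
    for line in reg_text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current_key = line.strip()
            continue
        # Split on runs of 2+ spaces, at most twice, so spaces inside the data survive.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and is_suspicious_command(parts[2]):
            findings.append({
                "source": "registry",
                "name": f"{current_key}\\{parts[0]}",
                "author": "",
                "command": parts[2],
            })
    return findings


def hunt(schtasks_csv: str, reg_output: str) -> list[dict]:
    """Combine both persistence sources into one list of findings."""
    return scan_schtasks_csv(schtasks_csv) + scan_reg_query_output(reg_output)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_SCHTASKS_CSV, SAMPLE_REG_QUERY):
        print(f"[{finding['source']}] {finding['name']}: {finding['command']}")
```

Every hit still needs a human decision: a developer workstation may legitimately schedule Node.js scripts, so the flagged command, its author, and the script's location (a per-user `AppData\Local\Programs` path with no installer provenance is the kind of detail worth checking) should be compared against what is expected on that host before anything is removed.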