Example AI-themed website designed to lure victims into installing malware | Image: Zscaler
Zscaler ThreatLabz researchers have uncovered an elaborate malware campaign that weaponizes the popularity of artificial intelligence (AI) tools like ChatGPT and Luma AI. By exploiting search engine algorithms, cybercriminals are hijacking top search results to lure users into malware traps using Black Hat SEO techniques.
“The threat actors behind these attacks are exploiting the popularity of AI tools like ChatGPT and Luma AI,” Zscaler warns. These deceptive campaigns have been active since at least January 2025, delivering high-profile malware including Vidar Stealer, Lumma Stealer, and Legion Loader to unsuspecting victims.
The campaign begins with poisoned search engine results for trending AI-related keywords. When users search for queries like “Luma AI blog,” they are likely to see malicious sites ranking among the top results. Once clicked, these AI-themed websites execute JavaScript-based redirection chains that ultimately lead to malware delivery.
“Threat actors are using Black Hat SEO to poison search engine rankings for AI keywords to spread malware,” the report explains.
The JavaScript used in this scheme is hosted on AWS CloudFront, a legitimate CDN, so the requests blend in with ordinary traffic and are harder to block or flag.
Once a user lands on one of the fake AI websites, JavaScript code collects their browser data—like version, screen resolution, user agent, and cookies. This information is then encrypted with a randomly generated XOR key and transmitted to the attacker’s server, getrunkhomuto[.]info, a domain observed in over 4.4 million hits since the start of 2025.
“The domain getrunkhomuto[.]info is a vital component in the redirection chain.”
Based on this data, the victim is redirected through multiple intermediate pages to either a malware payload or, in some cases, adware and PUAs for alternative monetization.
Victims are served a password-protected ZIP file containing an 800MB NSIS installer designed to evade detection. Inside are misleading .docm files that are not documents but components of a malware delivery chain. Upon execution, these files generate AutoIT-based loaders that ultimately deploy Vidar or Lumma Stealer.
“To evade detection, the threat actors implement antivirus checks… to detect and terminate specific antivirus processes running on the victim’s system.”
Targeted antivirus programs include Quick Heal, Webroot, Sophos, BitDefender, Avast, AVG, Norton Security, and ESET.
The delivery chain for Legion Loader is similarly complex. Victims are led to download a ZIP archive that contains another password-protected ZIP and an image revealing the password. The final payload, an MSI file, installs decoy applications while executing malicious DLLs through DLL sideloading and process hollowing.

“In this version of Legion Loader, the DataUploader DLL… collects key information… and transmits it to the C2 server.”
Eventually, a malicious DLL injects shellcode into a hollowed instance of explorer.exe, executing a browser extension designed to steal cryptocurrency.
To avoid detection, the attackers’ scripts first check for the presence of ad blockers or DNS guards using an extensive list of known adblock filter names. If any are detected, the redirection to malware is halted.
“If any of the ad blocker names are found, then the JavaScript will not redirect users to the malware download page.”
This stealth measure ensures only susceptible users are funneled into the final malware delivery phase.
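The chain described above (a poisoned AI-themed lure page, a CloudFront-hosted script, a hop through getrunkhomuto[.]info, then a ZIP download) leaves a distinctive footprint in web-proxy logs. The following Python script is an added detection sketch, not Zscaler's code; it reconstructs per-client redirect chains from a few constructed proxy log lines and flags chains that touch the IoC domain named in the report or that end in a ZIP download after several hops. The log format, the `.example` hostnames and the CloudFront distribution names are assumptions made for the sample.

```python
"""Detection sketch for the SEO-poisoning redirection chain described above.

Added example, not part of the original article or Zscaler's report.
Log format, .example hostnames and CloudFront distribution names are
constructed for illustration; the IoC domain is the one named in the report.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# IoC from the report, stored defanged and refanged only for matching.
IOC_DOMAINS = {"getrunkhomuto[.]info".replace("[.]", ".")}
# Legitimate CDN the report says hosts the redirection scripts. A hit on it is
# NOT suspicious by itself, only as one link in a chain that ends in a download.
CDN_SUFFIXES = (".cloudfront.net",)
DOWNLOAD_TYPES = {"application/zip", "application/x-zip-compressed",
                  "application/octet-stream"}

# Assumed proxy log layout: ts client method url "referer" status content-type
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<referer>[^"]*)" (?P<status>\d{3}) (?P<ctype>\S+)$'
)

@dataclass
class Hit:
    ts: datetime
    client: str
    url: str
    referer: str
    status: int
    ctype: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

def parse(lines):
    """Parse log lines into Hit records, skipping lines that do not match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            hits.append(Hit(datetime.fromisoformat(m["ts"]), m["client"], m["url"],
                            m["referer"], int(m["status"]), m["ctype"]))
    return hits

def chains(hits, window=timedelta(seconds=30)):
    """Group each client's hits into chains linked by referrer or by proximity in time."""
    by_client = defaultdict(list)
    for h in sorted(hits, key=lambda h: h.ts):
        by_client[h.client].append(h)
    out = []
    for seq in by_client.values():
        chain = []
        for h in seq:
            if chain and (h.referer == chain[-1].url or h.ts - chain[-1].ts <= window):
                chain.append(h)
            else:
                if len(chain) > 1:
                    out.append(chain)
                chain = [h]
        if len(chain) > 1:
            out.append(chain)
    return out

def score(chain):
    """Return the reasons a chain resembles the reported lure-to-payload path."""
    reasons = []
    hosts = [h.host for h in chain]
    if any(host in IOC_DOMAINS for host in hosts):
        reasons.append("ioc-domain")
    if any(host.endswith(CDN_SUFFIXES) and h.url.endswith(".js")
           for h, host in zip(chain, hosts)):
        reasons.append("cdn-hosted-script")
    last = chain[-1]
    if last.ctype in DOWNLOAD_TYPES or last.url.lower().endswith(".zip"):
        reasons.append("zip-download")
    # Three or more distinct hosts in one short chain means multi-hop redirection.
    if len(set(hosts)) >= 3 and all(h.status in (200, 301, 302) for h in chain):
        reasons.append("multi-hop")
    return reasons

def detect(lines):
    """Return (client, hosts, reasons) for chains worth an analyst's attention."""
    findings = []
    for chain in chains(parse(lines)):
        reasons = score(chain)
        if "ioc-domain" in reasons or ("zip-download" in reasons and "multi-hop" in reasons):
            findings.append((chain[0].client, [h.host for h in chain], reasons))
    return findings

# Constructed sample: one client follows the lure chain, another only loads a
# benign CloudFront-hosted script from a documentation site.
SAMPLE_LOG = """\
2025-03-02T10:00:01 10.0.0.5 GET https://lumaai-blog.example/ "https://search.example/?q=luma+ai+blog" 200 text/html
2025-03-02T10:00:02 10.0.0.5 GET https://d111111abcdef8.cloudfront.net/r.js "https://lumaai-blog.example/" 200 application/javascript
2025-03-02T10:00:03 10.0.0.5 GET https://getrunkhomuto.info/?d=ZmFrZQ "https://lumaai-blog.example/" 302 text/html
2025-03-02T10:00:04 10.0.0.5 GET https://dl-stage.example/go "https://getrunkhomuto.info/" 302 text/html
2025-03-02T10:00:05 10.0.0.5 GET https://dl-final.example/Setup.zip "https://dl-stage.example/go" 200 application/zip
2025-03-02T10:05:00 10.0.0.9 GET https://docs.example/ai "https://search.example/?q=ai" 200 text/html
2025-03-02T10:05:01 10.0.0.9 GET https://d222222abcdef8.cloudfront.net/app.js "https://docs.example/ai" 200 application/javascript
"""

if __name__ == "__main__":
    for client, hosts, reasons in detect(SAMPLE_LOG.splitlines()):
        print(client, " -> ".join(hosts), reasons)
```

The IoC match alone is enough to raise a finding; the CDN-script and multi-hop signals are kept as supporting context so that, when the actors rotate the intermediate domain, the shape of the chain (lure page, CDN script, several hops, archive download) still stands out without generating an alert for every site that happens to load a script from CloudFront.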