Trend Micro researchers have uncovered a sophisticated malware campaign dubbed EvilAI, which disguises itself as productivity and AI-enhanced tools to infiltrate organizations worldwide. With its professional-looking interfaces, valid digital signatures, and even functional features, EvilAI has already achieved a global footprint, targeting critical industries such as manufacturing, government, and healthcare.
According to Trend Micro, "EvilAI disguises itself as productivity or AI-enhanced tools, with professional-looking interfaces and valid digital signatures that make it difficult for users and security tools to distinguish it from legitimate software."
Rather than mimicking existing popular brands, attackers create plausible but generic application names such as App Suite, Epi Browser, Manual Finder, and Recipe Lister. These fake apps deliver on their promises with basic functionality, lulling users into a false sense of security while a hidden payload exfiltrates sensitive data.
Trend researchers explain that "these trojans mimic the appearance of real software to go unnoticed into both corporate and personal environments, often gaining persistent access before raising any suspicion."
In just the first week of telemetry (starting August 29, 2025), Trend detected widespread infections across multiple regions. "EvilAI infections have appeared globally, with the highest impact in Europe, the Americas, and the AMEA region."
- Europe: 56 incidents
- Americas: 29 incidents
- AMEA (Asia, Middle East, Africa): 29 incidents
Country-level data reveals the top 10 affected nations:
- India (74 cases)
- United States (68 cases)
- France (58 cases)
- Italy (31 cases)
- Brazil (26 cases)
- Germany (23 cases)
- United Kingdom (14 cases)
- Norway (10 cases)
- Spain (10 cases)
- Canada (8 cases)
Industries hardest hit include manufacturing (58 cases), government/public services (51 cases), and healthcare (48 cases). Technology, retail, and education sectors have also been impacted, demonstrating EvilAI's non-selective targeting.
EvilAI operates as a trojan that blends stealth, persistence, and AI-driven evasion:
- Fake Software Functionality: provides real features to avoid suspicion.
- Code-Signing Abuse: uses or misuses valid digital certificates to appear legitimate.
- Node.js Payload Execution: hidden JavaScript payloads run via node.exe, enabling covert execution.
- Persistence Mechanisms: creates scheduled tasks (e.g., sys_component_health_{UID}) and registry Run keys (PDFEditorUpdater) to survive reboots.
- Credential Theft: duplicates sensitive Chrome and Edge profile files, storing copies as "Web Data Sync" and "Preferences Sync."
- Anti-Analysis & Obfuscation: employs MurmurHash3 anti-analysis loops, Unicode string encoding, and dynamic code construction to thwart reverse engineering.
- Encrypted C2 Communication: maintains "encrypted, real-time communication with its command-and-control servers using AES-encrypted channels to receive attacker commands and deploy additional payloads."
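The host-side indicators listed above (the sys_component_health_{UID} scheduled task, the PDFEditorUpdater Run key, payload execution through node.exe, and the "Web Data Sync" / "Preferences Sync" copies of browser profile files) can be turned into a simple scored hunt over endpoint telemetry. The script below is an added example for this article, not Trend Micro's tooling; the flat event schema, the exact regex forms, the sample events and the per-indicator weights are all assumptions made for illustration. Because node.exe is routine on developer machines it is deliberately given a low weight, so a host is only flagged when a campaign-specific artifact is present.

```python
"""Score endpoint events against the EvilAI host indicators named in the article.

Added example, not Trend Micro's code. Event dicts are a constructed,
simplified stand-in for Sysmon/EDR records; indicator regexes and weights
are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Indicators from the write-up (exact task-name suffix form is assumed).
TASK_NAME_RE = re.compile(r"^sys_component_health_[A-Za-z0-9_-]+$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
RUN_VALUE_NAME = "pdfeditorupdater"
BROWSER_PROFILE_RE = re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\", re.I)
SYNC_COPY_NAMES = {"web data sync", "preferences sync"}


@dataclass(frozen=True)
class Finding:
    host: str
    indicator: str   # short label for the matched behaviour
    detail: str      # the field that matched, kept for triage
    weight: int      # how specific the indicator is on its own


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if a single event matches one EvilAI indicator."""
    kind = ev.get("type")
    host = ev.get("host", "?")
    if kind == "task_created" and TASK_NAME_RE.match(ev.get("task_name", "")):
        return Finding(host, "scheduled_task", ev["task_name"], 4)
    if (kind == "registry_set" and RUN_KEY_RE.search(ev.get("key", ""))
            and ev.get("value_name", "").lower() == RUN_VALUE_NAME):
        return Finding(host, "run_key", ev["key"] + "\\" + ev["value_name"], 4)
    if kind == "file_create":
        path = ev.get("path", "")
        name = path.rsplit("\\", 1)[-1].lower()
        # Only the copy names inside a Chrome/Edge profile directory count.
        if name in SYNC_COPY_NAMES and BROWSER_PROFILE_RE.search(path):
            return Finding(host, "profile_copy", path, 3)
    if kind == "process_create":
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if image == "node.exe":   # weak signal: common on developer hosts
            return Finding(host, "node_exec", ev.get("command_line", ""), 1)
    return None


def hunt(events: Iterable[dict], threshold: int = 3) -> dict:
    """Group findings per host and flag hosts whose summed weight meets the threshold."""
    per_host = defaultdict(list)
    for ev in events:
        f = check_event(ev)
        if f is not None:
            per_host[f.host].append(f)
    report = {}
    for host, findings in per_host.items():
        score = sum(f.weight for f in findings)
        report[host] = {"score": score, "flagged": score >= threshold, "findings": findings}
    return report


# Constructed sample telemetry: one full infection chain, one developer box
# running Node legitimately, one host with only a profile copy, one benign task.
SAMPLE_EVENTS = [
    {"type": "task_created", "host": "WS-101", "task_name": "sys_component_health_7f3a2c"},
    {"type": "registry_set", "host": "WS-101",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "PDFEditorUpdater"},
    {"type": "process_create", "host": "WS-101",
     "image": "C:\\Users\\alice\\AppData\\Local\\AppSuite\\node.exe", "command_line": "node.exe main.js"},
    {"type": "file_create", "host": "WS-101",
     "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data Sync"},
    {"type": "process_create", "host": "WS-102",
     "image": "C:\\Program Files\\nodejs\\node.exe", "command_line": "node.exe build.js"},
    {"type": "file_create", "host": "WS-103",
     "path": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Preferences Sync"},
    {"type": "task_created", "host": "WS-104", "task_name": "MicrosoftEdgeUpdateTaskMachineCore"},
]

if __name__ == "__main__":
    for host, r in hunt(SAMPLE_EVENTS).items():
        status = "FLAGGED" if r["flagged"] else "review"
        print(host, r["score"], status, [f.indicator for f in r["findings"]])
```

In practice the event dicts would be produced by your SIEM or EDR export; the point of the weighting is that a lone node.exe launch on a build server does not page anyone, while the campaign-specific task name or Run value does, even before the credential-theft stage has run.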
A troubling aspect of EvilAI is its use of AI-generated code to appear benign. Trend warns: "Increasingly, attackers are leveraging AI tools to generate malware code that looks clean and legitimate, allowing it to evade detection by traditional security solutions."
For example, the malware "JustAskJacky" employed AI to produce realistic code, complicating detection by static scanners.
EvilAI's sophistication and global spread suggest the involvement of a highly capable threat actor. The campaign's combination of functional decoy apps, AI-generated evasion, and strong persistence makes it one of the most dangerous malware families observed in 2025.
Trend Micro stresses that "the early victimology confirms that EvilAI is a broad and indiscriminate campaign, already achieving significant global impact within a short tracking window. If left unchecked, this trajectory suggests the potential for rapid escalation in scope and severity."