
Image: Cisco Talos
As artificial intelligence continues to revolutionize industries, cybercriminals are exploiting the growing demand for AI-driven tools by embedding malware in fake software installers. According to a recent report from Cisco Talos, a series of ransomware and destructive malware campaigns are targeting users searching for AI solutions—masquerading as legitimate downloads.
“Cisco Talos has discovered new threats, including the ransomware CyberLock, Lucky_Gh0$t, and a newly-discovered malware we call ‘Numero,’ all of which masquerade as legitimate AI tool installers,” the report warns.
These attacks employ a wide range of evasion and deception techniques, including SEO poisoning, Telegram distribution, and social engineering to lure unsuspecting users.
CyberLock is a PowerShell-based ransomware embedded in a .NET loader posing as a legitimate AI sales tool called NovaLeadsAI.
“The threat actor deceitfully claims in the ransom note that the payments will be allocated for humanitarian aid in various regions, including Palestine, Ukraine, Africa and Asia,” the report states.

Victims are persuaded to download a fake AI installer hosted at a lookalike domain, novaleadsai[.]com. Upon execution, the embedded loader deploys the CyberLock ransomware, encrypting files and demanding $50,000 in Monero, split between two wallets for obfuscation.
CyberLock:
- Targets a wide range of files from documents to source code
- Uses AES encryption and appends the .cyberlock extension
- Drops a ransom note (“ReadMeNow.txt”) and changes the desktop wallpaper
- Erases free disk space using Windows’ cipher.exe to prevent recovery
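As an added example (not code from the Talos report or from this article), the following Python checks a few constructed Sysmon-style events for the CyberLock host indicators listed above; the event shape, hostnames and file paths are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like shape (not real telemetry):
# id 1 = process creation, id 11 = file creation.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-17", "image": "C:\\Users\\a\\Downloads\\NovaLeadsAI-Setup.exe",
     "cmdline": "NovaLeadsAI-Setup.exe"},
    {"id": 1, "host": "ws-17", "image": "C:\\Windows\\System32\\cipher.exe",
     "cmdline": "cipher.exe /w:C:\\"},
    {"id": 11, "host": "ws-17", "target": "C:\\Users\\a\\Documents\\q3.xlsx.cyberlock"},
    {"id": 11, "host": "ws-17", "target": "C:\\Users\\a\\Desktop\\ReadMeNow.txt"},
    # Benign admin use of cipher.exe (EFS encrypt) on another host: must not fire.
    {"id": 1, "host": "ws-02", "image": "C:\\Windows\\System32\\cipher.exe",
     "cmdline": "cipher.exe /e C:\\Users\\b\\secret"},
    {"id": 11, "host": "ws-02", "target": "C:\\Users\\b\\notes.txt"},
]

# cipher.exe /w:<drive> overwrites unallocated space; rare outside admin maintenance.
CIPHER_WIPE = re.compile(r"cipher(\.exe)?\s+/w:", re.IGNORECASE)

def score_events(events):
    """Return {host: [indicator names]} for the CyberLock behaviours above."""
    findings = defaultdict(list)
    for ev in events:
        host = ev["host"]
        if ev["id"] == 1 and CIPHER_WIPE.search(ev.get("cmdline", "")):
            findings[host].append("cipher.exe free-space wipe")
        elif ev["id"] == 11:
            name = ev["target"].rsplit("\\", 1)[-1].lower()
            if name.endswith(".cyberlock"):
                findings[host].append("file with .cyberlock extension")
            elif name == "readmenow.txt":
                findings[host].append("ransom note ReadMeNow.txt")
    return dict(findings)

def hosts_to_escalate(events, threshold=2):
    """Hosts showing at least `threshold` distinct indicators (reduces single-hit noise)."""
    return sorted(h for h, f in score_events(events).items() if len(set(f)) >= threshold)

if __name__ == "__main__":
    print(hosts_to_escalate(SAMPLE_EVENTS))
```

Requiring two distinct indicators keeps a lone administrative cipher.exe run from paging anyone, while the combination of a wipe plus renamed files or the note is escalated.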
Lucky_Gh0$t, a variant of the Yashma ransomware, is disguised as “ChatGPT 4.0 full version – Premium.exe” and delivered in a self-extracting archive. Alongside legitimate open-source Microsoft AI tools, the archive contains a ransomware executable designed to avoid detection.
Victims receive a ransom note instructing them to use the GetSession secure messenger platform for negotiations.
Cisco Talos also uncovered Numero, a new destructive malware pretending to be an installer for the video content platform InVideo AI.
Compiled in January 2025, Numero continuously monitors and manipulates the victim’s desktop GUI using Windows APIs like GetDesktopWindow, EnumChildWindows, and SendMessageW. The malware is designed to render systems unusable by corrupting GUI elements and locking the user in an infinite loop.
It also checks for popular debugging tools (e.g., IDA, x64dbg, Immunity Debugger) to evade analysis.
These malicious campaigns primarily target professionals in:
- B2B Sales
- Technology and Marketing
- Content Creation and Development
The threat actors distribute their malware via:
- SEO poisoning (to rank fake download sites high on search engines)
- Telegram and social messengers
- Legitimate-looking archives with real software to evade antivirus
“Unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded,” the report warns.
The abuse of AI tool branding marks a disturbing trend in the malware landscape. These campaigns leverage the credibility of emerging technologies to trick even experienced users into executing malicious payloads.