Check before you click: ransomware gangs are disguising their tools as popular AI apps


Multiple ransomware gangs are disguising their malware as AI tools: fake ChatGPT, InVideo AI, and other installers deliver ransomware and destructive malware, a new report by Cisco Talos warns.

Cisco Talos has identified several threat actors using the names of popular AI products as camouflage to lure victims.

The operators of CyberLock ransomware, a strain first observed in February 2025, built a lookalike of the legitimate “novaleads.app” website, a lead-monetization platform for businesses, and dressed it up as an AI product.


The clone was hosted at “novaleadsai[.]com”, and the attackers manipulated search engine rankings to place it among the top results. The site offers the “product” free for 12 months; the downloaded ZIP archive contains an executable, “NovaLeadsAI.exe”, which is a loader that deploys the ransomware.

Once CyberLock runs, it encrypts the targeted files with AES, appends the extension .cyberlock to each encrypted file, and drops a ransom note demanding $50,000 in Monero. The lengthy note even claims the payment will fund humanitarian efforts in various regions.

[Image: the CyberLock ransom note]

Another threat actor has been distributing a file named “ChatGPT 4.0 full version – Premium.exe.” Victims who run it actually install Lucky_Gh0$t ransomware, a variant of Yashma, which is itself the sixth iteration of the Chaos ransomware family.

Victims find their files encrypted and their volume shadow copies and backups deleted, which removes the easy local recovery path.

“Lucky_Gh0$t targets files on the victim machine that are approximately less than 1.2GB in size and encrypts the files with the RSA-encrypted AES key, appending four random alphanumeric characters as the file extension,” Cisco Talos researchers said in a report.
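The artefacts described above, the .cyberlock extension CyberLock appends and the random four-character suffix Lucky_Gh0$t tacks onto each encrypted file, can be turned into a simple triage heuristic for a responder who is handed a file listing or a mounted disk. The Python script below is an added example, not code from the Talos report or from Cybernews. The allowlists of common data extensions and legitimate four-letter extensions, the per-directory threshold, and the sample file listing are assumptions made for the example; the indicators themselves come from the article.

```python
import re
from collections import Counter
from pathlib import Path, PurePath, PureWindowsPath

# Indicators stated in the article: CyberLock appends ".cyberlock"; Lucky_Gh0$t
# appends four random alphanumeric characters after the file's original name,
# so an encrypted document ends up looking like "report.docx.k7Qz".
CYBERLOCK_EXT = ".cyberlock"
RANDOM_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{4}$")

# Assumed allowlists (not from the report): common data-file extensions that a
# victim's files would normally carry, and legitimate 4-character extensions that
# must not be mistaken for a random Lucky_Gh0$t suffix.
DATA_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
             ".csv", ".jpg", ".png", ".zip", ".sql", ".db", ".bak"}
KNOWN_4CHAR_EXTS = {".docx", ".xlsx", ".pptx", ".json", ".html", ".yaml",
                    ".jpeg", ".tiff", ".webp", ".toml", ".xlsm"}


def classify(path: PurePath):
    """Return 'cyberlock', 'lucky_gh0st_like' or None for a single path."""
    suffix = path.suffix
    if suffix.lower() == CYBERLOCK_EXT:
        return "cyberlock"
    # A random 4-character suffix on its own proves little; require that the
    # original extension is still visible in front of it (e.g. ".xlsx.k7Qz").
    if RANDOM_EXT_RE.match(suffix) and suffix.lower() not in KNOWN_4CHAR_EXTS:
        inner = PurePath(path.stem).suffix.lower()
        if inner in DATA_EXTS:
            return "lucky_gh0st_like"
    return None


def scan_paths(paths, min_hits: int = 3) -> dict:
    """Group indicator hits per directory and report only directories with at
    least min_hits flagged files, so one oddly named file does not alert."""
    per_dir = {}
    for path in paths:
        label = classify(path)
        if label:
            per_dir.setdefault(str(path.parent), Counter())[label] += 1
    return {d: dict(c) for d, c in per_dir.items() if sum(c.values()) >= min_hits}


def scan_directory(root: str, min_hits: int = 3) -> dict:
    """Walk a real directory tree and apply the same heuristics."""
    return scan_paths((p for p in Path(root).rglob("*") if p.is_file()), min_hits)


# Constructed sample file listing (not real victim data) covering both families,
# clean files, a legitimate 4-letter extension and a single below-threshold hit.
SAMPLE_PATHS = [PureWindowsPath(p) for p in (
    r"C:\Users\alice\Documents\budget.xlsx.k7Qz",
    r"C:\Users\alice\Documents\report.docx.Bq19",
    r"C:\Users\alice\Documents\photo.jpg.x0Mn",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\bob\Projects\data.sql.cyberlock",
    r"C:\Users\bob\Projects\plan.pdf.cyberlock",
    r"C:\Users\bob\Projects\deck.pptx.cyberlock",
    r"C:\Users\carol\Downloads\config.json",
    r"C:\Users\carol\Downloads\export.docx.json",
    r"C:\Users\carol\Downloads\weird.pdf.Zz9a",
)]

if __name__ == "__main__":
    for directory, hits in scan_paths(SAMPLE_PATHS).items():
        print(directory, hits)
```

Run against the sample listing, the script reports alice's Documents folder as Lucky_Gh0$t-like and bob's Projects folder as CyberLock, while the single odd file in carol's Downloads stays below the threshold. Lowering min_hits to 1 surfaces it, at the cost of more false positives from legitimately unusual file names.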

Yet another threat actor distributes destructive malware called “Numero” disguised as an installer for InVideo AI, an AI video-creation tool. InVideo AI is an online platform widely used to produce marketing videos and other social media content.

Running the fake installer drops a malicious component that launches Numero and keeps it running continuously on the victim’s machine. Numero is not ransomware but a destructive Windows manipulator: it monitors the victim's computer and hijacks and corrupts the graphical user interface, rendering the device unusable.

[Image: Numero corrupts the Windows GUI]

Cybernews has previously reported on numerous instances of cybercriminals exploiting the AI trend for profit: hackers advertise fake AI video generators on Facebook, fake ChatGPT browser extensions pilfer Facebook accounts, and experts warn that fake video generators are becoming an increasingly common lure.

“As AI continues to propel multiple industry sectors forward, malicious actors are exploiting its popularity by distributing a range of malware disguised as AI solutions’ installers and tools,” Cisco Talos explained.

Ernestas Naprys Stefanie Gintaras Radauskas Paulina Okunyte

The researchers warn that the attackers use a range of techniques and channels to distribute the fraudulent installers: SEO poisoning and malvertising manipulate search engine rankings, and the actors also abuse Telegram and other messaging and social media platforms.

“As a result, unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded,” the report warns.

“Organizations and users must exercise extreme caution, meticulously verify sources, and rely exclusively on reputable vendors to avoid falling prey to these threats.”
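The report's advice to verify sources can be made concrete for anyone about to run a downloaded "AI installer". The Python script below is an added example, not code from Cisco Talos or Cybernews: it flags a domain that reuses a vendor's brand label without being that vendor's domain (novaleadsai[.]com against novaleads.app, as in the CyberLock campaign), lists the executables inside a downloaded ZIP, and compares the archive's SHA-256 with a hash obtained from the vendor out of band. The executable-extension list, the naive one-label TLD handling (no public-suffix list), and the constructed sample archive are assumptions made for the example.

```python
import hashlib
import hmac
import io
import zipfile

# Extensions that run code when double-clicked on Windows (assumed list).
EXECUTABLE_EXTS = (".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar", ".dll")


def registrable_label(host: str) -> str:
    """Label left of the top-level domain, assuming a one-label TLD (this example
    does not consult the public-suffix list): 'novaleads.app' -> 'novaleads'."""
    labels = host.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_lookalike(candidate_host: str, legit_host: str) -> bool:
    """True when the host is neither the vendor's domain nor one of its subdomains
    but reuses the vendor's brand label, as novaleadsai[.]com does for novaleads.app."""
    candidate = candidate_host.lower().strip(".")
    legit = legit_host.lower().strip(".")
    if candidate == legit or candidate.endswith("." + legit):
        return False
    return registrable_label(legit) in registrable_label(candidate)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against the hash the vendor publishes."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def executables_in_zip(data: bytes) -> list:
    """List archive members that would execute if a user opened them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]


def check_download(download_host: str, legit_host: str, archive: bytes,
                   expected_sha256: str = None) -> dict:
    """Run the three checks and say whether the download is verified."""
    findings = {
        "lookalike_domain": is_lookalike(download_host, legit_host),
        "executables": executables_in_zip(archive),
        "hash_ok": None if expected_sha256 is None else sha256_matches(archive, expected_sha256),
    }
    # Without a published hash to compare against, the download stays unverified.
    findings["verified"] = findings["hash_ok"] is True and not findings["lookalike_domain"]
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the ZIP the article describes; the .exe member
    holds placeholder bytes, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NovaLeadsAI.exe", b"MZ placeholder - not a real program")
        zf.writestr("README.txt", b"Free access for 12 months!")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    # A dummy expected hash that will not match, standing in for a vendor-published value.
    print(check_download("novaleadsai.com", "novaleads.app", archive, "00" * 32))
```

The domain check catches the brand-in-a-different-domain pattern the article describes but not typosquats that drop or swap letters; pairing it with a hash obtained from the real vendor is what actually settles whether the archive is the genuine product, and a ZIP that contains an .exe for what is advertised as a web service deserves suspicion on its own.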
