Black Hat SEO Poisoning Search Engine Results For AI to Distribute Malware

MITRE Techniques

• [T1189] Drive-by Compromise – Malicious JavaScript embedded in fake AI blog sites executes code on the victim’s system (‘Malicious JavaScript embedded in fake AI blogs that executes code on the target’s system’).
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The NSIS installer runs batch scripts that remove malware if antivirus software is detected (‘The NSIS installer contains a batch script that deletes the malware if security products are detected’).
• [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts are used during malware execution flows.
• [T1217] Browser Information Discovery – JavaScript collects browser version, resolution, user agent, and other fingerprinting data.
• [T1083] File and Directory Discovery – Malware performs discovery of files and directories on the infected host.
• [T1057] Process Discovery – Batch scripts identify running processes to prepare for execution of AutoIT payloads (‘Batch script to discover the process and start AutoIT’).
• [T1059.010] Command and Scripting Interpreter: AutoHotkey & AutoIT – AutoIT executes obfuscated scripts as part of the payload delivery.
• [T1574.002] Hijack Execution Flow: DLL Side-Loading – The MSI installation sideloads malicious DLLs by running legitimate executables to load malicious code.
• [T1055] Process Injection – Malicious DLL injects code into explorer.exe using process hollowing to evade detection.
• [T1176] Browser Extensions – Malicious browser extensions are deployed for persistence, including cryptocurrency stealer extensions.
• [T1041] Exfiltration Over C2 Channel – Collected victim information is exfiltrated to command-and-control servers.