EvilAI Malware Campaign

EvilAI employs AI-generated, heavily obfuscated JavaScript delivered via trojanized applications carrying valid digital signatures to infiltrate systems across multiple industries and regions, exfiltrate credentials, and maintain persistence. The campaign uses AES-256-CBC encrypted C2 communications and modular command handling to download files, modify the registry, and execute payloads; it has impacted 114 systems, with the most activity observed in India and the United States.

Keypoints

  • EvilAI delivers AI-generated JavaScript via trojanized productivity apps distributed through malicious websites, SEO manipulation, and social media promotions.
  • Malicious installers often carry valid digital signatures from newly registered entities such as App Interplace LLC and Byte Media Sdn Bhd to appear legitimate.
  • The payloads are Node.js-executed JavaScript files dropped into temporary directories with names like “[GUID]or.js” and achieve persistence via scheduled tasks and Run registry keys (daily at 10:51 AM and every four hours).
  • Obfuscation techniques include control flow flattening, Unicode escape sequences, MurmurHash3-based anti-analysis loops, and meaningless identifiers to impede static and manual analysis.
  • EvilAI uses WMI to enumerate and terminate browser processes (Edge, Chrome) to steal browser data by copying “Web Data” and “Preferences” files from profiles.
  • Network communications use AES-256-CBC encryption keyed by the malware instance ID; the C2 supports a JSON-based continuous command loop for modular actions (file download, registry edits, process execution, script handling).
  • The campaign has affected 114 systems globally, with manufacturing, government, and healthcare among the most targeted sectors; India and the US report the highest infection counts.

MITRE Techniques

  • [T1204] User Execution – Trojans masquerading as productivity tools are distributed via malicious websites, SEO manipulation, and social media promotions to trick users into installing the malicious apps (“trojans masquerading as productivity tools”).
  • [T1547] Boot or Logon Autostart Execution – Persistence is achieved through scheduled tasks and registry Run key entries to ensure regular execution (“establishes persistence through scheduled tasks and registry Run key entries, ensuring daily execution at 10:51 AM and every four hours thereafter”).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The malware executes AI-generated JavaScript in Node.js environments as the primary payload execution method (“AI-generated JavaScript code executed via Node.js”).
  • [T1140] Deobfuscate/Decode Files or Information – Heavy obfuscation (control flow flattening, Unicode escape sequences, MurmurHash3 anti-analysis loops, meaningless variable names) is used to hinder analysis (“control flow flattening, Unicode escape sequences, and MurmurHash3-based anti-analysis loops that execute only once but appear infinite to static analysis tools”).
  • [T1046] Network Service Discovery – The malware maintains encrypted C2 communications and processes JSON commands over a continuous command loop to discover and interact with remote services (“C2 infrastructure supports a continuous command loop, processing JSON payloads for file downloads, registry modifications, process execution, and script handling”).
  • [T1036.005] Masquerading: Masquerade Task or Service – Malicious applications mimic legitimate software and use valid digital signatures from entities like App Interplace LLC and Byte Media Sdn Bhd to appear authentic (“carry valid digital signatures from newly registered entities like App Interplace LLC and Byte Media Sdn Bhd, lending an air of legitimacy”).
  • [T1005] Data from Local System – The malware copies browser data files such as “Web Data” and “Preferences” from browser profiles to facilitate credential theft (“duplicating ‘Web Data’ and ‘Preferences’ files from browser profiles”).
  • [T1112] Modify Registry – The malware modifies the Windows registry (Run keys) to maintain persistence (“establishes persistence through … registry Run key entries”).
  • [T1105] Ingress Tool Transfer – The modular command handling allows downloading additional files and staging secondary payloads for further actions (“C2 supports commands for file downloads … acting as a stager, potentially deploying secondary infostealer payloads”).
  • [T1573] Encrypted Channel – Communications with C2 are encrypted using AES-256-CBC with the instance ID as key to conceal traffic (“Network communications are secured with AES-256-CBC encryption, using the malware’s unique instance ID as a cryptographic key”).

Indicators of Compromise

  • [File Hash] Polyswarm-hosted EvilAI samples – ad0655b17bbdbd8a7430485a10681452be94f5e6c9c26b8f92e4fcba291c225a, 9f369e63b773c06588331846dd247e48c4030183df191bc53d341fcc3be68851 (and 1 more hash).
  • [File Name] Dropped payload naming pattern – temporary directory JavaScript files like “[GUID]or.js” used for execution and persistence.
  • [Organization] Signed installers – valid digital signatures from newly registered entities such as App Interplace LLC and Byte Media Sdn Bhd observed on trojanized installers.
  • [Registry/Schedule] Persistence artifacts – scheduled tasks (daily at 10:51 AM and every four hours) and Run registry key entries used to ensure execution.
  • [Browser Artifacts] Credential theft targets – copies of browser files “Web Data” and “Preferences” from Edge and Chrome profiles indicate data exfiltration of stored credentials and settings.
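The execution and persistence artifacts listed above (Node.js launching a “[GUID]or.js” file from a temp directory, Run-key entries and scheduled tasks pointing at it) translate directly into hunting heuristics. The following is an added example, not code from the report or from Polyswarm; the event schema, the GUID format and the sample events are constructed assumptions modelled on Sysmon process-creation, registry-set and task-creation telemetry.

```python
import re

# Heuristics derived from the reported EvilAI artifacts. Field names and the
# GUID format are assumptions; adapt them to your log pipeline's schema.
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
PAYLOAD_RE = re.compile(rf"\\temp\\{GUID}or\.js\b", re.IGNORECASE)   # [GUID]or.js in a temp dir
NODE_RE = re.compile(r"(?:^|\\)node\.exe\b", re.IGNORECASE)          # Node.js interpreter
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)   # HKCU/HKLM Run keys


def classify(event: dict) -> list[str]:
    """Return the detection labels that fire for one event (constructed schema)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        # Sysmon Event ID 1 analogue: node.exe whose command line names the temp-dir payload
        if NODE_RE.search(event["image"]) and PAYLOAD_RE.search(event["cmdline"]):
            hits.append("T1059.007: node.exe executing [GUID]or.js from temp")
    elif kind == "registry_set":
        # Sysmon Event ID 13 analogue: a Run value whose data launches the payload
        if RUN_KEY_RE.search(event["key"]) and PAYLOAD_RE.search(event["data"]):
            hits.append("T1547: Run key persistence for [GUID]or.js")
    elif kind == "schtask_create":
        # Task whose action runs the payload via node; the report's 10:51 trigger is a bonus signal
        if NODE_RE.search(event["action"]) and PAYLOAD_RE.search(event["action"]):
            label = "T1547: scheduled task launching [GUID]or.js"
            if "10:51" in event.get("trigger", ""):
                label += " (matches reported 10:51 daily trigger)"
            hits.append(label)
    return hits


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, labels) for every event that triggers at least one heuristic."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


# Constructed sample telemetry (not from the report); the GUID below is made up.
_PAYLOAD = r"C:\Users\u\AppData\Local\Temp\3f2504e0-4f89-11d3-9a0c-0305e82c3301or.js"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": rf'"C:\Program Files\nodejs\node.exe" {_PAYLOAD}'},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": rf'"C:\Program Files\nodejs\node.exe" {_PAYLOAD}'},
    {"type": "schtask_create", "name": "Updater", "trigger": "DAILY 10:51",
     "action": rf"node.exe {_PAYLOAD}"},
    {"type": "process_create", "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},  # benign developer use
]

if __name__ == "__main__":
    for idx, labels in hunt(SAMPLE_EVENTS):
        print(idx, labels)
```

Only the three EvilAI-shaped events fire; the legitimate Node.js invocation in the last event produces no label, which is the false-positive case a hunt over developer workstations must handle.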

Read more: https://blog.polyswarm.io/evilai