FIN7 Operates Honeypot Domains Featuring Malicious AI DeepNude Generators – Insights from New Silent Push Research

Silent Push research shows the FIN7 group is deploying AI-themed “DeepNude” websites and browser-extension honeypots to deliver NetSupport RAT and several information stealers. These campaigns use malvertising, SEO tactics, complex packers/launchers, and covert C2 discovery methods to evade detection and target corporate environments. #FIN7 #NetSupportRAT

Key points

  • FIN7 is operating at least seven AI “DeepNude” honeypot sites and additional browser-extension honeypots to distribute malicious payloads.
  • NetSupport RAT is delivered via .MSIX browser-extension lures and targets domain-joined/workgroup machines for privilege escalation and lateral movement.
  • Information stealers and loaders observed include Redline Stealer, D3Fck Loader, and Lumma Stealer (DLL side-loading), used to harvest credentials and cookies.
  • Two distinct user flows are used on DeepNude sites: a simple “Free Download” redirect to hosted payloads (e.g., Dropbox) and a “Free Trial” flow that prompts for an upload and then serves a ZIP containing a malicious installer.
  • Malware uses complex packing and launch chains: Inno Setup with embedded Pascal scripts and custom string encoding, Java/Launch4j-wrapped executables, multi-layered archives (encrypted 7z), and virtual environment checks.
  • Researchers extracted encoded strings via Python and mapped C2 infrastructure using Steam-profile strings and Hetzner-hosted IPs; Silent Push provides IOFA feeds to block FIN7 infrastructure.

MITRE Techniques

  • [T1003] Credential Dumping – Use of infostealers to acquire credentials from compromised systems.
  • [T1219] Remote Access Tools – Deployment of NetSupport RAT to gain remote access to victim machines.
  • [T1203] Malicious File Execution – Users tricked into downloading and executing malicious payloads from honeypot sites.
  • [T1566] Phishing – Use of spear-phishing emails and malicious links to lure victims.
  • [T1189] Drive-by Compromise – Users visiting compromised websites unknowingly download malware.

Indicators of Compromise

  • [IP address] C2 / hosting – 85.209.134[.]137 (live SAP Concur phishing page), 166.88.159[.]37 (NetSupport RAT C2), and other Hetzner-hosted IPs like 78.47.105[.]28.
  • [Domain] malicious/honeypot sites – ai-nude[.]ai, easynude[.]website, ai-nude[.]pro, and 4 more related honeypot domains.
  • [File hash] malware samples – MD5 ff25441b7631d64afefdb818cfcceec7 (LexisNexis.msix sample), SHA256 7e5d91f73e89a997a7caa6b111bbd0f9788aa707ebf6b7cbe2ad2c01dffdc15d (Redline sample).
  • [File name / path] payloads & archives – LexisNexis.msix (.MSIX installer), 225.zip -> 225.exe (Launch4j-wrapped JVM EXE), and encrypted 7z archives (password: 1234567890).

FIN7’s technical delivery uses two primary web-based lures: .MSIX browser-extension installs promoted through malvertising and AI “DeepNude” generator pages with two user flows. The “Requires Browser Extension” ploy serves .MSIX packages (example: LexisNexis.msix, MD5 ff25441b7631d64afefdb818cfcceec7) that install NetSupport RAT; these packages carry a counterfeit publisher certificate to appear legitimate and include logic to detect domain-joined vs. workgroup machines. DeepNude honeypots either redirect “Free Download” clicks to hosted payloads (trial-uploader[.]store / Dropbox links) or implement a “Free Trial” upload flow that returns a ZIP containing a malicious installer.

Execution chains are multi-stage and obfuscated: initial installers use Inno Setup with embedded Pascal scripts and custom-encoded strings, perform virtual environment checks, and contact remote hosts. Payloads observed include encrypted 7-Zip archives (password 1234567890) that extract a NetSupport executable for workgroup targets, a 225.zip bundle containing a JVM and a Launch4j-wrapped EXE (first detected as D3Fck Loader), and secondary binaries like Redline Stealer (SHA256 7e5d91f7…) and Lumma Stealer that execute via DLL side-loading. Analysts decoded Inno Setup strings with Python to reconstruct execution flow and locate downstream artifacts and download URLs (e.g., 78.47.101[.]48/manual/225/225.zip).

For C2 discovery and tracking, researchers found the installers embed markers (e.g., a placeholder substring v_10 := ‘i1il’) that map to Steam profiles which, in turn, reveal Hetzner-hosted IPs used as C2s (examples: 78.47.105[.]28, 159.69.26[.]61, 166.88.159[.]37). Key technical mitigations include blocking identified IPs/domains at the network edge, scanning for the noted file hashes and filenames, and ingesting curated IOFA feeds to prevent access to known FIN7 infrastructure.
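The blocking and scanning mitigations above start with turning the defanged indicators quoted in this summary into something that can be matched against raw telemetry. The following is an added example, not code from Silent Push or the original report: it refangs the page's IoCs and runs them over a few constructed proxy, DNS and EDR log lines (the log format and the user names are invented for the example).

```python
import re

# Indicators quoted in the summary above, kept in their defanged form.
DEFANGED_IOCS = {
    "ip": ["85.209.134[.]137", "166.88.159[.]37", "78.47.105[.]28",
           "159.69.26[.]61", "78.47.101[.]48"],
    "domain": ["ai-nude[.]ai", "easynude[.]website", "ai-nude[.]pro",
               "trial-uploader[.]store"],
    "md5": ["ff25441b7631d64afefdb818cfcceec7"],
    "sha256": ["7e5d91f73e89a997a7caa6b111bbd0f9788aa707ebf6b7cbe2ad2c01dffdc15d"],
    "filename": ["LexisNexis.msix", "225.zip", "225.exe"],
}

# Constructed sample telemetry for this example; not taken from the report.
SAMPLE_LOGS = [
    "2024-09-12T10:01:02Z proxy user=jdoe GET http://78.47.101.48/manual/225/225.zip 200",
    "2024-09-12T10:01:09Z dns query=ai-nude.ai answer=85.209.134.137",
    "2024-09-12T10:02:30Z edr file_created path=C:\\Users\\jdoe\\Downloads\\LexisNexis.msix "
    "md5=FF25441B7631D64AFEFDB818CFCCEEC7",
    "2024-09-12T10:03:00Z proxy user=asmith GET https://example.com/index.html 200",
]

def refang(indicator: str) -> str:
    """Undo common defanging so the value compares against raw log text."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))

def build_matcher() -> dict:
    """Refang every indicator and lower-case it for case-insensitive matching."""
    return {kind: {refang(v).lower() for v in vals} for kind, vals in DEFANGED_IOCS.items()}

def scan_line(line: str, iocs: dict) -> list:
    """Return (kind, value) for each indicator found in one log line."""
    low = line.lower()
    hits = []
    for kind, values in iocs.items():
        for v in values:
            # Boundaries keep 78.47.105.28 from matching inside 78.47.105.281,
            # while still matching a host that appears after "=" or "/".
            if re.search(r"(?<![\w-])" + re.escape(v) + r"(?![\w-])", low):
                hits.append((kind, v))
    return hits

def scan_logs(lines, iocs: dict) -> list:
    """Return (line_number, (kind, value)) for every hit across all lines."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line, iocs)]
```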

Read more: https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/