
EvilAI malware campaign exploits AI-generated code to breach global critical sectors

Trend Micro reports that EvilAI operators are leveraging AI-generated code and social engineering in a rapidly expanding campaign. The group disguises malware as legitimate applications to bypass security, steal credentials, and maintain persistent access to targeted organizations. Telemetry shows EvilAI infections across the globe, with the highest concentration in Europe, the Americas, and the AMEA region. The campaign has primarily affected organizations in manufacturing, government and public services, and healthcare.

Trend Micro notes that the malware employs multiple layers of code obfuscation to hinder analysis and evade detection, primarily control flow flattening. It encodes all function names and strings as Unicode escape sequences to conceal their purpose, uses meaningless variable names, and implements self-cleaning techniques that temporarily modify system objects and then erase all traces of the activity. Together these turn otherwise simple operations into puzzles that are extremely difficult for security tools to analyze statically.

The researchers also identified advanced anti-analysis techniques that significantly hinder static code analysis and make reverse engineering harder. The malware builds anti-analysis loops around MurmurHash3 32-bit hashing to produce control flow conditions that look unpredictable. Each loop converts its counter to a string, computes a hash from the counter value, the string length, and specific magic constants, and compares the result against a pre-calculated target value chosen to match only on the first iteration. To a static analysis tool the loop appears potentially infinite; in reality each loop executes exactly once.
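To make the one-shot loop concrete from the analyst's side, here is an added example (not code from the Trend Micro report or from the malware) that implements MurmurHash3 x86 32-bit and then resolves statically which counter value a hash-guarded loop exits on. The exact way the sample mixes the counter, the string length and its magic constants is not given on the page, so the model below (hash the counter's decimal string, with the magic constant as the seed, the length entering through the hash's own finalization) is an assumption; the seed value `0x9747b28c` is a constructed stand-in. The point it demonstrates is that once the seed and the embedded target are lifted from a sample, the "infinite" loop collapses to a fixed iteration count without executing the malware.

```go
package main

import (
	"fmt"
	"math/bits"
	"strconv"
)

// murmur3_32 is a plain implementation of MurmurHash3 (x86 variant, 32-bit
// output) over data with the given seed.
func murmur3_32(data []byte, seed uint32) uint32 {
	const c1, c2 = 0xcc9e2d51, 0x1b873593
	h := seed
	n := len(data)
	i := 0
	// Body: consume 4-byte little-endian blocks.
	for ; i+4 <= n; i += 4 {
		k := uint32(data[i]) | uint32(data[i+1])<<8 | uint32(data[i+2])<<16 | uint32(data[i+3])<<24
		k *= c1
		k = bits.RotateLeft32(k, 15)
		k *= c2
		h ^= k
		h = bits.RotateLeft32(h, 13)
		h = h*5 + 0xe6546b64
	}
	// Tail: up to 3 remaining bytes.
	var k uint32
	switch n - i {
	case 3:
		k ^= uint32(data[i+2]) << 16
		fallthrough
	case 2:
		k ^= uint32(data[i+1]) << 8
		fallthrough
	case 1:
		k ^= uint32(data[i])
		k *= c1
		k = bits.RotateLeft32(k, 15)
		k *= c2
		h ^= k
	}
	// Finalization: the input length is mixed in here.
	h ^= uint32(n)
	h ^= h >> 16
	h *= 0x85ebca6b
	h ^= h >> 13
	h *= 0xc2b2ae35
	h ^= h >> 16
	return h
}

// loopHash models the per-iteration check: the counter is converted to its
// decimal string and hashed with the loop's magic constant as the seed.
// This layout is an assumption for the example, not the sample's exact code.
func loopHash(counter int, magic uint32) uint32 {
	return murmur3_32([]byte(strconv.Itoa(counter)), magic)
}

// resolveLoop answers the static question an analyst asks of such a loop:
// which counter value satisfies the comparison against the embedded target?
// It returns the first match within limit iterations, or false if none.
func resolveLoop(magic, target uint32, limit int) (int, bool) {
	for i := 0; i < limit; i++ {
		if loopHash(i, magic) == target {
			return i, true
		}
	}
	return 0, false
}

func main() {
	magic := uint32(0x9747b28c)  // constructed stand-in for a lifted magic constant
	target := loopHash(0, magic) // stands in for the pre-calculated value in the code
	if i, ok := resolveLoop(magic, target, 1000000); ok {
		fmt.Printf("loop exits when counter == %d, i.e. body runs %d time(s) (target 0x%08x)\n", i, i+1, target)
	} else {
		fmt.Println("no counter below the limit matches; the loop would not terminate")
	}
}
```

In a real triage the seed and target come from the decoded script; feeding them to `resolveLoop` (or the equivalent in whatever emulation or symbolic tooling is in use) is what lets a deobfuscation pass replace the whole loop with its single-iteration body.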

Trend Micro identified that EvilAI employs AES-256-CBC encryption to secure JSON payloads sent to its C&C server, including session data such as activity status, progress identifiers, timestamps, and command responses. The encryption key is derived from the malware’s unique instance ID (UUID), and the data is further encoded with base64 before transmission.
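The following is an added example, not code from the report or from the malware, showing what a defender does with captured beacons of this shape once the instance UUID has been recovered from the infected host: decode the base64 layer, decrypt AES-256-CBC, strip padding and parse the JSON session record. The page does not say how the key is derived from the UUID or where the IV lives, so the choices here (key = SHA-256 of the UUID string, IV prepended to the ciphertext, PKCS#7 padding) are assumptions; `sealPayload` exists only to construct a sample message, and the UUID and IV values are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// deriveKey models "key derived from the instance UUID" as SHA-256(uuid),
// which yields the 32 bytes AES-256 needs. Assumed derivation, not the sample's.
func deriveKey(uuid string) []byte {
	sum := sha256.Sum256([]byte(uuid))
	return sum[:]
}

func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates padding strictly; with the wrong key the decrypted
// tail is random and almost always fails here.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("plaintext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// sealPayload builds a beacon in the assumed wire format:
// base64( iv || AES-256-CBC(key, iv, pkcs7(json)) ). Used only to construct
// a reproducible sample for the decoder below.
func sealPayload(uuid string, iv []byte, session map[string]interface{}) (string, error) {
	if len(iv) != aes.BlockSize {
		return "", errors.New("iv must be 16 bytes")
	}
	plain, err := json.Marshal(session)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(deriveKey(uuid))
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(plain, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...)), nil
}

// openPayload is the analyst side: base64 decode, split off the IV, decrypt,
// strip padding, parse JSON. Any failure is reported rather than guessed at.
func openPayload(uuid string, b64 string) (map[string]interface{}, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("message too short or not block-aligned")
	}
	block, err := aes.NewCipher(deriveKey(uuid))
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return nil, fmt.Errorf("padding check failed (wrong UUID?): %w", err)
	}
	var session map[string]interface{}
	if err := json.Unmarshal(pt, &session); err != nil {
		return nil, fmt.Errorf("decrypted bytes are not JSON (wrong UUID?): %w", err)
	}
	return session, nil
}

func main() {
	uuid := "00000000-0000-4000-8000-000000000000" // constructed placeholder instance ID
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize) // fixed so the sample is reproducible
	sample, _ := sealPayload(uuid, iv, map[string]interface{}{
		"status": "active", "progress": "p-0001", "ts": 1700000000, // constructed session fields
	})
	session, err := openPayload(uuid, sample)
	fmt.Println("decoded:", session, err)
	_, err = openPayload("not-the-right-uuid", sample)
	fmt.Println("wrong key:", err)
}
```

The useful property for detection engineering is the failure path: because the key is per-infection, a captured beacon is only readable with the UUID from the same host, so collecting that identifier during forensic triage is what makes retrospective decryption of network captures possible.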

To read the complete article see: EvilAI malware campaign exploits AI-generated code to breach global critical sectors

This post is licensed under CC BY 4.0 by the author.