EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks (www.trendmicro.com)

🤖 AI Summary
Security researchers at Trend Micro have uncovered "EvilAI", a global malware campaign that uses AI-generated code and professionally crafted fake apps (e.g., JustAskJacky, PDF Editor, Recipe Lister) to bypass detection and maintain persistent access. The trojans present working UIs, abuse code-signing certificates issued to newly registered entities, and are distributed via imitation websites, malvertising and SEO manipulation. Telemetry from a short monitoring window shows rapid spread across regions, with the highest counts in India (74), the US (68) and Europe (56), and disproportionate impact on manufacturing, government and healthcare.

The payload exfiltrates browser data and maintains AES-encrypted, real-time C2 channels to receive commands and deploy follow-on payloads. Technically, EvilAI bundles malicious JavaScript that is executed by a silently launched Node.js process (cmd.exe /c start…node.exe …[GUID]of.js), with payload files named by GUIDs ending in “or/ro/of”. Persistence is achieved via scheduled tasks (sys_component_health_{UID}), Start Menu shortcuts, and Run-key entries (PDFEditorUpdater). Operators use WMI/PowerShell to enumerate browser processes, and AI/LLMs were leveraged to write clean, scanner-evasive code that blends legitimate functionality with covert behavior.

For defenders and the AI/ML community this signals a turning point: generative models accelerate high-fidelity malware creation, raising the urgency of behavioral and runtime detection, stricter code-signing provenance, supply-chain vetting, and threat-hunting intelligence (Trend Vision One provides IOCs and hunting queries) to counter model-assisted adversaries.
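The execution and persistence indicators named above (the cmd.exe /c start … node.exe … [GUID]of.js launch, GUID-named payload files with an or/ro/of suffix, the sys_component_health_ scheduled task, the PDFEditorUpdater Run value, and WMI/PowerShell browser-process enumeration) translate directly into a small detection pass over endpoint telemetry. The Python below is an added example written for this page; it is not code from the Trend Micro post or from Trend Vision One. It runs the patterns over a handful of constructed Sysmon-style events (process creation, registry value set, scheduled-task creation, file creation). Several details are assumptions of mine rather than facts from the page: the payload name is taken to be a dash-form GUID with the two-letter suffix appended directly (e.g. <GUID>of.js), the exact quoting of the cmd.exe command line is made up, the event field names follow Sysmon conventions, and the browser-enumeration rule is a heuristic, not an indicator the page states.

```python
import re

# ASSUMPTION: dash-form GUID, 8-4-4-4-12 hex groups, matched case-insensitively.
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"

# Silent Node.js launch: cmd.exe /c start ... node.exe ... <GUID>of.js
NODE_LAUNCH = re.compile(
    r"cmd\.exe\s+/c\s+start\b.*?\bnode\.exe\b.*?" + GUID + r"(?:or|ro|of)\.js\b",
    re.I,
)
# Payload files named by a GUID ending in or/ro/of; extension left optional
# because the page only shows the .js case (assumption).
GUID_PAYLOAD = re.compile(r"\b" + GUID + r"(?:or|ro|of)(?:\.\w+)?\b", re.I)
# Run-key persistence value named PDFEditorUpdater (HKCU or HKU hive).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\PDFEditorUpdater$", re.I)
# Scheduled task prefix; the {UID} part is unknown so only the prefix is matched.
TASK_PREFIX = "sys_component_health_"
# Heuristic (assumption): PowerShell/WMIC listing processes and naming browsers.
PS_IMAGES = {"powershell.exe", "pwsh.exe", "wmic.exe"}
BROWSER_ENUM = re.compile(
    r"(?=.*(?:Win32_Process|Get-Process|wmic\s+process))"
    r"(?=.*(?:chrome|msedge|firefox|brave)\.exe)",
    re.I | re.S,
)


def scan(events):
    """Return (event_index, rule_name) pairs for every rule an event trips."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("EventType")
        cmd = ev.get("CommandLine", "")
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if kind == "ProcessCreate":
            if NODE_LAUNCH.search(cmd):
                hits.append((i, "node_launch"))
            if image in PS_IMAGES and BROWSER_ENUM.search(cmd):
                hits.append((i, "browser_enum"))
        elif kind == "RegistryValueSet":
            if RUN_KEY.search(ev.get("TargetObject", "")):
                hits.append((i, "run_key"))
        elif kind == "TaskCreate":
            if ev.get("TaskName", "").lstrip("\\").lower().startswith(TASK_PREFIX):
                hits.append((i, "sched_task"))
        # A GUID-named payload can show up in any path-bearing field.
        for field in ("CommandLine", "TargetFilename", "TargetObject"):
            if GUID_PAYLOAD.search(ev.get(field, "")):
                hits.append((i, "guid_payload"))
                break
    return hits


# Constructed sample telemetry (not captured data). Indices 0-4 are malicious
# by design; 5 and 6 are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" "C:\Users\alice\AppData\Local\PDF Editor\node.exe" '
                    r'"C:\Users\alice\AppData\Local\PDF Editor\1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5dof.js"'},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater"},
    {"EventType": "TaskCreate", "TaskName": r"\sys_component_health_7f3a9c2e"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"Get-CimInstance Win32_Process | "
                    "Where-Object { $_.Name -in 'chrome.exe','msedge.exe','firefox.exe' }\""},
    {"EventType": "FileCreate",
     "TargetFilename": r"C:\Users\alice\AppData\Local\PDF Editor\a0b1c2d3-e4f5-4a6b-8c7d-9e0f1a2b3c4dor.js"},
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule is deliberately narrow (exact Run value name, task-name prefix, GUID-plus-suffix file name) so it can be dropped into a SIEM as-is; the browser-enumeration heuristic is the one rule that will need tuning against legitimate admin tooling in a given environment.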