According to recent security research, cybercriminals are taking advantage of the growing demand for artificial intelligence solutions by disguising ransomware within legitimate AI business tools.
This new threat specifically targets small businesses and entrepreneurs looking to integrate AI capabilities into their businesses, creating a dangerous intersection between innovation adoption and cyber threats.
The sophisticated campaign discovered by security researchers includes malware hidden behind software packages that mimic popular services such as ChatGPT, Nova Leads, and InVideo AI.
These attacks pose a dual threat by not only damaging sensitive business data and financial assets, but also by impairing confidence in legitimate AI market solutions and potentially slowing down business adoption of beneficial technologies.
Malwarebytes analysts identified several different attack patterns within these campaigns, revealing the calculated nature of these operations.
The threat actors show a degree of sophistication in their approach, using search engine optimization (SEO) poisoning so that malicious websites rank prominently in relevant search results and are more likely to deceive unsuspecting victims.
In one notable case, cybercriminals created a counterfeit website that was very similar to Nova Leads, a legitimate lead monetization service, offering fake “Nova Lead AI” products with 12 months of free access.
When users downloaded the software, the CyberLock ransomware was deployed instead, demanding $50,000 in cryptocurrency, whilst falsely claiming that payments would support humanitarian causes in Palestine, Ukraine and other regions.
Similarly, the attacker distributed the Lucky_Gh0$t ransomware via a file labeled “CHATGPT 4.0 Full Version – Premium.exe.”
Infection mechanism analysis
The technical implementation of these attacks reveals sophisticated social engineering combined with advanced evasion techniques.
The fake ChatGPT installer specifically illustrates this complexity by incorporating real Microsoft AI tools into malicious packages and creating hybrid executables that can bypass traditional antivirus detection methods.
This approach allows the ransomware to appear legitimate during the initial security scan and to establish persistence, and it highlights the growing refinement of modern ransomware distribution mechanisms.