FIN7 Hackers use fake AI nude generators to spread malware

Hackers take up new tactics that work

FIN7 hackers set up fake AI nude generators

A well-known hacking group called FIN7 is using fake websites that pretend to offer AI-generated nude images. Instead of providing these images, the sites install malware on visitors' computers. This new method targets people interested in deepfake technology, putting both individuals and organizations at risk.

FIN7 is a Russian hacking group active since at least 2013.[1] They are known for financial crimes and have links to ransomware groups like DarkSide and BlackCat. Their latest tactic involves setting up fake websites that claim to generate nude images using artificial intelligence.

According to Silent Push security researchers,[2] these sites are designed to look legitimate and often appear high in search results due to aggressive promotion techniques. They attract users who are curious about deepfake technology, even though such technology can be controversial and harmful.

By exploiting current trends and interests, FIN7 shows its ability to adapt and find new ways to distribute malware. Their approach uses social engineering to trick users into downloading malicious software.

How the fake AI nude sites work

The fraudulent websites (examples include nude-ai[.]pro and iNude[.]ai) invite users to upload photos so that the supposed AI technology can turn them into nude images. After the user uploads a photo, the site claims the image is ready but asks the user to download it, often under the pretext of a free trial or personal-use agreement.

When users click to download, they are redirected to another site or given a link to a file hosting service like Dropbox. The downloaded file is usually a password-protected archive, which might seem more secure to the user.

However, instead of containing the promised image, the archive holds malware. When the user extracts and runs the file, they unknowingly install malicious software on their computer. This method takes advantage of the user's trust and desire for the content.
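The chain described above leaves a recognizable footprint in web proxy logs: a visit to one of the lure domains, followed shortly by a download of an archive from a file-hosting service, often with the lure site as the HTTP referer. The following is an added detection sketch written for this article; it is not code from the article, from Silent Push or from FIN7 tooling. The log line format (`<epoch> <user> <url> <referer>`), the 10-minute correlation window, the archive extensions and the constructed sample log are all assumptions; the lure domains are the two named in the article (written there in defanged form), and Dropbox is the file host the article mentions.

```python
"""Flag proxy sessions matching the lure-site -> archive-download pattern.

Added example for this article (assumed log format, constructed sample data).
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Lure domains named in the article (the article writes them defanged).
LURE_DOMAINS = {"nude-ai.pro", "inude.ai"}
# File-hosting services used for the second stage. Dropbox is named in the
# article; the dropboxusercontent.com download host is an assumption.
FILE_HOSTS = {"dropbox.com", "dropboxusercontent.com"}
# Archive types a password-protected payload would typically arrive in (assumed).
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
# Seconds within which a download after a lure visit is correlated (assumed).
WINDOW_SECONDS = 600


@dataclass
class Event:
    ts: int
    user: str
    host: str
    path: str
    referer: str


def base_domain(host: str) -> str:
    """Reduce 'www.dropbox.com' to 'dropbox.com' (good enough for this sketch)."""
    return ".".join(host.lower().split(".")[-2:])


def parse_line(line: str) -> Event:
    """Parse an assumed proxy log line: '<epoch> <user> <url> <referer|->'."""
    ts, user, url, referer = line.split()
    u = urlparse(url)
    return Event(int(ts), user, u.hostname or "", u.path, referer)


def find_lure_chains(lines, window: int = WINDOW_SECONDS):
    """Return one alert per archive download attributable to a lure visit.

    A download is attributed when the referer is a lure domain, or when the same
    user visited a lure domain within `window` seconds before the download.
    The log cannot show whether the archive is password protected; that has to
    be checked on the downloaded file itself.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    last_lure = {}  # user -> (timestamp, lure domain)
    alerts = []
    for e in events:
        domain = base_domain(e.host)
        if domain in LURE_DOMAINS:
            last_lure[e.user] = (e.ts, domain)
            continue
        if domain not in FILE_HOSTS or not e.path.lower().endswith(ARCHIVE_EXTS):
            continue
        ref_host = urlparse(e.referer).hostname if e.referer != "-" else None
        ref_domain = base_domain(ref_host) if ref_host else None
        lure = None
        if ref_domain in LURE_DOMAINS:
            lure = ref_domain
        elif e.user in last_lure and e.ts - last_lure[e.user][0] <= window:
            lure = last_lure[e.user][1]
        if lure:
            alerts.append({
                "user": e.user,
                "lure_domain": lure,
                "download_host": e.host,
                "filename": e.path.rsplit("/", 1)[-1],
            })
    return alerts


# Constructed sample log: alice follows the full chain; bob downloads an
# unrelated archive; carol visited a lure site but too long before her download.
SAMPLE_LOG = [
    "1000 alice https://nude-ai.pro/upload -",
    "1030 alice https://nude-ai.pro/result/ready -",
    "1040 alice https://www.dropbox.com/s/abc/AI_Nude_Result.zip?dl=1 https://nude-ai.pro/result/ready",
    "1100 bob https://www.dropbox.com/s/def/quarterly_report.zip -",
    "2000 carol https://inude.ai/start -",
    "2900 carol https://dl.dropboxusercontent.com/s/xyz/photo.zip -",
]

if __name__ == "__main__":
    for alert in find_lure_chains(SAMPLE_LOG):
        print(alert)
```

Only alice's session is flagged: the referer ties the Dropbox archive directly to the lure site. Carol's download falls outside the correlation window and carries no referer, which is the kind of case a production rule would want to tune against real traffic before trusting the window.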

Malware deployed through the scam

The malware delivered by these sites includes information-stealing programs like Lumma Stealer[3] and Redline Stealer. These malicious tools can collect sensitive data from the infected computer, such as saved passwords, browser cookies, and cryptocurrency wallet information.

In other cases the sites deliver a loader such as D3F@ck Loader, which downloads further malware or gives the attackers remote access to the system. The attackers have also used NetSupport RAT, a remote access trojan that lets them carry out actions on the infected computer.

The stolen information may be used for identity theft, unauthorized access to accounts, or sale on the dark web. This can result in large financial losses and breaches of privacy for the victims.

FIN7's broader threat and other campaigns

FIN7's use of fake AI nude generators is part of a larger pattern of sophisticated cyberattacks. The group has previously engaged in elaborate schemes, such as creating fake companies to recruit unsuspecting developers for their criminal activities.[4]

They have also distributed malware through fake browser extensions and websites that mimic well-known brands and services. These campaigns often use malvertising and black hat SEO to lure victims to their malicious sites.

If employees are tricked into downloading such malicious files, the organization is at risk of a compromise of its corporate network and, ultimately, a ransomware attack. FIN7's exploitation of the interest in AI-generated deepfake images highlights the need for caution when downloading software or giving out personal information online.

People should be skeptical of sites that seem too good to be true, especially if they require downloading a file from an unverified source. Protecting personal information and practicing safe online behavior are important steps in defending against this type of cyber threat.

About the author

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he serves as Editor-in-chief.
