A new malware campaign is using artificial intelligence to produce applications that look legitimate. The EvilAI malware family combines AI-generated code with conventional trojan techniques to get onto systems while staying unusually hard to spot.
The malware is distributed as seemingly useful productivity tools with names such as “Recipe Lister,” “Manual Finder,” and “PDF Editor.” These applications do perform the advertised function for the user while silently running malicious code in the background. Because the tool actually works, users have little reason to suspect it, and the malware has time to establish itself on the system before anyone looks for it.
Telemetry shows the campaign's reach: infections span multiple continents and hit critical sectors including manufacturing, government services, and healthcare. Europe reported the highest concentration of cases, followed by the Americas and the AMEA region. That this spread was observed within a single week of monitoring points to a fast-growing threat.
Security researchers found that EvilAI pairs social engineering with AI-generated code that looks clean to static analysis tools. Rather than impersonating existing software brands, the threat actors build entirely new applications, so there is no known product name or signature for traditional security solutions to key on, which makes detection considerably harder.
The infection chain begins when a user launches one of these fake applications, which starts a hidden Node.js process. To make removal harder, EvilAI establishes persistence in more than one way: it creates scheduled tasks whose names mimic legitimate Windows components, and it adds registry entries so that it runs every time the user logs on. For defenders, the practical check is to review scheduled tasks and Run keys for entries whose target is a Node.js runtime launched from a user-writable directory under a Windows-sounding name.
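The following script is an added example written for this article; it is not code from the EvilAI campaign or from the researchers who reported it. It applies the check described above to constructed sample rows shaped like the output of `schtasks /query /fo CSV /v` and `reg query ...\CurrentVersion\Run`. The task names, value names, paths and the `PDF Editor` / `ManualFinder` directory names are invented for illustration; the article does not publish the real ones. The heuristics (a Node.js image, a user-writable install path, a Windows-looking name whose image sits outside Windows or Program Files) are the editor's, and an entry is reported only when at least two of them fire, so a legitimate per-user install such as OneDrive in AppData is not flagged on its own.

```python
import re

# Constructed sample rows (not from the article and not from a real infection):
# the shape of what `schtasks /query /fo CSV /v` and
# `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` return.
# Names and paths are invented to look like Windows components.
SCHEDULED_TASKS = [
    {"TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "Task To Run": r"C:\Windows\System32\usoclient.exe StartScan"},
    {"TaskName": r"\Microsoft\Windows\WindowsUpdateCheck",
     "Task To Run": r'"C:\Users\alice\AppData\Local\Programs\PDF Editor\node.exe" '
                    r'"C:\Users\alice\AppData\Local\Programs\PDF Editor\resources\svc.js"'},
    {"TaskName": r"\Adobe Acrobat Update Task",
     "Task To Run": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'},
]
RUN_VALUES = [
    {"Name": "OneDrive",
     "Data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"Name": "WindowsSecurityHealth",
     "Data": r'"C:\Users\alice\AppData\Roaming\ManualFinder\node.exe" -e require(process.env.MF_ENTRY)'},
]

# Editor's heuristics (assumptions, not indicators published by the article).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_LOOKING = ("microsoft", "windows", "update", "security", "defender", "health")


def split_command(command: str) -> tuple[str, str]:
    """Split a Windows command line into (image, arguments).

    A quoted path is taken whole; otherwise the first whitespace-delimited
    token is treated as the image, which is how such entries are normally laid out.
    """
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', command, re.S)
    if not m:
        return "", ""
    return (m.group(1) or m.group(2)), m.group(3)


def assess(name: str, command: str) -> list[str]:
    """Return one human-readable reason per heuristic that fires for this entry."""
    image, args = split_command(command)
    low = image.lower()
    basename = low.rsplit("\\", 1)[-1]
    reasons = []
    # Node.js runtime as the launched image, or inline script evaluation flags.
    if basename in ("node.exe", "node") or re.search(r"(^|\s)(-e|--eval)(\s|$)", args):
        reasons.append("spawns a Node.js runtime")
    # Binaries that persist from user-writable locations need no admin rights to plant.
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    # A Windows-sounding name whose image is not where Windows keeps its own binaries.
    if any(h in name.lower() for h in SYSTEM_LOOKING) and not low.startswith(TRUSTED_ROOTS):
        reasons.append("Windows-looking name but image outside Windows or Program Files")
    return reasons


def hunt(tasks, run_values, min_reasons: int = 2):
    """Return (source, name, reasons) for entries with at least min_reasons hits."""
    findings = []
    for t in tasks:
        r = assess(t["TaskName"], t["Task To Run"])
        if len(r) >= min_reasons:
            findings.append(("schtasks", t["TaskName"], r))
    for v in run_values:
        r = assess(v["Name"], v["Data"])
        if len(r) >= min_reasons:
            findings.append(("HKCU\\...\\Run", v["Name"], r))
    return findings


if __name__ == "__main__":
    for source, name, reasons in hunt(SCHEDULED_TASKS, RUN_VALUES):
        print(f"[{source}] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the constructed data this reports the `WindowsUpdateCheck` task and the `WindowsSecurityHealth` Run value and leaves the genuine Update Orchestrator, Adobe and OneDrive entries alone. To use it on a live host, export the two sources to CSV and map the columns onto the dictionaries above; treat a hit as a lead to pull the referenced script file and process tree, not as a verdict.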
The malware also works to avoid detection. Its AI-generated code is written to look legitimate to automated tools. In addition, it uses anti-analysis loops that lead static analysis tools to conclude the code is stuck in an infinite loop, which pushes analysts toward dynamic analysis (running the sample in a sandbox or under a debugger), a slower and more resource-intensive process.