
FIN7 Gang hides malware in ‘Deepnude’ AI sites

A notoriously financially motivated threat group is luring its victims to a network of malware-trapped sites promising downloads of deepfake tools, according to a new report from Silent Push.

The security vendor claimed that Russia-based FIN7, which has been linked to several ransomware groups, hosts the malicious sites on multiple domains under the aiNude(.)ai “brand”.

They are designed to attract internet users looking to take advantage of deepfake “deepnude” tools to generate nude images from photos of individuals they upload.

FIN7 has created two versions of these so-called “honeypot” sites: one offering free downloads of a “Deepnude Generator” tool and the other offering a free trial.

Clicking on the “free download” offer will redirect the victim to a new domain with a Dropbox link or other source hosting a malicious payload, although the report does not specify exactly what this is.

If a victim clicks “free trial,” they will be prompted to download an image.

“If an image is uploaded, the user then receives an ‘Essay is ready to download’ message stating: ‘Access scientific material for personal use only.’ A corresponding pop-up window asks the user to answer the question ‘The image is uploaded. the link is for personal use only, do you agree?’,” explained Silent Push.

“If the user accepts and clicks ‘Download,’ they receive a zip file containing a malicious payload. This other FIN7 payload is a more classic Lumma Stealer and uses a DLL sideloading technique for execution.”

The vendor also observed FIN7 deploy Redline Stealer malware and D3F@ck malware-as-a-service loader through this campaign.

The group is believed to use SEO tactics to rank its Deepnude AI sites high in search listings.

Silent Push also revealed a second campaign run by FIN7, designed to covertly distribute NetSupport RAT malware through similar sites that force visitors to install a browser extension. The threat actors lure their victims to sites – which spoof well-known brands such as SAP Concur, Microsoft and Thomson Reuters – via malvertising.