May 19, 2023Ravi LakshmananArtificial Intelligence / Cyber ​​Threat

Malicious Google search ads for generative AI services such as OpenAI ChatGPT and Midjourney are used to lure users to sketchy websites as part of the BATLOADER campaign aimed at delivering the RedLine Stealer malware .

“Both AI services are very popular, but lack first-party standalone apps (i.e. users interface with ChatGPT through a web interface, Midjourney uses Discord),” says eSentire. Said in the analysis.

“This void is being exploited by attackers to entice people to create fake web pages promoting fake apps.”

BATLOADER is a loader malware that is propagated by drive-by downloads, where users searching for certain keywords in search engines are presented with fake ads that, when clicked, redirect to a malicious landing page that hosts the malware.

According to eSentire, the installer file includes an executable (ChatGPT.exe or Midjourney.exe) and a PowerShell script (Chat.ps1 or Chat-Ready.ps1) that downloads and loads RedLine Stealer from a remote server. is included.

Once installed, the binaries will use Microsoft Edge. WebView2 To load chat.openai[.]com or www.midjourney[.]com (the canonical ChatGPT and Midjourney URL) in a popup window to avoid red flags.


The attackers used ChatGPT and Midjourney-themed lures to serve malicious ads, ultimately dropping the RedLine Stealer malware, was also highlighted by Trend Micro last week.


This isn’t the first time the operators behind BATLOADER have taken advantage of the AI ​​craze to distribute malware. In March 2023, eSentire detailed a series of similar attacks deployed using ChatGPT lures. Vidal Steeler and Ursniff.

The cybersecurity firm also noted that Google search ad abuse has declined from its peak in early 2023, suggesting the tech giant is taking aggressive steps to curb its abuse.

upcoming webinars

Zero Trust + Deception: Learn How to Outsmart Attackers!

See how Deception can detect advanced threats, stop lateral movement, and strengthen your Zero Trust strategy. Join us for an insightful webinar!

Reserve your seat!

The findings were published weeks after Securonix not covered A phishing campaign dubbed OCX#HARVESTER targeted the cryptocurrency sector from December 2022 to March 2023. See more_Eggs (aka Golden Chickens) is a JavaScript downloader used to deliver additional payloads.

In January, eSentire tracked the identity of one of the leading malware-as-a-service (MaaS) operators, identifying an individual in Montreal, Canada.Then his second attacker associated with this group was Identified As a Romanian with the alias Jack.

Did you enjoy this article? Follow us twitter and LinkedIn To read more of the exclusive content we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog