“…for browsers, the attacker performed a series of registry queries to enumerate installed software, the majority of which were security and AV products (Figure 9). During this process, the attacker also attempted to discover uninstall strings or configuration settings present in…”
T1547.001 Registry Run Keys / Startup Folder
99%
“\ " c : \ windows \ system32 \ cmd. exe \ " / c start \ " \ " / min \ " % ^ localappdata ^ % \ programs \ nodejs \ node. exe \ " \ " % ^ localappdata ^ % \ temp \ { uid } or. js \ " " / sc daily / st 10 : 51 / ri 240 / du 24 : 00 / f " an associated scheduled task file was also i…”
T1053.005 Scheduled Task
99%
“…GUID suffix and end in two characters – commonly “or”, “ro”, or “of” – a pattern consistently observed both in our internal investigations and in samples identified from public repositories. While the legitimate application window operates in the foreground, this covert pro…”
T1588.003 Code Signing Certificates
91%
“" supplies documentation search features. this direct alignment between name and function helps dispel user suspicion and encourages engagement. to enhance credibility, attackers often abuse digital signatures and trusted certificates ( figure 1 ). some groups go so far as to obt…”
T1573.001 Symmetric Cryptography
91%
“…ence against network failures, allowing reliable communication with the C&C infrastructure. Data encryption/decryption function: EvilAI employs AES-256-CBC encryption to secure JSON payloads sent to its C&C server, including session data such as activity status, progre…”
T1027 Obfuscated Files or Information
81%
“…hash (using the counter value, string length, and specific magic constants), and then comparing the result to pre-calculated target values intended to match only on the first iteration. - This technique creates the appearance of potentially infinite loops to static analysis t…”
T1027 Obfuscated Files or Information
80%
“…\{user name}\AppData\Local\Google\Chrome\User Data\Default\Web Data sync - C:\Users\{user name}\AppData\Local\Google\Chrome\User Data\Default\Preferences sync Malicious JavaScript file analysis. Obfuscation techniques: the malware employs multi…”
T1518.001 Security Software Discovery
69%
“…\<user_sid>\Software\Microsoft\Windows\CurrentVersion\Run\pdfeditorupdater Use of WMI for process enumeration: the attacker utilized Windows Management Instrumentation (WMI) to determine if Microsoft Edge or Google Chrome was running on the system. By leveraging…”
T1047 Windows Management Instrumentation
68%
“…\<user_sid>\Software\Microsoft\Windows\CurrentVersion\Run\pdfeditorupdater Use of WMI for process enumeration: the attacker utilized Windows Management Instrumentation (WMI) to determine if Microsoft Edge or Google Chrome was running on the system. By leveraging…”
T1204.002 Malicious File
67%
“…) defenses. Infection flow: Trend’s internal telemetry has uncovered an attack chain where seemingly legitimate applications – often advertised and distributed through newly registered or imitation websites – are used as decoys to deliver malicious payloads (Figure 2). When us…”
T1059 Command and Scripting Interpreter
65%
“…SZ), and data content, forcibly overwriting existing values and returning numeric status codes to indicate success or failure (Figure 23). Conversely, the deletion routine constructs paths and executes reg delete via spawnSync with the /f force flag, removing specified values…”
T1012 Query Registry
53%
“…cmd.exe /d /s /c "reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\G Data Antivirus" /v "UninstallString"" C:\Windows\System32\cmd.exe /d /s /c "reg query "HKCU\Software\Zillya\Zillya Antivirus"" C:\W…”
T1112 Modify Registry
49%
“…cmd.exe /d /s /c "reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\G Data Antivirus" /v "UninstallString"" C:\Windows\System32\cmd.exe /d /s /c "reg query "HKCU\Software\Zillya\Zillya Antivirus"" C:\W…”
T1562.001
44%
“…cmd.exe /d /s /c "reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\G Data Antivirus" /v "UninstallString"" C:\Windows\System32\cmd.exe /d /s /c "reg query "HKCU\Software\Zillya\Zillya Antivirus"" C:\W…”
T1204.002 Malicious File
44%
“…i Browser - JustAskJacky - Manual Finder - One Start - PDF Editor - Recipe Lister - Tampered Chef. Widespread malware distribution: these malicious applications have been widely distributed online, often circulating for months before being identified as threats, enabling broad pe…”
T1071 Application Layer Protocol
42%
“…_config section that contains all the essential parameters required to establish and maintain communication with its C&C infrastructure (Figure 12). - domain - specifies the C&C server endpoint used for sending and receiving information - iid - acts as a unique instance id…”
T1105 Ingress Tool Transfer
40%
“…). The malware uses a high-level command processor that manages multiple downloads from C&C server commands (Figure 21). It processes arrays of download command objects, validates each command’s structure for required path and data fields, expands Windows environment vari…”
T1012 Query Registry
37%
“…\<user_sid>\Software\Microsoft\Windows\CurrentVersion\Run\pdfeditorupdater Use of WMI for process enumeration: the attacker utilized Windows Management Instrumentation (WMI) to determine if Microsoft Edge or Google Chrome was running on the system. By leveraging…”
T1059.007 JavaScript
35%
“…) defenses. Infection flow: Trend’s internal telemetry has uncovered an attack chain where seemingly legitimate applications – often advertised and distributed through newly registered or imitation websites – are used as decoys to deliver malicious payloads (Figure 2). When us…”
T1059.006 Python
30%
“…, providing full remote command execution capabilities under the control of the C&C server. EvilAI uses a file writing operations processor that manages arrays of file write commands received from the C&C server (Figure 26). Each command is validated to ensure it contains a…”
Summary
Combining AI-generated code and social engineering, EvilAI operators are executing a rapidly expanding campaign, disguising their malware as legitimate applications to bypass security, steal credentials, and persistently compromise organizations worldwide.