EvilAI Campaign Uses AI-Generated Code to Distribute Credential-Stealing Malware Globally
Trend Micro has uncovered EvilAI, an ongoing campaign where attackers use AI-generated code to build trojanized apps that steal credentials and maintain persistent access across critical sectors worldwide.

Trend Micro researchers have exposed a sophisticated malware campaign dubbed EvilAI, in which threat actors leverage AI-generated code to create convincing trojanized applications that steal credentials and establish persistent backdoors. Since monitoring began on August 29, the campaign has already infected systems across Europe, the Americas, and the AMEA region, with the highest impact in manufacturing, government, and healthcare sectors.
The attackers distribute the malware disguised as legitimate productivity and AI-enhanced tools, complete with professional-looking interfaces and valid digital signatures. A valid code-signing signature only proves that the publisher obtained a certificate; it is not evidence that the signed binary is benign, so signature checks alone will not catch these installers. Application names such as "App Suite," "Epi Browser," "JustAskJacky," "Manual Finder," "One Start," "PDF Editor," "Recipe Lister," and "Tampered Chef" are chosen to look authentic. The applications are hosted on newly registered websites that mimic vendor portals or technology solution pages, and are promoted through malicious advertisements, SEO manipulation, and download links posted on social media.
Once installed, the malware exfiltrates sensitive browser data and maintains real-time, AES-encrypted communication with its command-and-control servers, through which the attackers issue commands and deploy additional payloads. AI-assisted development lets the threat actors regenerate and modify payloads quickly, which undermines detection that relies on static signatures and shifts the defensive burden toward behavioral indicators.
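As an added illustration of what a behavioral check for this kind of activity looks like (this is example code written for this article, not Trend Micro's detection logic and not the EvilAI code), the following Python script scans constructed Sysmon-style file-access and network events and flags any process that is not a browser yet reads a browser credential or cookie store and then opens an outbound connection within a short window. The single-line event format, the process and path names, the destination addresses and the 60-second window are all assumptions made for the example; the credential-store paths are the standard Chromium and Firefox profile locations.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Standard locations of browser credential and cookie stores (Chromium family and
# Firefox). These are well-known profile paths, not indicators from the report.
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE),
    re.compile(r"\\User Data\\[^\\]+\\Network\\Cookies$", re.IGNORECASE),
    re.compile(r"\\User Data\\[^\\]+\\Web Data$", re.IGNORECASE),
    re.compile(r"\\Profiles\\[^\\]+\\logins\.json$", re.IGNORECASE),
]

# Processes that legitimately read those files (assumed allow-list).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}

# Assumed log format, one event per line:
#   <unix_ts> <file|net> pid=<pid> image=<exe path> target=<file path or ip:port>
EVENT_RE = re.compile(
    r"^(?P<ts>\d+) (?P<kind>file|net) pid=(?P<pid>\d+) image=(?P<image>.+?) target=(?P<target>.+)$"
)


@dataclass
class Event:
    ts: int
    kind: str
    pid: int
    image: str   # executable file name, lower-cased
    target: str  # file path for "file" events, ip:port for "net" events


def parse_event(line: str):
    """Parse one log line; returns None for blank or malformed lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=int(m["ts"]),
        kind=m["kind"],
        pid=int(m["pid"]),
        image=ntpath.basename(m["image"]).lower(),
        target=m["target"],
    )


def is_credential_store(path: str) -> bool:
    return any(p.search(path) for p in CREDENTIAL_STORE_PATTERNS)


def detect(lines, window_seconds: int = 60):
    """Return one alert per network event whose process (not a browser) read a
    browser credential store at most window_seconds earlier."""
    events = [e for e in map(parse_event, lines) if e is not None]
    suspicious_reads = defaultdict(list)  # pid -> credential-store reads seen so far
    alerts = []
    for e in events:  # events are assumed to be in timestamp order
        if e.kind == "file" and e.image not in BROWSER_IMAGES and is_credential_store(e.target):
            suspicious_reads[e.pid].append(e)
        elif e.kind == "net":
            for r in suspicious_reads.get(e.pid, []):
                if 0 <= e.ts - r.ts <= window_seconds:
                    alerts.append({"pid": e.pid, "image": e.image, "store": r.target,
                                   "dest": e.target, "ts": e.ts})
                    break
    return alerts


# Constructed sample log: the browser itself reading its store is normal; an
# unrelated user-profile executable doing so and then calling out is not.
SAMPLE_LOG = r"""
1000 file pid=4120 image=C:\Program Files\Google\Chrome\Application\chrome.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
1005 file pid=5312 image=C:\Users\alice\AppData\Local\Programs\ExampleSuite\suite.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
1009 file pid=5312 image=C:\Users\alice\AppData\Local\Programs\ExampleSuite\suite.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
1020 net pid=5312 image=C:\Users\alice\AppData\Local\Programs\ExampleSuite\suite.exe target=203.0.113.10:443
1100 net pid=4120 image=C:\Program Files\Google\Chrome\Application\chrome.exe target=198.51.100.7:443
2000 file pid=6000 image=C:\Windows\System32\SearchIndexer.exe target=C:\Users\alice\Documents\notes.txt
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rule keys on process identity rather than on any hash or domain, so it survives the payload churn the paragraph describes; the trade-off is that backup agents or password managers that legitimately read these files need to be added to the allow-list, and an attacker that copies the store with a different process or waits longer than the window before calling out will fall outside it.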
Victimology data reveals a global footprint. Europe reported 56 incidents, while the Americas and AMEA each recorded 29. Counted per country, India leads with 74 cases, followed by the United States (68), France (58), Italy (31), Brazil (26), Germany (23), the United Kingdom (14), Norway (10), Spain (10), and Canada (8). Targeting is indiscriminate, spanning critical infrastructure and other sectors: manufacturing (58 cases), government/public services (51), healthcare (48), technology (43), retail (31), education (27), financial services (22), construction (20), non-profit (19), and utilities (9).
The sophistication and adaptability observed suggest a highly capable threat actor. By mimicking real software with convincing utility features, the trojans gain persistent access before raising suspicion. Trend Micro notes that the blurring line between authentic and deceptive software highlights mounting challenges for defenders. The company is tracking this malware family as EvilAI and provides detection and blocking capabilities through Trend Vision One, along with threat hunting queries and intelligence reports for proactive defense.
This campaign underscores a broader trend of adversaries incorporating AI into their toolchains. As AI-generated code becomes more accessible, the barrier to producing convincing, evasive malware falls. The rapid global spread of EvilAI within a single week of monitoring suggests that similar campaigns will become more frequent, and that defenders will need AI-assisted detection and behavioral analysis, rather than static signatures alone, to keep pace.