In a troubling trend within the cybersecurity landscape, threat actors have recently capitalized on the popularity of artificial intelligence, deploying fake AI video and image generators that infect both Windows and macOS systems with information-stealing malware. The malware, known as Lumma Stealer for Windows and AMOS for macOS, relentlessly targets sensitive user information, including login credentials and cryptocurrency wallets, creating additional risks for individuals and organizations alike.
Cybersecurity researcher g0njxa has uncovered that these fraudulent sites impersonate an AI video and image editing tool branded as EditPro. Over the past month, cybercriminals have developed these deceptive websites, cleverly promoted through search results and advertisements on social media platforms, including X. These campaigns have included enticing content featuring deepfake political videos, showcasing fabricated scenarios such as President Biden and Trump sharing ice cream, luring users into clicking for more information.
Upon clicking these eye-catching images, users are redirected to fake web portals for an application purportedly called EditProAI. Notable URLs include editproai[.]pro for Windows malware and editproai[.]org for macOS variants, both appearing professional and credible. In a clever design choice that mimics legitimate websites, these platforms feature the ubiquitous cookie consent banner, adding an air of authenticity to their façade.
However, the malicious intent becomes evident when the unsuspecting users click the “Get Now” buttons, which trigger the download of executable files masquerading as the legitimate EditProAI application. For Windows users, the downloaded file is labeled “Edit-ProAI-Setup-newest_release.exe” while macOS users are led to download “EditProAi_v.4.36.dmg”. Alarmingly, the Windows variant is signed with what appears to be a stolen code signing certificate from Softwareok.com, a known freeware utility developer, misusing trusted credentials to further deceive users.
Once deployed, the Lumma Stealer malware reports to a dedicated control panel at proai[.]club/panelgood/, to which it exfiltrates the stolen data. Recent AnyRun sandbox reports indicate that the Windows variant executed as expected, confirming the risk it poses to victims.
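For defenders who want to check their own telemetry against the indicators named above, the following is an added example (not code from the article, the researcher, or any vendor): a small Python matcher that refangs the published domains and scans proxy and DNS log lines for the domains, the two dropper filenames, and the control-panel path, then lists the hosts that touched them. The log lines are constructed sample data, and the `host=` field format is an assumption about the log layout.

```python
import re

# Indicators as published in the article, kept defanged ("[.]") in the list
# so the file can be shared without creating live links.
IOC_DOMAINS = ["editproai[.]pro", "editproai[.]org", "proai[.]club"]
IOC_FILENAMES = ["Edit-ProAI-Setup-newest_release.exe", "EditProAi_v.4.36.dmg"]
IOC_URL_PATHS = ["/panelgood/"]

# Constructed sample log lines; the "host=" key is an assumed layout.
SAMPLE_LOGS = [
    "2024-11-19T10:02:11Z dns query host=WS-017 qname=editproai.pro type=A",
    "2024-11-19T10:02:14Z proxy host=WS-017 method=GET "
    "url=https://editproai.pro/download/Edit-ProAI-Setup-newest_release.exe status=200",
    "2024-11-19T10:05:40Z proxy host=WS-017 method=POST "
    "url=http://proai.club/panelgood/ status=200 bytes_out=48213",
    "2024-11-19T10:06:02Z dns query host=MAC-003 qname=editproai.org type=A",
    "2024-11-19T10:07:30Z proxy host=WS-022 method=GET "
    "url=https://www.example.com/index.html status=200",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def scan_line(line: str) -> list:
    """Return (indicator_type, indicator) pairs found in one log line."""
    hits = []
    lower = line.lower()
    for d in IOC_DOMAINS:
        dom = refang(d).lower()
        # Match the domain as a whole token so "proai.club" does not fire on
        # an unrelated host such as "notproai.club" or "proai.club.example".
        if re.search(r"(?<![\w.-])" + re.escape(dom) + r"(?![\w-])", lower):
            hits.append(("domain", d))
    for f in IOC_FILENAMES:
        if f.lower() in lower:
            hits.append(("filename", f))
    for p in IOC_URL_PATHS:
        if p.lower() in lower:
            hits.append(("url_path", p))
    return hits


def scan_logs(lines) -> list:
    """Scan every line; return findings with the originating host when present."""
    findings = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            host = re.search(r"host=(\S+)", line)
            findings.append(
                {"host": host.group(1) if host else None,
                 "line": line,
                 "indicators": hits}
            )
    return findings


def affected_hosts(lines) -> list:
    """Sorted, de-duplicated list of hosts with at least one indicator hit."""
    return sorted({f["host"] for f in scan_logs(lines) if f["host"]})


if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding["host"], finding["indicators"])
    print("hosts to triage:", affected_hosts(SAMPLE_LOGS))
```

Any host that resolved one of the domains or fetched one of the droppers is a candidate for the credential-reset steps the article recommends; a POST to the `/panelgood/` path is the stronger signal, since it indicates the stealer already ran and exfiltrated data.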
In light of these developments, experts strongly advise anyone who may have downloaded the suspected applications to treat their saved passwords, cryptocurrency wallets, and authentication credentials as compromised. Immediate action is recommended: users should reset their passwords on every account, using a unique password for each service. Enabling multi-factor authentication on critical accounts, such as those for online banking, email, and cryptocurrency exchanges, adds a further layer of protection against unauthorized access.
The rise of information-stealing malware like Lumma Stealer and AMOS paints a concerning picture of the current cybersecurity environment. The growing prevalence of such digital attacks underscores the extensive measures threat actors are willing to employ, launching sweeping global operations to extract credentials and authentication tokens from unwitting users. Recent trends have seen other malware campaigns employing tactics such as targeting zero-day vulnerabilities, crafting fake fixes for GitHub issues, and even offering deceptive responses on platforms like StackOverflow.
As stolen credentials continue to fuel breaches of corporate networks and data theft incidents, as seen in recent large-scale breaches such as the SnowFlake incident, the consequences of such malware deployments reach far beyond individual users. The disruptive effects of corrupted network routing information and unauthorized data manipulation further highlight the urgency of heightened cybersecurity awareness.
As individuals increasingly rely on digital services, robust cybersecurity measures are more critical than ever. Remaining vigilant against potential threats and adopting comprehensive protective strategies can help users navigate an environment rife with deception and vulnerability.