Mayura Kathir
2025-09-12 08:34:00
gbhackers.com
EvilAI, a new malware family tracked by Trend™ Research, has emerged in recent weeks disguised as legitimate AI-driven utilities.
These trojans sport professional user interfaces, valid code signatures, and functional features, allowing them to slip past both corporate and personal defenses undetected.
Leveraging lightweight installers and AI-generated code, EvilAI rapidly establishes persistent footholds while masquerading as productivity or AI-assist applications.
Trend™ Research began tracking EvilAI on August 29 and documented a global wave of infections within just one week. Europe leads with 56 reported incidents, followed by 29 each in the Americas and AMEA regions (Table 1).
Top affected countries include India (74), the United States (68), and France (58). This broad footprint underscores EvilAI’s indiscriminate targeting and sophisticated distribution tactics, suggesting a well-resourced threat actor behind the campaign.
Table 1. Top Regions by EvilAI Detections

| Region | Count |
|---|---|
| Europe | 56 |
| Americas | 29 |
| AMEA | 29 |

Table 2. Top Countries by EvilAI Detections

| Country | Count |
|---|---|
| India | 74 |
| United States | 68 |
| France | 58 |
| Italy | 31 |
| Brazil | 26 |
| Germany | 23 |
| United Kingdom | 14 |
| Norway | 10 |
| Spain | 10 |
| Canada | 8 |

Table 3. Top Industries by EvilAI Detections

| Industry | Count |
|---|---|
| Manufacturing | 58 |
| Government | 51 |
| Healthcare | 48 |
| Technology | 43 |
| Retail | 31 |
| Education | 27 |
| Financial Services | 22 |
| Construction | 20 |
| Non-profit | 19 |
| Utilities | 9 |
Trojan Masquerade and Persistence
EvilAI installers adopt generic yet plausible names—such as App Suite, PDF Editor, and JustAskJacky—avoiding direct imitation of known brands to reduce suspicion.
Distribution occurs via newly registered spoof domains, malicious advertisements, and manipulated forum links.

Once launched, the applications deliver genuine functionality—document handling, recipe management, or AI chat—while silently deploying a Node.js–based payload.
The installer drops an obfuscated JavaScript file (with a GUID-based name suffix) into the Temp directory and launches it via a minimized node.exe process.
Persistence is achieved through multiple mechanisms: a scheduled Windows task disguised as a system component, a shortcut in the Start Menu, and a Run-key registry entry.
The scheduled task, named sys_component_health_{UID}, executes the malware every four hours, while the Run key ensures execution on logon. This multi-pronged approach guarantees EvilAI’s survival across reboots and user sessions.
EvilAI’s codebase is generated with large language models, producing clean, modular JavaScript that evades static signature scanners.
Complex obfuscation—control flow flattening with MurmurHash3 loops and Unicode-encoded strings—thwarts analysis.
The malware establishes persistence by creating a scheduled task named sys_component_health_{UID}, disguised to look like a legitimate Windows process.

The malware further leverages WMI and registry queries to detect running Chrome and Edge processes, then forcefully terminates them to free handles for credential theft.
Sensitive browser data files—Web Data and Preferences—are duplicated with “Sync” suffixes in their original profile paths. These copies are later exfiltrated via encrypted HTTPS POSTs to the command-and-control (C&C) server.
C&C communication uses AES-256-CBC encryption with a session key derived from a unique instance ID. The malware continuously polls the server for commands, enabling dynamic payload delivery, registry modifications, and remote process execution.
Defending Against EvilAI
Defenders must combine rigorous cyber hygiene with advanced, AI-aware protections. Only trusted sources should be used for software installs, and code-signing certificates warrant scrutiny—even those from newly established entities.
Behavioral analytics and real-time monitoring can catch anomalous Node.js launches, unexpected scheduled tasks, and suspicious registry writes.
User training should emphasize that polished interfaces and valid signatures do not guarantee safety.
Finally, layered defenses—endpoint detection and response, network traffic analysis, and anomaly detection—are essential to counter threats that evolve through AI-driven innovation.
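A host-level hunt for the persistence and staging artifacts described above, written for this page as an added example and not code from the article or from Trend Research. The task-name prefix, the node.exe launch from Temp and the “Sync” file suffix come from the article; the function name, output shape and the wildcard spelling of the suffix are assumptions.

```powershell
# Added hunting script; not code from the article or from Trend Research.
# Checks one Windows host for the EvilAI artifacts the write-up describes.
# Function name, output shape and the wildcard form of the "Sync" suffix are
# assumptions; run from an elevated PowerShell session.
function Find-EvilAIArtifacts {
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($Type, $Where, $Detail) {
        $hits.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
    }

    # 1. Scheduled task disguised as a system component (sys_component_health_{UID}).
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'sys_component_health_*' } |
        ForEach-Object {
            $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Add-Hit 'ScheduledTask' $_.TaskName $cmd
        }

    # 2. Run-key values that launch node.exe with a script under a Temp directory.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'node\.exe' -and $p.Value -match '\\Temp\\') {
                Add-Hit 'RunKey' "$key\$($p.Name)" $p.Value
            }
        }
    }

    # 3. node.exe already running with a .js file from Temp on its command line.
    Get-CimInstance Win32_Process -Filter "Name = 'node.exe'" -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandLine -match '\\Temp\\.*\.js' } |
        ForEach-Object { Add-Hit 'Process' "PID $($_.ProcessId)" $_.CommandLine }

    # 4. Staged browser data: "Sync"-suffixed copies of Web Data / Preferences in
    #    Chrome and Edge profiles. Exact suffix spelling is not given, so review hits by hand.
    $roots = "$env:LOCALAPPDATA\Google\Chrome\User Data", "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include 'Web Data*Sync*', 'Preferences*Sync*' -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Hit 'StagedBrowserData' $_.FullName "$($_.Length) bytes, modified $($_.LastWriteTime)" }
    }
    return $hits
}

Find-EvilAIArtifacts | Format-Table -AutoSize
```

An empty result only means none of these four artifacts are present; pair the script with EDR telemetry on task creation and Run-key writes for coverage of variants that change names.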
As AI becomes weaponized, malware families like EvilAI will blur the line between legitimate and malicious software.
Organizations that embrace adaptive, intelligence-driven security postures will be best positioned to detect and disrupt these sophisticated campaigns before data exfiltration and persistent breaches can occur.