EvilAI malware infiltrates organizations wearing the mask of AI tools. Cyber attackers are using AI tools and seemingly legitimate software to covertly distribute malware against organizations worldwide. According to a Trend Micro report, the campaign is known as EvilAI and uses productivity or AI-enhanced tools to target various regions, including Europe, the Americas and the Asia, Middle East and Africa region. The manufacturing, government, healthcare, technology and retail sectors are among the most affected, while India, the US, France, Italy, Brazil, Germany, the UK, Norway, Spain and Canada show the highest infection rates. Security researchers describe the campaign as "highly capable" because the attackers are able to blur the line between genuine and deceptive software, hiding their malicious features inside functional applications. Some of the distributed applications include AppSuite, Epi Browser, JustAskJacky, Manual Finder, OneStart, PDF Editor, Recipe Lister and Tampered Chef. The campaign's end goal is to perform broad reconnaissance, steal sensitive browser data and establish encrypted, real-time communication with command-and-control (C2) servers over AES-encrypted channels. The malware uses several distribution methods, including newly registered websites that imitate vendor portals, malvertising, SEO manipulation and promotional download links on forums and social networks.
While everyone was discussing the NPM supply chain attack, what else happened? - @_CPResearch_ did some article on some nerd named PureCoder (???) who was doing some ClickFix malware campaign with fake job offers. They did some kind of campaign, compromised some place for a few days, or something. They found the builder and cryptor and some other stuff. New malware guy on the block doing malware and stuff - @Securelist did an article on RevengeHotel. They target hotels, and steal credit cards, etc. They're back again and using AI for phishing and malicious scripts. Claude and/or ChatGPT are helping Threat Actors I guess - PointWild (who doesn't have Xitter?) discovered a new Information Stealer named Raven. It's written in C and Delphi. - @proofpoint did some news on TA415 (China?) targeting the United States think tanks and universities. They're using Visual Studio dev tunnels, Google Calendars, and Google Sheets as a C2 - @Acronis discussed a new malware campaign that uses ClickFix and steganography together to be extra cool and badass. This malware campaign is in multiple languages or whatever. It just delivers an infostealer - @sekoia_io did a thing on APT28 (Russia?) and some new campaign Russia hacking thingy named "Phantom Net Voxel". They uncovered it when they looked at some stuff from the Ukraine government. It does a bunch of stuff and lands on BeardShell and SlimyAgent. - @GDATA released another paper on ManualFinder. They found some more malware campaigns, and deception, and blah blah blah. It's called AppSuite and OneStart. That's all in just 1 day. Smh yall gotta LOCK IN (it's like this everyday, everyday is an inescapable nightmare)
Excellent research by @SquiblydooBlog on the connection between AppSuite backdoor, OneStart and similar applications expel.com/blog/the-history-o… #OneStart #AppSuite

The iid was often not provided until weeks after infection. By now the C2 is down and nothing happens anymore. But OneStart is still up and running. It has code overlap with AppSuite.
Anyone who knows me will have heard my sermon on OneStart/OneLaunch/Wave at some point. Very vindicating to see an excellent analysis that firmly places it over the PUP or Malware line. Read more here: gdatasoftware.com/blog/2025/…

I confirmed the connection between #OneStart and #AppSuite. They use the very same iid schema, encryption algorithms and magic bytes for key derivation. In the image you see k3, which are magic bytes you will find in our AppSuite article too.
29 Aug 2025
Finally! Awesome discovery. Think you had a lot on your hands with AppSuite? Let me know how many systems you find with OneStart. You may be surprised. OneStart has been active for months, if not close to a year I think. I've only ever seen it flagged as a PUP.
29 Aug 2025
Replying to @struppigel
Currently discovered these, where the web pages are similar and directing to the same OneStart installer. Added to abuse.ch

Analysis is based on this OneStart sample: 9cd3a9c1713de832e1273f71c4b48b41b62bb454ece02f8ee53b813c34022661 From this article: todyl.com/blog/onestart-ai-b…

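The post above anchors its analysis on a single SHA-256. As an added example (this is not code from the post, from Todyl or from any of the researchers quoted here), the following script turns that hash into a minimal endpoint hunt: it walks a directory tree, hashes files in chunks and reports any file whose digest is in the IOC set. The directory layout, file names and file contents in `demo_scan()` are constructed for the demo and are not real OneStart artifacts; only `ONESTART_SHA256` comes from the page.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# SHA-256 of the OneStart sample quoted in the post above (the one value taken from the page).
ONESTART_SHA256 = "9cd3a9c1713de832e1273f71c4b48b41b62bb454ece02f8ee53b813c34022661"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(
    root: Path,
    ioc_hashes: Iterable[str],
    suffixes: Optional[Tuple[str, ...]] = None,
) -> List[Tuple[Path, str]]:
    """Walk `root` and return (path, sha256) for every file whose digest is in `ioc_hashes`.

    `suffixes` optionally restricts the scan (e.g. (".exe", ".msi")); None scans everything,
    which is the safer default because droppers are not always named like installers.
    Hash comparison is case-insensitive so copy-pasted upper-case IOCs still match.
    """
    wanted = {h.strip().lower() for h in ioc_hashes}
    hits: List[Tuple[Path, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if suffixes and p.suffix.lower() not in suffixes:
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                # Locked or unreadable file; a production hunt should log this rather than skip silently.
                continue
            if digest in wanted:
                hits.append((p, digest))
    return hits


def demo_scan() -> Tuple[int, int]:
    """Build a constructed directory tree and scan it twice.

    Returns (hits for the planted file's own hash, hits for the real OneStart hash).
    The second count is 0 because nothing in the demo tree is the actual sample.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stub, not malware: a PE-looking header followed by padding.
        planted = root / "Downloads" / "OneStart-installer.exe"  # constructed name, not a real IOC
        planted.parent.mkdir(parents=True)
        planted.write_bytes(b"MZ" + b"\x90" * 4096)
        (root / "notes.txt").write_text("benign file, constructed for the demo")

        planted_hash = hashlib.sha256(planted.read_bytes()).hexdigest()
        hits_planted = scan_for_iocs(root, {planted_hash.upper()})
        hits_real = scan_for_iocs(root, {ONESTART_SHA256})
        return len(hits_planted), len(hits_real)


if __name__ == "__main__":
    print(demo_scan())
```

In a real hunt, replace the constructed tree with user profile, Downloads and ProgramData roots across the fleet, and treat a hash hit as a starting point only: the same family ships many installers, so the AppSuite/OneStart indicators from the linked write-ups (iid schema, shared domains) belong in the same sweep.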
There is some stuff on OneStart incoming. I'm collaborating with some trying to put a lot of documentation together. The OneStart dev and the PDF Editors dev are ones I have years of visibility on. They end up being related, but more to come on that soon.
I checked OneStart and so far it looks different. Did not analyze enough yet for a verdict, though. Definitely needs its own analysis.
To be clear: I do not know if OneStart and AppSuites are connected in any way and whether OneStart is malicious. Everything I wrote is about AppSuites PDF Editor.

23 Aug 2025
About #Onestart's domains... maybe this could be helpful: VT graphs - red marked, and these are exactly designed to capture the context of onestart[ .]ai : virustotal.com/graph/embed/g… ; virustotal.com/graph/embed/g… ; virustotal.com/graph/embed/g… ; virustotal.com/graph/embed/g…

23 Aug 2025
A new song for I’Lani Edwards, he’s only had one start but we think he deserves it! *Hopefully we’re not getting ahead of ourselves here… #onestart #heonlyneedsonestart #COYW @HerefordFC @ilaniedwards
Reddit thread related to the ongoing manualfinder/onestart stuff.
More discussion around AppSuite-PDF, OneStart, PDF Editor, and ManualFinder's ads, websites, and code-signing certificates. Also glad to see a mention for @struppigel 's write up on JustAskJacky and other apps. Seems like there is still a lot to publish about all of this.
22 Aug 2025
⚠️ We’ve recently witnessed new activity in the realm of potentially unwanted programs (PUPs), which are dropping malware, executing commands, and turning your machine into someone else's proxy network. Read our ongoing investigation here:
22 Aug 2025
Replying to @WifiRumHam
Here's one: x.com/struppigel/status/1958… OneStart is mentioned in one of the subconvos in the thread. I can look it up later. On the phone now so a bit complex 😂

That fits
22 Aug 2025
Replying to @SecurityAura
Any direct references or links to the Wave/OneStart IOCs or direct correlation? I dug through the thread but not finding the breadcrumbs.