Cybersecurity researchers have uncovered a sophisticated malware campaign leveraging a fraudulent AI image generation service to distribute dangerous information-stealing malware. The operation targets both Windows and macOS users through fake websites impersonating “EditProAI,” deploying the notorious Lumma and AMOS infostealers to harvest sensitive user data.
Sophisticated Social Engineering and Distribution Tactics
Threat actors are orchestrating a widespread distribution campaign through search engine optimization (SEO) poisoning and social media manipulation, particularly on X (formerly Twitter). The attackers utilize politically charged deepfake content, including manipulated images of US presidents, to lure victims to malicious domains: editproai[.]pro targeting Windows users and editproai[.]org focusing on macOS systems.
Technical Analysis of the Malware Deployment
The malware is distributed as seemingly legitimate installer packages: Edit-ProAI-Setup-newest_release.exe for Windows and EditProAi_v.4.36.dmg for macOS. A particularly concerning aspect of this campaign is that the Windows installer is signed with a digital certificate stolen from Softwareok.com. A valid signature lowers detection rates by security products and makes the installer look trustworthy to users and to reputation-based checks, so it is more likely to be allowed to run. The practical caveat for defenders is that a signature proves only that the signer's private key was used, not that the file came from the publisher you intended to download from: verify that the signer name matches the vendor you expected, and treat a signature from an unrelated company as a red flag rather than as proof of legitimacy, even before the certificate is revoked.
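The two domains and two installer names above are the indicators the article publishes, so the first thing a responder will want is a sweep for them across proxy or DNS logs and an endpoint file inventory. The script below is an added example and not code from the article or from the researchers behind it; it refangs the published indicators, matches a host against a domain or any of its subdomains (but not a look-alike such as noteditproai.pro), matches the installer basename case-insensitively, and runs over constructed sample log lines and inventory records in an assumed `timestamp src_ip method url status` format.

```python
"""IOC sweep for the EditProAI lure: matches the published domains and installer
names against proxy/DNS log lines and an endpoint file inventory (added example)."""
from __future__ import annotations

import os
from typing import Optional
from urllib.parse import urlparse

# Indicators as published for this campaign (defanged, exactly as reported).
DEFANGED_DOMAINS = ("editproai[.]pro", "editproai[.]org")
INSTALLER_NAMES = ("Edit-ProAI-Setup-newest_release.exe", "EditProAi_v.4.36.dmg")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a usable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = tuple(refang(d) for d in DEFANGED_DOMAINS)
INSTALLER_LOWER = tuple(n.lower() for n in INSTALLER_NAMES)


def host_matches(host: str) -> Optional[str]:
    """Return the IOC domain if host is that domain or one of its subdomains."""
    h = host.lower().rstrip(".")
    for d in DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


def filename_matches(path: str) -> Optional[str]:
    """Case-insensitive match of the file's basename (Windows or POSIX path)
    against the lure installer names."""
    base = os.path.basename(path.replace("\\", "/")).lower()
    for name, lower in zip(INSTALLER_NAMES, INSTALLER_LOWER):
        if base == lower:
            return name
    return None


def scan_proxy_log(lines):
    """Each line: '<ts> <src_ip> <method> <url> <status>' (assumed format).
    Returns one hit per line that touched an IOC domain or fetched a lure installer."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, src, _method, url, _status = parts[:5]
        parsed = urlparse(url)
        dom = host_matches(parsed.hostname or "")
        fname = filename_matches(parsed.path)
        if dom or fname:
            hits.append({"line": n, "time": ts, "src": src,
                         "domain": dom, "installer": fname})
    return hits


def scan_file_inventory(records):
    """records: iterable of (hostname, path). Returns (hostname, path, ioc) for matches."""
    out = []
    for host, path in records:
        ioc = filename_matches(path)
        if ioc:
            out.append((host, path, ioc))
    return out


# Constructed sample data (not from the article) to exercise the sweep offline.
SAMPLE_LOG = [
    "2024-11-15T10:21:03Z 10.0.0.15 GET https://editproai.pro/ 200",
    "2024-11-15T10:21:09Z 10.0.0.15 GET https://editproai.pro/Edit-ProAI-Setup-newest_release.exe 200",
    "2024-11-15T10:25:41Z 10.0.0.22 GET https://cdn.EditProAI.org/EditProAi_v.4.36.dmg 200",
    "2024-11-15T10:26:00Z 10.0.0.31 GET https://example.com/editproai.pro/index.html 200",  # path only: no hit
    "2024-11-15T10:27:12Z 10.0.0.31 GET https://noteditproai.pro/ 200",  # look-alike domain: no hit
]
SAMPLE_INVENTORY = [
    ("ws-015", r"C:\Users\alice\Downloads\edit-proai-setup-newest_release.exe"),
    ("mac-022", "/Users/bob/Downloads/EditProAi_v.4.36.dmg"),
    ("ws-031", r"C:\Users\carol\Downloads\setup.exe"),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy:", hit)
    for rec in scan_file_inventory(SAMPLE_INVENTORY):
        print("file:", rec)
```

A hit on either domain or either filename should be treated as a likely infostealer execution, not merely a suspicious download: the source host should be isolated and the credential steps in the incident response section applied to every account used from it.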
Comprehensive Data Theft Capabilities
The deployed Lumma and AMOS infostealers exhibit sophisticated data exfiltration capabilities, targeting:
- Stored credentials and authentication tokens
- Cryptocurrency wallet information and private keys
- Financial data including credit card details
- Browser data (cookies, browsing history, saved passwords)
- System information and network configuration
Incident Response and Security Measures
Users who suspect they have interacted with the fraudulent EditProAI service or run one of its installers should take the following steps immediately:
- Rotate passwords on all accounts, using a unique password per account, and do so from a device known to be clean, since an infected machine can capture the new credentials as they are typed
- Sign out of all active sessions and revoke existing tokens on critical services, then enable Multi-Factor Authentication (MFA): stolen session cookies and tokens remain valid after a password change until they are invalidated
- Run a full malware scan with an up-to-date security solution; if an infostealer is confirmed, reimaging the system is the safer course
- Review and monitor financial and cryptocurrency accounts for unauthorized transactions, and move funds out of any wallet whose keys or seed phrase were stored on the affected machine
- Consider professional incident response services if sensitive data exposure is suspected
This campaign is one instance of a growing pattern in which cybercriminals exploit interest in AI tools to distribute malware. Organizations and individuals should pair security awareness training with strict software installation policies that limit downloads to verified sources and official application stores, and should not treat a valid code signature on its own as proof that an installer is safe. The incident underscores the importance of defense-in-depth and of sustained vigilance against social engineering that borrows the branding of whatever technology is currently in demand.