Hackers Use Fake AI ‘Nudify’ Sites To Spread Malware

  • Written by: Kiara Fabbri, Multimedia Journalist
  • Fact-Checked by: Justyn Newman, Lead Cybersecurity Editor

In a Rush? Here are the Quick Facts!

  • Notorious Fin7 operates AI-based “nudify” websites to distribute malware, 404 Media reports.
  • Fin7 sites mimic AI deepfake platforms, attracting users interested in fringe tech.
  • These websites steal users’ login credentials and cryptocurrency wallets using malware.

A report from 404 Media published today has revealed that a network of AI-based “nudify” websites, which claim to undress photos using artificial intelligence, is actually being operated by the notorious Russian cybercrime group Fin7.

These websites are fronts for distributing malware, particularly targeting users’ login credentials and cryptocurrency wallets.

According to researchers from cybersecurity firm Silent Push, Fin7’s sites are designed to look like other popular AI-generated nonconsensual content sites.

However, instead of producing altered images, they infect users’ systems with RedLine, a type of malware known for stealing sensitive information from web browsers, as noted by 404 Media.

RedLine is currently among the most prevalent forms of infostealer malware, according to cybersecurity firm Recorded Future, as reported by 404 Media.

The findings underline the increasing attractiveness of AI-generated deepfake tools, which are now being exploited by hackers to trap victims.

Fin7, which has been linked to major cyberattacks across the U.S., is using these sites as a new method of distributing malware.

Zach Edwards, a senior threat analyst at Silent Push, said to 404 Media that these platforms attract a specific demographic.

“They are looking for people who are doing borderline shady things to start with, and then having malware ready to serve to those people who are proactively hunting for something shady,” Edwards explained about Fin7’s strategy.

This approach is effective, he added, because victims are unlikely to report the hacks to authorities due to the illicit nature of their activities. Beyond setting up honeypots and luring users, it takes minimal effort to infect them.

404 Media discovered that one of these Fin7-run websites was listed on a major porn aggregator site, increasing its potential victim base. The aggregator site, which is frequently visited by people searching for nonconsensual image-sharing platforms, helped direct unsuspecting users to Fin7’s malware-infected domains.

In response to questions from 404 Media, Hostinger, the domain registrar for most of the fraudulent sites, blocked access to these domains.

404 Media points out that Fin7 has a long history of sophisticated cyberattacks, including the creation of fake penetration testing companies to trick victims into hacking on their behalf.

Despite claims by the U.S. Department of Justice last year that “Fin7 as an entity is no more,” this recent discovery confirms the group is still active and innovating new ways to ensnare victims, as noted by 404 Media.

Edwards will present Silent Push’s full findings at the Virus Bulletin cybersecurity conference this week.
