Cybercriminals are using SEO to get popular fake AI tools loaded with malware to rank high on Google
- Fake AI tools climb search rankings to spread ransomware and malware
- Cybercriminals are targeting tech marketing and B2B users with cloned installers
- Talos has uncovered threats that are using branding tricks and search manipulation tactics
Cybercriminals are already using AI to make phishing emails more convincing, and now they’re manipulating search engine results to spread malware disguised as AI tools.
New research from Cisco Talos claims these fake downloads appear to be legitimate software, often promoted through search engines and social platforms, and are predominantly targeting users in the tech, marketing, and B2B sales industries.
Talos recently uncovered several threats distributed this way, including ransomware families CyberLock and Lucky_Gh0$t, as well as a destructive new malware called Numero.
SEO manipulation
Talos says these threats use familiar branding, fake websites, and misleading metadata to trick users into downloading and running infected software.
In one case, attackers created a clone of a known AI service, “NovaLeads,” and used SEO manipulation to rank the fake site near the top of search results.
When victims downloaded what appeared to be the legitimate installer, it executed CyberLock ransomware, written in PowerShell, which encrypted targeted files and demanded a $50,000 ransom in Monero. The ransom note falsely claimed the payment would fund humanitarian aid.
Lucky_Gh0$t ransomware, another discovery, was bundled with real Microsoft AI tools inside a self-extracting archive named “ChatGPT 4.0 full version – Premium.exe.” Once executed, it encrypted files smaller than 1.2GB and deleted or corrupted larger ones.
The newly identified malware, Numero, is especially destructive. Disguised as an installer for a video AI tool, it repeatedly runs a loop that corrupts the Windows interface by overwriting GUI elements with numeric strings, rendering systems unusable.
These campaigns exploit rising demand for AI software and target sectors most likely to adopt these tools quickly. With data centers, businesses, and individuals increasingly reliant on AI platforms, the potential harm from such threats is growing.
Talos warns users to be cautious when searching for AI tools online and to only download software from trusted vendors.
You might also like
Fake AI tools climb search rankings to spread ransomware and malware Cybercriminals are targeting tech marketing and B2B users with cloned installers Talos has uncovered threats that are using branding tricks and search manipulation tactics Cybercriminals are already using AI to make phishing emails more convincing, and now they’re manipulating…
