Full Report
Threat actors are hijacking Google search results for popular AI platforms like ChatGPT and Luma AI to deliver malware, in a sprawling black hat SEO campaign uncovered by Zscaler’s ThreatLabz. The attack campaign is equal parts clever and insidious: attackers spin up AI-themed websites optimized for search engine ranking, then redirect unsuspecting visitors into a web of fingerprinting scripts, cloaked download pages, and payloads containing some of today’s most active infostealers—Vidar, Lumma, and Legion Loader. The strategy? Ride the hype wave of AI search traffic to quietly drop malware onto the systems of curious users. From Google Search to Malware in Three Clicks The campaign kicks in when a user searches for terms like “Luma AI blog” or “Download ChatGPT 5” and lands on a well-ranked but fake AI website. These malicious sites are built using WordPress and are SEO-optimized to game search algorithms—classic black hat SEO in action. [caption id="attachment_103358" align="aligncenter" width="1080"] Example Google search result for AI-based topics leading to malware (Source: Zscaler ThreatLabz)[/caption] Once loaded, the page deploys JavaScript that fingerprints the browser, collects details like user agent, resolution, cookies, and click behavior, and then sends this data (encrypted via XOR) to a remote server at gettrunkhomuto[.]info. From there, the server analyzes the visitor’s data and determines which final destination they should be sent to. It might be a ZIP archive packed with malware or a less-threatening PUA or adware site for fallback monetization. According to Zscaler, this redirection hub—gettrunkhomuto[.]info—has already handled over 4.4 million hits since January 2025. Weaponized SEO + AWS + Signal = Obscurity What makes this campaign particularly evasive is its use of legitimate infrastructure. The redirect logic is hosted on AWS CloudFront, lending credibility to what otherwise might raise red flags in security scanners. Add in advanced techniques like browser fingerprinting, anti-adblocker scripts, and conditional redirect logic based on IP geolocation, and you’ve got a sophisticated traffic laundering operation. These deceptive scripts will even back off if ad blockers like uBlock or DNS filtering tools are detected. If not? Users get redirected to password-protected malware loaders disguised as software installers. The Payloads: Vidar, Lumma, and Legion Loader Once the user is redirected and interacts with the final download page, they’re handed malware tucked inside oversized (800MB+) installer packages. The bloated size is intentional—it helps evade sandbox environments and AV engines that skip file analysis past certain size thresholds. Vidar and Lumma Stealer, both well-known infostealers, arrive in NSIS installers containing a mix of fake .docm files, AutoIT scripts, and obfuscated loaders. Once executed, these loaders scan for antivirus processes like Avast, ESET, Sophos, or Webroot—and kill them using simple Windows tools (tasklist and findstr) before installing the final payload. The attack chain ends with browser credential theft, clipboard hijacking, and cryptocurrency wallet scraping—standard fare for Lumma and Vidar, but now with a far more sophisticated delivery mechanism. Also read: Threat to Security: Lumma Infostealer Unlocks Unstoppable Access to Google Cookies Then there’s Legion Loader, which arrives in a multi-ZIP format (yes, really). The final MSI installer masquerades as a utility suite with names like “Frankwo Utilities” or “Kraew Loop Sols.” In the background, the malware executes DLLs via sideloading, hollowing out legitimate processes like explorer.exe, and dropping malicious browser extensions capable of siphoning off crypto. It even includes a component named DataUploader.dll that phones home to the C2 server with system info and requests passwords for encrypted RAR payloads—again, designed to evade detection by avoiding hardcoded indicators. SEO, AI, and the Future of Malware Distribution This campaign’s novelty isn’t the malware—Vidar, Lumma, and Legion Loader have been around for years. What’s new is the delivery: threat actors are leaning hard into AI’s meteoric rise in popularity, weaponizing curiosity about generative models into a malware vector. AI-related keywords now drive search traffic at a scale attackers can’t ignore, according to Deepen Desai, CISO at Zscaler. If they can get fake sites ranked for popular queries, that’s a guaranteed funnel to distribute malware at scale. And they’re right. This is black hat SEO at its most strategic, using legitimate infrastructure like CloudFront and obfuscated payloads wrapped in trusted formats. With the rapid adoption of AI tools—and the general lack of scrutiny around unofficial downloads—this vector is likely to explode in the coming months. So What Can You Do? If you're casually Googling "download ChatGPT desktop" or "Luma AI tools," be wary of where those links lead. As always, avoid downloading tools from third-party sites, check URLs carefully, and watch for shady ZIP archives with passwords. And for defenders: start flagging unusual traffic to gettrunkhomuto[.]info, monitor DNS queries related to AI-themed domain clusters, and consider integrating browser fingerprinting heuristics into sandbox evaluation. In the age of AI, malware doesn't need to be smarter. It just needs to rank higher than you expected.
Analysis Summary
# Tool/Technique: Vidar, Lumma, and Legion Loader used in AI Search Poisoning Campaign
## Overview
This summary details a malware distribution campaign where threat actors are poisoning Google search results for popular AI tools to lure victims into downloading infostealer malware. The campaign leverages black hat SEO techniques to rank malicious download sites highly, facilitating the distribution of known malware families like Vidar, Lumma, and Legion Loader.
## Technical Details
- **Type:** Malware families (Vidar, Lumma, Legion Loader) and Distribution Technique
- **Platform:** Windows (implied by common infostealer targets like Chrome, Edge, and running processes like `explorer.exe`)
- **Capabilities:** Information theft (credentials, crypto), persistence, command and control communication.
- **First Seen:** Not explicitly mentioned for the campaign start date, but the malware families (Vidar, Lumma, Legion Loader) have been active for years.
## MITRE ATT&CK Mapping
The description heavily implies the initial access, execution, and credential access phases of an attack chain.
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If delivered via malicious file attachment in a targeted context)
- T1566.002 - Spearphishing Link (The primary delivery mechanism via poisoned search results)
- **TA0002 - Execution**
- T1204 - User Execution
- T1204.002 - Malicious File
- **TA0009 - Collection**
- T1005 - Data from Local System (Implied by infostealer action)
## Functionality
### Core Capabilities
The campaign utilizes SEO to funnel traffic to malicious sites disguised as official AI tool download pages. The delivered payloads are known infostealers and loaders designed to:
1. **Install Persistent Artifacts:** Executing malicious files like `DataUploader.dll` injected into legitimate processes such as `explorer.exe`.
2. **Credential Evasion:** Avoiding hardcoded indicators to stay under the radar.
### Advanced Features
- **Evasion Techniques:** Use of `DataUploader.dll` that phones home to the C2, sends system information, and requests passwords for encrypted RAR payloads, suggesting layered delivery and defense evasion.
- **Delivery Mechanism:** Strategic use of **Black Hat SEO** targeting high-intent AI keywords ("download ChatGPT desktop," "Luma AI tools").
- **Infrastructure Abuse:** Using legitimate infrastructure like **CloudFront** to host malicious content or serve obfuscated payloads wrapped in trusted formats (e.g., ZIP archives).
- **Payload Diversity:** Deploying multiple established infostealers, including **Vidar**, **Lumma**, and **Legion Loader**.
- **Browser Extension Injection:** Dropping malicious browser extensions capable of **siphoning off cryptocurrency** information.
## Indicators of Compromise
*Note: Specific file hashes or hashes for the described campaign mechanics are not provided in the text.*
- **File Hashes:** N/A (Not provided)
- **File Names:** `DataUploader.dll` (a component mentioned in the context)
- **Registry Keys:** N/A (Not provided)
- **Network Indicators:** `gettrunkhomuto[.]info` (Explicitly mentioned C2/domain to monitor)
- **Behavioral Indicators:**
- Unusual traffic to the listed domain.
- DNS queries related to AI-themed domain clusters.
- Installation of untrusted browser extensions designed for crypto theft.
- Injection into processes like `explorer.exe`.
- Use of password-protected ZIP archives containing payloads.
## Associated Threat Actors
The article does not explicitly name a specific threat actor group, but it labels the activity as being conducted by general "Hackers" leveraging black hat SEO.
## Detection Methods
- **Signature-based detection:** Signatures for known malware families (Vidar, Lumma, Legion Loader) should be current.
- **Behavioral detection:** Flagging unusual traffic to the C2 domain, monitoring for newly introduced browser extensions, and detecting shellcode injection into `explorer.exe`.
- **YARA rules:** (Not provided, but recommended for known malware family signatures).
## Mitigation Strategies
- **Prevention measures:** Avoid downloading tools from third-party sites, especially results from highly ranked, non-official search engine results for trending software.
- **Hardening recommendations:**
- Implement domain reputation checks upon clicking search results.
- Monitor DNS queries for newly registered or suspicious AI-themed domains.
- Integrate browser fingerprinting heuristics into sandbox evaluations to detect obfuscated or trusted-format payloads.
- Be wary of ZIP archives that require passwords, as they are often used to conceal malicious content.
## Related Tools/Techniques
- **Malware Families:** Vidar Infostealer, Lumma Infostealer, Legion Loader.
- **Techniques:** Black Hat SEO, Search Engine Poisoning, Supply Chain Compromise (via search funnel).