Verticals Targeted: Manufacturing, Government, Healthcare, Technology, Retail, Education, Financial, Construction
Regions Targeted: India, US, Europe, Brazil, Canada
Related Families: None
Executive Summary
The EvilAI malware campaign leverages AI-generated code and deceptive applications with valid digital signatures to infiltrate systems globally, targeting critical industries like manufacturing, government, and healthcare. By mimicking legitimate software and employing sophisticated obfuscation, EvilAI evades detection, exfiltrates sensitive data, and maintains persistent control via encrypted C2 communications, posing a significant threat to organizations worldwide.
Key Takeaways
- EvilAI uses AI-generated JavaScript code in Node.js environments, obfuscated with techniques like control flow flattening and Unicode escape sequences to bypass traditional security tools.
- The campaign has impacted 114 systems, with India and the United States reporting the highest infection counts.
- Manufacturing, government, and healthcare are the most affected sectors, highlighting EvilAI’s broad and indiscriminate attack strategy.
- Encrypted AES-256-CBC channels enable continuous communication with C2 servers, facilitating file downloads, registry manipulation, and process execution.
What is EvilAI?
The rapid rise of AI-augmented malware has reshaped the cyberthreat landscape, with the EvilAI campaign exemplifying how adversaries exploit cutting-edge technology to craft stealthy, scalable attacks. Trend Micro’s recent analysis reveals a sophisticated operation that disguises malicious payloads within seemingly legitimate applications, leveraging AI-generated JavaScript code executed via Node.js to infiltrate systems across multiple continents. This campaign, tracked since late August 2025, targets a diverse range of industries, from manufacturing to healthcare, and employs advanced evasion techniques to maintain persistent access while evading detection.
EvilAI’s infection chain begins with trojans masquerading as productivity tools. These applications, distributed through malicious websites, SEO manipulation, and social media promotions, have polished interfaces and working features that make them convincing to users. Many carry valid digital signatures from newly registered entities such as App Interplace LLC and Byte Media Sdn Bhd, lending an air of legitimacy that bypasses initial scrutiny. Once installed, the trojan executes a JavaScript payload via Node.js, dropped in the user’s temporary directory under a name of the form “[GUID]or.js.” The payload establishes persistence through scheduled tasks and registry Run key entries; the scheduled task fires daily at 10:51 AM and then every four hours.
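The persistence described above leaves two artifacts a responder can query from the host: a scheduled task and a Run key value, both launching node.exe against a “[GUID]or.js” file in the user’s Temp directory. The following Node.js script is an added hunting example (it is not EvilAI’s code, nor a Trend Micro or PolySwarm tool). It assumes the input shapes of `schtasks /query /fo CSV /v` and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, assumes the GUID is the usual 36-character hyphenated form, and uses constructed sample output with invented task and value names.

```javascript
// Added hunting example (not EvilAI's code, and not a Trend Micro or PolySwarm
// tool): flag scheduled tasks and HKCU Run values that launch node.exe on a
// "<GUID>or.js" file under the user's Temp directory, the persistence pattern
// described in the text. Input shapes assumed: `schtasks /query /fo CSV /v`
// and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output.

// Parse one line of schtasks CSV output (double-quoted fields, "" for an
// embedded quote).
function parseCsvLine(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      fields.push(cur); cur = '';
    } else {
      cur += ch;
    }
  }
  fields.push(cur);
  return fields;
}

// node.exe (or a bare "node") as the runtime...
const NODE_RUNTIME = /\bnode(?:\.exe)?\b/i;
// ...running ...\Temp\<GUID>or.js, the "[GUID]or.js" naming from the text.
// A 36-character hyphenated GUID (optionally braced) is an assumption.
const TEMP_PAYLOAD = /\\Temp\\\{?[0-9a-f-]{36}\}?or\.js\b/i;

function looksLikeEvilAiLaunch(command) {
  return NODE_RUNTIME.test(command) && TEMP_PAYLOAD.test(command);
}

// Returns the suspicious tasks with the fields an analyst wants to see.
function findSuspiciousTasks(schtasksCsv) {
  const lines = schtasksCsv.trim().split(/\r?\n/);
  const header = parseCsvLine(lines[0]);
  const col = (name) => header.indexOf(name);
  const hits = [];
  for (const line of lines.slice(1)) {
    const f = parseCsvLine(line);
    const cmd = f[col('Task To Run')] || '';
    if (looksLikeEvilAiLaunch(cmd)) {
      hits.push({
        task: f[col('TaskName')],
        command: cmd,
        startTime: f[col('Start Time')],
        repeatEvery: f[col('Repeat: Every')],
      });
    }
  }
  return hits;
}

// reg query prints one value per line: "    <name>    REG_SZ    <data>".
function findSuspiciousRunValues(regQueryText) {
  const hits = [];
  for (const line of regQueryText.split(/\r?\n/)) {
    const m = line.match(/^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$/);
    if (m && looksLikeEvilAiLaunch(m[2])) hits.push({ value: m[1], command: m[2] });
  }
  return hits;
}

// Constructed sample output (not captured from a real infection; task and
// value names are invented). Only the relevant schtasks columns are shown.
const SAMPLE_SCHTASKS = String.raw`"HostName","TaskName","Task To Run","Schedule Type","Start Time","Repeat: Every"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly","01:00:00","N/A"
"WS01","\NodeUpdateTask","C:\Program Files\nodejs\node.exe C:\Users\alice\AppData\Local\Temp\d3f2a9c1-7b4d-4e8a-9c2f-1a2b3c4d5e6for.js","Daily","10:51:00","4 Hour(s)"`;

const SAMPLE_REG = String.raw`
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    NodeUpdate    REG_SZ    "C:\Program Files\nodejs\node.exe" "C:\Users\alice\AppData\Local\Temp\d3f2a9c1-7b4d-4e8a-9c2f-1a2b3c4d5e6for.js"
`;

console.log(findSuspiciousTasks(SAMPLE_SCHTASKS));
console.log(findSuspiciousRunValues(SAMPLE_REG));
```

On a live host, feed the script the real command output (for example, redirect `schtasks /query /fo CSV /v` to a file and read it in). The match is deliberately narrow, node.exe plus the Temp-directory naming pattern, so that legitimate Node.js tooling scheduled from a project directory does not trip it; widen the path pattern if the operator changes the drop location.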
The malware’s technical sophistication lies in its AI-driven obfuscation. Using large language models, attackers generate code with control flow flattening, Unicode escape sequences, and MurmurHash3-based anti-analysis loops whose exit condition depends on a hash value, so they look unbounded to static analysis tools but run exactly once at run time. These techniques, combined with meaningless variable names and self-cleaning routines, significantly hinder reverse engineering. EvilAI further uses Windows Management Instrumentation (WMI) to enumerate browser processes such as Microsoft Edge and Chrome and terminate them; with the browser closed, its profile files are no longer held open, and the malware copies the “Web Data” and “Preferences” files from the browser profiles for credential theft.
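To make the three obfuscation devices above recognisable, here is an added reconstruction written for analysts; it is not EvilAI’s actual code and does not reproduce any sample. It shows a MurmurHash3-gated loop that looks unbounded but runs once, a straight-line routine beside its control-flow-flattened form (using the browser profile file names from the text), and a helper that decodes Unicode and hex escape sequences. The seed string, the order string, and the obfuscated fragment are all constructed; the hash implementation is the public MurmurHash3 x86_32 algorithm.

```javascript
// Added example (a reconstruction for analysts, not EvilAI's actual code):
// the three obfuscation devices named in the text, shown in plain form so their
// shape is recognisable, plus the small helpers used to undo or reason about them.
// Uses only Node.js globals (TextEncoder); no third-party packages.

// MurmurHash3 x86_32 (Austin Appleby's public algorithm), the hash the gate uses.
function murmurhash3_32(key, seed = 0) {
  const bytes = new TextEncoder().encode(key);
  const len = bytes.length;
  const c1 = 0xcc9e2d51, c2 = 0x1b873593;
  let h1 = seed >>> 0;
  const nblocks = len >>> 2;
  for (let i = 0; i < nblocks; i++) {
    const o = i * 4;
    let k1 = (bytes[o] | (bytes[o + 1] << 8) | (bytes[o + 2] << 16) | (bytes[o + 3] << 24)) >>> 0;
    k1 = Math.imul(k1, c1);
    k1 = (k1 << 15) | (k1 >>> 17);
    k1 = Math.imul(k1, c2);
    h1 ^= k1;
    h1 = (h1 << 13) | (h1 >>> 19);
    h1 = (Math.imul(h1, 5) + 0xe6546b64) >>> 0;
  }
  let k1 = 0;
  const t = nblocks * 4;
  switch (len & 3) {            // tail bytes, deliberate fall-through
    case 3: k1 ^= bytes[t + 2] << 16;
    case 2: k1 ^= bytes[t + 1] << 8;
    case 1: k1 ^= bytes[t];
      k1 = Math.imul(k1, c1);
      k1 = (k1 << 15) | (k1 >>> 17);
      k1 = Math.imul(k1, c2);
      h1 ^= k1;
  }
  h1 ^= len;                    // finalisation mix
  h1 ^= h1 >>> 16;
  h1 = Math.imul(h1, 0x85ebca6b);
  h1 ^= h1 >>> 13;
  h1 = Math.imul(h1, 0xc2b2ae35);
  h1 ^= h1 >>> 16;
  return h1 >>> 0;
}

// Anti-analysis gate: no visible bound, and the exit depends on a hash a static
// tool will not evaluate; but the baked-in constant equals the hash of the seed,
// so the body runs exactly once. (Constructed seed; an obfuscator would emit the
// expected value as a numeric literal rather than compute it here.)
const GATE_SEED = 'c0ffee-seed';
const GATE_EXPECTED = murmurhash3_32(GATE_SEED);
function gatedOnce(body) {
  let passes = 0;
  for (;;) {
    passes++;
    body(passes);
    if (murmurhash3_32(GATE_SEED) === GATE_EXPECTED) break;
  }
  return passes;
}

// Control-flow flattening: the first routine is the readable original; the
// second is the same logic as a dispatcher loop driven by an order string,
// which is the shape an analyst sees in flattened output.
function collectOriginal(profileDir) {
  const files = [];
  files.push(profileDir + '\\Web Data');
  files.push(profileDir + '\\Preferences');
  return files;
}
function collectFlattened(profileDir) {
  const order = '2|0|1|3'.split('|');
  let i = 0, files, result;
  while (true) {
    switch (order[i++]) {
      case '0': files.push(profileDir + '\\Web Data'); continue;
      case '1': files.push(profileDir + '\\Preferences'); continue;
      case '2': files = []; continue;
      case '3': result = files; break;
    }
    break;
  }
  return result;
}

// Unicode/hex escape decoding: obfuscators write identifiers and strings as
// \uXXXX sequences; turning them back is usually the first deobfuscation pass.
function decodeUnicodeEscapes(src) {
  return src
    .replace(/\\u\{([0-9a-fA-F]+)\}/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
// Constructed obfuscated fragment (not taken from a real sample).
const OBFUSCATED = '\\u0072\\u0065\\u0071\\u0075\\u0069\\u0072\\u0065("\\u0063\\u0068\\u0069\\u006c\\u0064_\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073")';

console.log('gate passes:', gatedOnce(() => {}));
console.log('flattened == original:', JSON.stringify(collectFlattened('C:\\p')) === JSON.stringify(collectOriginal('C:\\p')));
console.log('decoded:', decodeUnicodeEscapes(OBFUSCATED));
```

The escape decoder is a textual pass, adequate for triage, but a production deobfuscator should operate on an AST so that escapes inside regular-expression literals are left alone; the flattened dispatcher is likewise best unrolled by tracing the order string rather than by reading the switch in source order.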
Network communications are secured with AES-256-CBC encryption, using the malware’s unique instance ID as a cryptographic key. The C2 infrastructure supports a continuous command loop, processing JSON payloads for file downloads, registry modifications, process execution, and script handling. This modular design allows EvilAI to act as a stager, potentially deploying secondary infostealer payloads.
IOCs
PolySwarm has multiple samples of EvilAI.
ad0655b17bbdbd8a7430485a10681452be94f5e6c9c26b8f92e4fcba291c225a
9f369e63b773c06588331846dd247e48c4030183df191bc53d341fcc3be68851
cf45ab681822d0a4f3916da00abd63774da58eb7e7be756fb6ec99c2c8cca815
You can use the following CLI command to search for all EvilAI samples in our portal:
$ polyswarm link list -f EvilAI