Curated by THEOUTPOST
On Thu, 3 Oct, 12:06 AM UTC
5 Sources
[1]
The Latest Way to Catch a Virus: AI-Driven Porn Sites - Decrypt
Ever since the commercial internet began to reach mainstream users, porn sites have always been used to carry malware. The latest trend: Russian hackers are using AI-driven "deepnude generators" -- applications that create nude images from user-uploaded pictures -- to infect the stupidly horny. Worst of all, the hackers appear to be connected to FIN7, a notorious cybercrime group active since 2012. Last year, the U.S. Department of Justice pronounced the gang dead following the arrest, conviction, and jailing of three members, including FIN7's alleged "manager," a Ukrainian national named Fedir Hladyr. The hacker group was believed to have caused $3 billion in damage worldwide. Last week, Virginia-based security company Silent Push published a report claiming that the group is back -- and worse than ever. Silent Push reported that FIN7 has recently set up some 4,000 fake domains and subdomains, including at least seven "deepnude generator" websites described as "honeypots of malware." "FIN7 AI deepfake honeypots redirect unsuspecting users who click on the 'free download' offer to a new domain featuring a Dropbox link or another source hosting a malicious payload," the Silent Push report said, noting that all of the sites have since been taken down. However, they "believe it's likely new sites will be launched that follow similar patterns." The websites included names like easynude(.)website, ai-nude(.)cloud, and nude-ai(.)pro. Detecting malware attacks is challenging, San Jose State University College of Engineering Professor Ahmed Banafa said. "It's just changing the domain, and the code is the same," Banafa said. "Even if you confiscate the server farms in a different country, it's very easy to get it done again." Porn sites are a common attack vector, he said. "This is the weakest point -- the weakest point of the network is the human," he explained. While the AI twist is new, the broader trend definitely isn't.
In late March 1999, a computer programmer named David Lee Smith used a hijacked America Online account to spread the "Melissa" virus via an internet newsgroup called "alt.sex." Once downloaded, the malware -- which cost an estimated $80 million to clean up -- took over the user's PC and sent infected emails to the victim's contacts. In the early 2000s, cybercriminals began using adult websites to distribute Trojan horses and spyware disguised as video players or codecs. These programs, like the ILOVEYOU virus, recorded keystrokes and changed browser settings without the user's knowledge. Last month, the city of San Francisco filed a lawsuit against 18 illegal deepfake websites and apps that offered to undress or "nudify" women and girls. Collectively, the lawsuit said, the sites have been visited over 200 million times in the first six months of 2024. "This investigation has taken us to the darkest corners of the internet, and I am absolutely horrified for the women and girls who have had to endure this exploitation," San Francisco City Attorney David Chiu said at the time. "Generative AI has enormous promise, but as with all new technologies, there are unintended consequences and criminals seeking to exploit the new technology." FIN7 is the name security researchers gave the group when it was first identified, and it stands for Financially Motivated Threat Group 7. The hackers refer to their group by many different names, including Carbanak or the Navigator Group. It's believed to be tied to Russia based on the fact that it recruits Russian speakers and targets mostly U.S. and European corporate users as a way to infiltrate their work systems. Likewise, Russia itself has been largely uncooperative in helping catch the perpetrators, according to law enforcement officials. FIN7's shenanigans have gone far beyond porn sites. 
Security experts believe the group has stolen millions by infiltrating point-of-sale systems in the hospitality and food industries to steal customer data and making fraudulent bank transfers. U.S. companies hit by FIN7 include Chipotle, Chili's, and Arby's. According to an FBI report, in the U.S. alone, FIN7 stole more than 15 million customers' card data from over 6,500 point-of-sale terminals between 2016 and 2017. The group has even set up fake security companies, including Combi Security and Bastion Secure, to target victims. These fake firms aimed to deceive cybersecurity professionals into working for the criminal organization under the guise of performing penetration testing, instead using them to develop malware and conduct network intrusions.
[2]
Russian Hackers Push AI Nude Image Generators to Spread Malware
A Russian hacking group is exploiting interest in AI-generated porn to spread malware to unsuspecting users. A group known as FIN7 or Carbanak is circulating the malware through a collection of seven "AI Deepnude" generator websites, according to research from cybersecurity vendor Silent Push. The sites pretend to offer free downloads or free trials for a so-called "Deepnude Generator," which can take existing photos of women and produce new images that remove their clothing. "Yes, AI is able to nudify images," the sites claim. In reality, the sites try to dupe users into downloading malware programs that can secretly steal passwords, internet cookies, and other sensitive data from their PCs by redirecting them to a new domain that hosts the malicious payload. The hacking group has likely been promoting the sites through search engine queries for porn sites, according to Silent Push, which published its report three months after uncovering evidence that FIN7 had re-emerged despite three group members being arrested. FIN7 was previously known for hacking a wide range of industries to steal payment card data. Silent Push says either the group has revived itself, or someone else is using the gang's old infrastructure, to start a new wave of hacking activity. "Our analysts have discovered legacy FIN7 domains, malware and TTPs (tactics, techniques, and procedures) in the wild, including spearphishing attack vectors that are listed in the federal indictment," the vendor said in July. The good news is that all seven AI nude-generating websites have been taken down. Still, Silent Push warns: "We believe it's likely new sites will be launched that follow similar patterns." The discovery is a reminder that cybercriminals often use porn, pirated media, and other popular content to spread malware. FIN7 has also been spreading malware through online advertisements that try to dupe users into installing a malicious browser extension.
[3]
Russian Hackers Are Using Fake AI "Nudify" Sites to Steal Data
"They are looking for people who are doing borderline shady things to start with." Multiple sites masquerading as "nudify" services, which use AI to deepfake clothed photographs into often nonconsensual nudes, have been linked to a notorious Russian hacker collective that was believed to be dead. As 404 Media reports, Zach Edwards of the cybersecurity firm Silent Push said that the Russian group Fin7 seems to be behind several websites that use variations of the name "AINude.ai" to trick their mostly male victims into giving them their info without their knowledge. "The deepfake AI software may have an audience of mostly men with a decent amount who use other AI software or have crypto accounts," Edwards told 404. "There's a specific type of audience who wants to be on the bleeding edge of creepy (while ignoring new laws around deepfakes), and who are proactively searching out deepfake AI nude software." Edwards and his colleagues found that these Fin7-linked AI sites contained "infostealer" malware that the site said was necessary to "nudify" images. As its name suggests, infostealer malware targets infected machines by stealing their data and sending them off-server to hackers. Using that data, bad actors like Fin7 can threaten to release personal information -- unless, of course, their victims pay up. While this scheme is relatively run-of-the-mill for shady porn sites -- which the AI nude sites link to as well -- perhaps what's most shocking about Silent Push's finding is that the Russian hackers in question are supposed to be defunct. Last year, the US Department of Justice went as far as to declare that Fin7, an unusually professional outfit that ran fake security fronts and had operatives in both Russia and Ukraine, is "no more" after three of its hackers were charged and sentenced to prison. As this news makes clear, that declaration was premature. 
This hack's obvious Dropbox links containing the malware files, however, seem far less sophisticated than Fin7's previous work that involved setting up entire shell companies to get away with their scams. "They are looking for people who are doing borderline shady things to start with," Edwards told 404, "and then having malware ready to serve to those people who are proactively hunting for something shady." At the end of the day, it's hard to say who is worse: those trying to almost certainly nudify other people's images nonconsensually, or those trying to rip the creeps off.
[4]
FIN7 hackers launch deepfake nude "generator" sites to spread malware
The notorious APT hacking group known as FIN7 has launched a network of fake AI-powered deepnude generator sites to infect visitors with information-stealing malware. FIN7 is believed to be a Russian hacking group that has been conducting financial fraud and cybercrime since 2013, with ties to ransomware gangs, such as DarkSide, BlackMatter, and BlackCat, who recently conducted an exit scam after stealing a $20 million UnitedHealth ransom payment. FIN7 is known for its sophisticated phishing and social engineering attacks, such as impersonating BestBuy to send malicious USB keys or creating a fake security company to hire pentesters and developers for ransomware attacks without them knowing. So it's not surprising to find that they have now been linked to an intricate network of websites promoting AI-powered deepnude generators that claim to create fake nude versions of photos of clothed individuals. The technology has been controversial due to the harm it can cause to the subjects by creating non-consensual explicit images, and it has even been outlawed in many places in the world. However, the interest in this technology remains strong. FIN7's fake deepnude sites serve as honeypots for people interested in generating deepfake nudes of celebrities or other people. In 2019, threat actors used a similar lure to spread info-stealing malware even before the AI explosion. The network of deepnude generators operates under the same "AI Nude" brand and is promoted through black hat SEO tactics to rank the sites high in search results. According to Silent Push, FIN7 directly operated sites like "aiNude[.]ai", "easynude[.]website", and "nude-ai[.]pro," which offered "free trials" or "free downloads," but in reality just spread malware. All the sites use a similar design that promises the ability to generate free AI deepnude images from any uploaded photo. The fake websites allow users to upload photos from which they would like to create deepfake nudes.
However, after the alleged "deepnude" is made, it is not displayed on the screen. Instead, the user is prompted to click a link to download the generated image. Doing so will bring the user to another site that displays a password and a link for a password-protected archive hosted on Dropbox. While this site is still alive, the Dropbox link no longer works. However, instead of a deepnude image, the archive contains the Lumma Stealer information-stealing malware. When executed, the malware will steal credentials and cookies saved in web browsers, cryptocurrency wallets, and other data from the computer. Silent Push also saw some sites promoting a deepnude generation program for Windows that would instead deploy Redline Stealer and D3F@ck Loader, which are also used to steal information from compromised devices. All seven sites detected by Silent Push have since been taken down, but users who might have downloaded files from them should consider themselves infected. Silent Push also identified parallel FIN7 campaigns dropping NetSupport RAT through websites that prompt visitors to install a browser extension. In other cases, FIN7 uses payloads that appear to spoof well-known brands and applications such as Cannon, Zoom, Fortnite, Fortinet VPN, Razer Gaming, and PuTTY. These payloads may be distributed to victims using SEO tactics and malvertising, tricking them into downloading trojanized installers.
[5]
A Network of AI 'Nudify' Sites Are a Front for Notorious Russian Hackers
Multiple sites which promise to use AI to 'nudify' any photos uploaded are actually designed to infect users with powerful credential stealing malware, according to new findings from a cybersecurity company which has analyzed the sites. The researchers also believe the sites are run by Fin7, a notorious Russian cybercrime group that has previously even set up fake penetration testing services to trick people into hacking real victims on their behalf. The news indicates that services for producing AI-generated nonconsensual intimate content are becoming enticing enough that hackers feel it is worth the time and effort to build fake versions they can then use to hack people. The news also shows that Fin7 is alive despite the U.S. Department of Justice saying last year that "Fin7 as an entity is no more." Hostinger, the domain registrar for most of the fake nudify sites, blocked the domains after 404 Media sent it a list of questions earlier this week. 404 Media also found that one of the Fin7-run sites was included in one of the web's biggest porn site aggregators, potentially putting many people who stumbled across the site at risk.
The notorious Russian hacking group FIN7 has launched a network of fake AI-powered deepnude generator sites to infect visitors with information-stealing malware, exploiting the growing interest in AI-generated content.
The notorious Russian hacking group FIN7, previously believed to be defunct, has resurfaced with a new malware campaign exploiting the growing interest in AI-generated content. Cybersecurity firm Silent Push has uncovered a network of fake "AI Deepnude" generator websites linked to FIN7, designed to spread malware to unsuspecting users [1].
FIN7 has set up approximately 4,000 fake domains and subdomains, including at least seven "deepnude generator" websites described as "honeypots of malware" [1]. These sites, with names like easynude(.)website and ai-nude(.)cloud, promise to create nude images from user-uploaded pictures using AI technology [2].
Users are lured to these sites through search engine queries and advertisements. When visitors attempt to download the "free" AI nude generator software, they are redirected to a new domain featuring a Dropbox link or another source hosting malicious payloads [1][4]. The downloaded files contain information-stealing malware such as Lumma Stealer, Redline Stealer, and D3F@ck Loader [4].
The malware is designed to steal passwords, internet cookies, cryptocurrency wallets, and other sensitive data from infected PCs [2]. While the seven identified sites have been taken down, cybersecurity experts warn that new sites following similar patterns are likely to emerge [2][4].
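A retrospective log check for the domains the sources above name, given here as an added example that is not part of the original article or of Silent Push's report: it refangs both defanging styles used on this page and matches DNS query names on label boundaries, so subdomains are caught and lookalike names are not. The log format, client addresses and the `dl.` subdomain are constructed for illustration.

```python
import re

# Domains as the page's sources print them (two defanging styles).
DEFANGED_IOCS = [
    "easynude(.)website", "ai-nude(.)cloud", "nude-ai(.)pro",
    "aiNude[.]ai", "easynude[.]website", "nude-ai[.]pro",
]

# Constructed sample log; assumed format: timestamp client query-name type.
SAMPLE_DNS_LOG = """\
2024-10-02T09:14:03Z 10.0.4.17 www.example.org A
2024-10-02T09:14:09Z 10.0.4.17 AINude.ai. A
2024-10-02T09:15:41Z 10.0.7.52 dl.easynude.website A
2024-10-02T09:16:02Z 10.0.7.52 notnude-ai.pro A
2024-10-02T09:16:30Z 10.0.9.8 nude-ai.pro.example.org AAAA
2024-10-02T09:17:55Z 10.0.4.17 ai-nude.cloud AAAA
"""

def refang(indicator):
    """Turn 'name(.)tld' or 'name[.]tld' into a lowercase hostname."""
    host = re.sub(r"[\[(]\.[\])]", ".", indicator.strip())
    return host.lower().rstrip(".")

BLOCKLIST = frozenset(refang(d) for d in DEFANGED_IOCS)

def matched_ioc(hostname, blocklist=BLOCKLIST):
    """Return the listed domain that hostname equals or sits under, else None."""
    # Compare whole labels only: 'dl.easynude.website' matches, while
    # 'notnude-ai.pro' and 'nude-ai.pro.example.org' must not.
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def scan_dns_log(text):
    """Return (timestamp, client, queried name, matched IoC) for each hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or truncated line
        ts, client, qname = fields[:3]
        ioc = matched_ioc(qname)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits

if __name__ == "__main__":
    for ts, client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname} (listed as {ioc})")
```

A hit shows only that a client resolved a listed name; the download and execution of the archive still have to be confirmed on the host itself.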
FIN7, also known as Carbanak, has been active since 2012 and is believed to have caused $3 billion in damage worldwide [1]. The group has previously targeted various industries, particularly the hospitality and food sectors, to steal customer data and make fraudulent bank transfers [1]. They have even set up fake security companies to recruit unwitting cybersecurity professionals [1].
The use of deepfake technology for creating nonconsensual explicit images has raised significant legal and ethical concerns. In response to the growing problem, the city of San Francisco recently filed a lawsuit against 18 illegal deepfake websites and apps offering to "nudify" women and girls [1]. These sites collectively received over 200 million visits in the first six months of 2024 [1].
Ahmed Banafa, a professor at San Jose State University College of Engineering, emphasizes the challenge of detecting and preventing such malware attacks. He notes that even if server farms are confiscated, it's relatively easy for hackers to set up new operations [1]. Cybersecurity experts stress that human behavior remains the weakest point in network security [1][3].
This incident highlights the ongoing challenges at the intersection of AI technology and cybersecurity. As AI tools become more sophisticated and widely available, they are increasingly being exploited by cybercriminals for malicious purposes. The case of FIN7's AI nude generator scam serves as a stark reminder of the need for improved cybersecurity measures and increased public awareness about the risks associated with emerging technologies [5].