Cisco Talos uncovers CyberLock ransomware, Lucky_Gh0$t, and Numero malware masquerading as legitimate software and AI tool installers. Learn how these fake installers exploit businesses in sales, tech, and marketing.
Cybersecurity researchers at Cisco Talos have revealed that the increasing presence of Artificial Intelligence (AI) in the business world has opened new opportunities for cybercriminals. Threat actors are hiding malicious software within fake installers for AI tools, tricking businesses into downloading malware. This new wave includes ransomware like CyberLock and Lucky_Gh0$t, and destructive malware called Numero.
According to researchers, these fake AI tool installers are distributed via various online channels, through SEO poisoning (manipulating search engine rankings) so that the fake websites appear at the top of search results. Additionally, social media and messaging platforms like Telegram are used to spread their malicious links.
Businesses, especially those in sales, technology, and marketing, are prime targets because they frequently use legitimate AI tools for automation, data analysis, and customer engagement.
As detailed by Cisco Talos’ report shared with Hackread.com ahead of its publishing on Thursday, May 29, when unsuspecting users download seemingly harmless installers, they unknowingly invite malware onto their systems, putting sensitive business data and financial assets at risk, and eroding trust in genuine AI solutions.
Cisco Talos Exposes Several Threats
CyberLock Ransomware
This ransomware, observed as early as February 2025, poses as a lead monetization AI platform called NovaLeadsAI. Its operators have created a fake website, ‘novaleadsaicom,’ to mimic the real ‘novaleads.app.’ They even offered deceptive “free access” for the first year to lure victims.
Once downloaded, a file named ‘NovaLeadsAI.exe’ deploys the CyberLock ransomware. This ransomware, written in PowerShell and embedded with CSharp code, encrypts various file types, including documents, spreadsheets, images, and videos, and demands a $50,000 ransom in Monero (XMR) cryptocurrency.
As a manipulative tactic, the cybercriminals falsely claim the ransom will support humanitarian aid in regions like Palestine, Ukraine, Africa, and Asia. CyberLock also attempts to wipe free space on the hard drive via the built-in Windows tool ‘cipher.exe’, making it harder to recover deleted files.
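As an added illustration from the defender's side (not code from the Talos report or from this article), the Python script below scans process-creation records for the free-space wipe step described above, cipher.exe run with its /w: switch, and raises the score when the parent process is PowerShell, matching the PowerShell-based loader. The record format, file paths, timestamps and the stage script name are constructed assumptions.

```python
import re
from dataclasses import dataclass

# cipher.exe /w:<dir> overwrites the unallocated space of the volume holding <dir>.
# Admins run it rarely; spawned by a PowerShell loader right after an unknown
# installer ran, it is the recovery-hampering step the article attributes to CyberLock.
WIPE_SWITCH = re.compile(r"(?:^|\s)/w:", re.IGNORECASE)

@dataclass
class ProcEvent:
    ts: str
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str

def parse_event(line):
    """Parse one pipe-delimited process-creation record (constructed format)."""
    ts, parent, image, cmdline = (field.strip() for field in line.split("|", 3))
    return ProcEvent(ts, parent, image, cmdline)

def score_event(ev):
    """Return (score, reasons); score 2 means a wipe attempt from a scripted parent."""
    reasons = []
    if ev.image.lower().endswith("\\cipher.exe") and WIPE_SWITCH.search(ev.cmdline):
        reasons.append("cipher.exe /w: free-space wipe hampers recovery of deleted files")
        if ev.parent.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            reasons.append("parent is PowerShell, matching CyberLock's PowerShell loader")
    return len(reasons), reasons

def find_suspicious(lines, threshold=2):
    """Return (timestamp, reasons) for every event scoring at or above the threshold."""
    hits = []
    for ev in map(parse_event, lines):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.ts, reasons))
    return hits

# Constructed sample telemetry; paths, times and the stage script name are invented.
SAMPLE_LOG = [
    "2025-02-14T10:02:11Z | C:\\Windows\\explorer.exe | C:\\Users\\alice\\Downloads\\NovaLeadsAI.exe | NovaLeadsAI.exe",
    "2025-02-14T10:02:13Z | C:\\Users\\alice\\Downloads\\NovaLeadsAI.exe | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1",
    "2025-02-14T10:05:40Z | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | C:\\Windows\\System32\\cipher.exe | cipher.exe /w:C:\\",
    "2025-02-14T11:00:00Z | C:\\Windows\\System32\\cmd.exe | C:\\Windows\\System32\\cipher.exe | cipher.exe /w:D:\\",
    "2025-02-14T11:30:00Z | C:\\Windows\\System32\\cmd.exe | C:\\Windows\\System32\\cipher.exe | cipher.exe /e C:\\Users\\alice\\Documents",
]

if __name__ == "__main__":
    for ts, reasons in find_suspicious(SAMPLE_LOG):
        print(ts, "->", "; ".join(reasons))
```

A wipe launched from cmd.exe still scores 1, so lowering the threshold surfaces it for review without auto-alerting on routine administrative use.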
Lucky_Gh0$t Ransomware
This Yashma ransomware variant (part of the Chaos ransomware series) is distributed through fake ChatGPT installers, usually as ‘ChatGPT 4.0 full version – Premium.exe’. This malicious installer includes a file called ‘dwn.exe’ which is the ransomware, along with legitimate Microsoft AI tools, likely to avoid detection.
Lucky_Gh0$t encrypts files smaller than 1.2GB and also has destructive behaviour for larger files, overwriting them with a single character. Victims are given a personal ID and instructed to use a secure messenger platform for communication.
Numero Malware
This newly discovered destructive malware imitates the installer for InVideo AI, a popular online video creation tool. Compiled in January 2025, it is a window manipulator malware that continuously runs on a victim’s machine, making Windows systems unusable by interfering with their graphical interface. It avoids being detected by checking for common malware analysis tools like IDA, x64 debugger, and OllyDbg.

Given these evolving threats, organizations and individuals must be extremely careful. Always verify the source of AI tools and only download software from trusted vendors.