How Russian hackers used deepfake nude “generator” sites to spread malware

A notorious Russian hacking group, FIN7, has been caught running a network of fake deepfake nude “generator” websites designed to infect users with malware.

These sites, which claimed to use AI technology to generate fake nude images of individuals from clothed photos, were actually lures to spread malicious software.

FIN7, known for its expertise in cybercrime, has been active since 2013 and has strong ties to ransomware gangs, including DarkSide, BlackMatter, and BlackCat.

FIN7’s deepfake malware trap
FIN7’s new tactic involves websites offering what they call AI-powered “deepfake nude generators.” These sites claim to allow users to upload photos and generate fake nude images, a controversial technology that has caused harm to many by creating explicit images without consent. Despite being outlawed in various regions, interest in this technology remains high, which hackers have now exploited.

More from Tech

How ChatGPT is becoming everyone’s BFF and why that’s dangerous America ready for self-driving cars, but it has a legal problem

The deepfake nude websites created by FIN7 are essentially honeypots, drawing in users who are interested in creating non-consensual explicit images of others. These sites promise a free trial or download, but instead, they trick visitors into downloading malware.

According to cybersecurity firm Silent Push, FIN7 operated sites under names like “aiNude[.]ai”, “easynude[.]website”, and “nude-ai[.]pro.” Each site featured a similar design and offered the same fake service.

After users upload their photos, they are redirected to another page, where they are prompted to download the “generated” image, only to be given a password-protected file from a third-party link, such as Dropbox.

Impact Shorts

More Shorts

America ready for self-driving cars, but it has a legal problem

Alibaba, Baidu begin using own AI chips as China shifts away from US tech amid Nvidia row

However, instead of the promised deepfake nude, the downloaded file contains malware. The malicious software, called Lumma Stealer, is an information-stealing tool that siphons sensitive data such as saved passwords, cookies from web browsers, and cryptocurrency wallets. Other variations of these sites have been found to distribute malware such as Redline Stealer and D3F@ck Loader, both notorious for stealing personal data from compromised computers.

FIN7’s broader campaigns
While Silent Push reported that all the known deepfake nude sites have since been taken down, FIN7’s malicious activities don’t end there. The group has been involved in a variety of other cyber campaigns, including distributing malware like NetSupport RAT by tricking users into installing malicious browser extensions. FIN7 has also been caught spoofing popular brands and applications such as Zoom, Fortnite, Canon, and others, distributing malware through SEO tactics and online advertising.

The hacking group was recently exposed for selling a custom-built tool called “AvNeutralizer” to other criminals, which was used to disable endpoint detection and response (EDR) software during cyberattacks. FIN7 continues to pose a significant threat to businesses and individuals alike, having also been linked to phishing attacks targeting IT staff and ransomware attacks on large organisations.

This recent deepfake scam is just one example of how cybercriminals are evolving their tactics, exploiting controversial technologies and human curiosity to launch more sophisticated attacks.