Introduction

Cybercriminals are increasingly leveraging advanced techniques to bypass email security measures, using new tools and methods to make their attacks more effective [6]. The trend has three visible strands: malicious code embedded in image files, the use of malware-by-numbers kits, and the application of generative AI (GenAI) to streamline and scale operations.

Description

Cybercriminals are increasingly employing new methods to circumvent email security measures [3], in particular by embedding malicious code within image files hosted on reputable websites [2] such as archive.org [2] [5], and by combining malware-by-numbers kits with generative AI (GenAI) to enhance their attack strategies [7]. These tools streamline the creation of new attack components [7], significantly reducing the time and skill required to mount an attack [7]. Recent research indicates that these tactics have made email threats markedly more effective [3]: at least 11% of the email threats analysed evaded one or more email gateway scanners [3]. Executables remain the most common malware delivery format [2] [7], accounting for 40% of cases [2], followed by archive files at 34% [2] [7]. Notably, there has been a significant increase in the use of .lzh archives, which made up 11% of the archive files analysed [7] and were aimed particularly at Japanese-speaking users [2] [7].

Malware is frequently delivered through phishing emails disguised as invoices or requests for quotations [4], often carrying malicious archive files that contain .NET executables or JavaScript files designed to decode and execute further harmful code [4]. For instance [4], the VIP Keylogger records keystrokes, extracts credentials, captures clipboard data and takes screenshots [4], while the 0bj3ctivity Stealer exfiltrates sensitive information such as passwords and credit card details [4]. Recent campaigns have also spread the XWorm remote access trojan (RAT) using HTML smuggling, in which the malicious file is assembled inside the victim's browser from data embedded in an HTML attachment rather than downloaded from a URL that a gateway could block [2] [4]. The loader used in this campaign shows signs of having been developed with GenAI assistance [2], notably detailed comments and a clean, structured HTML design [2] [7]; malware kits of this kind also appear to be shared among different groups [6].

Attackers are hiding malicious code in images to evade security controls that rely on file reputation: an image downloaded from a trusted host is not flagged, so the malicious file appears harmless [5]. The hidden code is retrieved by PowerShell scripts that download the image and then run the .NET executable it contains [4]. Indications also suggest that GenAI was used to create the HTML files, which contain extensive comments and a layout reminiscent of output from models like ChatGPT [4]. GenAI makes it easier for threat actors to scale their operations and to produce many malware variants [4], potentially increasing infection rates [4]. The practical lesson for defenders is that the reputation of the hosting domain says nothing about the content: an image fetched at runtime by a script should be inspected for data beyond the image's end-of-file marker rather than trusted on the strength of where it came from.
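As an added example (not code from the original page, nor from HP or any of the cited reports), the Python script below triages the two delivery tricks described above: a payload appended after an image's end-of-image marker, and an HTML smuggling page that rebuilds a file in the browser from a base64 string. Everything it scans is constructed inline: the fake PNG, the non-renderable JPEG skeleton, the stand-in "executable" and the smuggling HTML. The `<<BASE64_START>>`/`<<BASE64_END>>` markers, the function names and the indicator lists are assumptions for illustration, not details taken from the reports.

```python
import base64
import binascii
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xaeB`\x82"  # IEND chunk type followed by its fixed CRC
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")  # long base64 runs; newlines tolerated
# JavaScript APIs an HTML smuggling page needs to turn a string into a download (assumed list).
SMUGGLING_APIS = (b"atob(", b"new Blob(", b"URL.createObjectURL(", b"msSaveOrOpenBlob(")
DOWNLOAD_NAME = re.compile(rb"""\.download\s*=\s*["']([^"']+)["']""")


def jpeg_end(data):
    """Offset just past the real EOI. Walks segment headers so that a thumbnail
    embedded in an APP1/EXIF segment (which carries its own FF D9) is skipped."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # start of scan: 0xFF is byte-stuffed inside, so the next FF D9 is the EOI
            eoi = data.find(JPEG_EOI, pos)
            return None if eoi == -1 else eoi + 2
    return None


def trailing_bytes(data):
    """(format, bytes after the image's end marker); a clean encoder stops there."""
    if data.startswith(PNG_SIG):
        end = data.find(PNG_IEND)
        return "png", (b"" if end == -1 else data[end + len(PNG_IEND):])
    if data.startswith(JPEG_SOI):
        end = jpeg_end(data)
        return "jpeg", (b"" if end is None else data[end:])
    return None, b""


def classify(blob):
    """Cheap content sniff of a carved payload; only labels the obvious cases."""
    if blob[:2] == b"MZ":
        return "pe-executable"
    head = blob[:4096].lower()
    if b"powershell" in head or b"[system.reflection.assembly]" in head:
        return "powershell"
    return "unknown"


def carve_base64(chunk):
    """Yield (decoded_bytes, kind) for every long base64 run in chunk."""
    for m in B64_RUN.finditer(chunk):
        compact = re.sub(rb"\s+", b"", m.group(0))
        compact = compact[: len(compact) - len(compact) % 4]  # drop a ragged tail
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(decoded) >= 32:
            yield decoded, classify(decoded)


def scan_image(data):
    """Report anything found after the image's end marker, raw or base64-encoded."""
    fmt, tail = trailing_bytes(data)
    findings = [("raw", classify(tail), len(tail))] if tail and classify(tail) != "unknown" else []
    findings += [("base64", kind, len(d)) for d, kind in carve_base64(tail)]
    return {"format": fmt, "trailer_len": len(tail), "findings": findings}


def scan_html(html):
    """Smuggling needs both a decodable blob and an API that hands it to the browser as a file."""
    apis = [a.decode() for a in SMUGGLING_APIS if a in html]
    names = [n.decode(errors="replace") for n in DOWNLOAD_NAME.findall(html)]
    payloads = [(kind, len(d)) for d, kind in carve_base64(html)]
    return {"apis": apis, "download_names": names, "payloads": payloads,
            "suspicious": bool(apis) and bool(payloads)}


# Constructed samples (no real malware): a 1x1 PNG, a JPEG skeleton, a fake "executable".
def _png_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)

def make_clean_png():
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")

def make_jpeg_skeleton():
    """Structurally valid but not renderable: SOI, an APP1 'thumbnail' with its own EOI,
    a SOS header, byte-stuffed scan data, then the real EOI."""
    thumb = b"Exif\x00\x00" + JPEG_SOI + JPEG_EOI
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(thumb)) + thumb
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app1 + sos + b"\x12\xff\x00\x34" + JPEG_EOI

FAKE_PE = b"MZ" + b"\x90" * 62  # stand-in for a .NET executable; MZ header is all the sniff needs
POISONED_PNG = make_clean_png() + b"<<BASE64_START>>" + base64.b64encode(FAKE_PE) + b"<<BASE64_END>>"
POISONED_JPEG = make_jpeg_skeleton() + b"MZ" + b"\x00" * 100 + JPEG_EOI  # raw payload that itself ends in FF D9
SMUGGLING_HTML = (b"<html><script>var b=atob('" + base64.b64encode(FAKE_PE) +
                  b"');var a=document.createElement('a');a.href=URL.createObjectURL(new Blob([b]));"
                  b"a.download='Invoice_2025.pdf.exe';a.click();</script></html>")
```

Point `scan_image` or `scan_html` at a file's bytes (for example `scan_image(open(path, "rb").read())`). The JPEG walker matters because EXIF metadata routinely embeds a thumbnail with its own FF D9 marker, and a plain `rfind(b"\xff\xd9")` would also be fooled by an appended raw executable that happens to end in those two bytes, which the constructed JPEG sample exercises. Treat any non-empty trailer as worth a closer look; the content sniff only labels the obvious cases, and a real deployment would hand the carved bytes to a sandbox or YARA rather than stop at the `MZ` check.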

The landscape of cybercrime is evolving [4], with threat actors diversifying their tactics across multiple vectors and file formats to evade detection [4]. The commodification of cybercrime is accelerating [4], driven by ready-made malware kits and user-friendly tools [4], and AI-driven technologies may accelerate it further [4]. Financially motivated adversaries are expanding their operations [1], using AI-generated text to improve the language, spelling and grammar of spear-phishing emails and so make them more convincing [1]. AI-generated images are also being used to create realistic fake social media profiles for reconnaissance [1].

Groups like Kimsuky have been observed using AI-enabled techniques for vulnerability research and for crafting more convincing phishing emails [1]. Once they gain access to a target environment, they fall back on a range of established tactics, techniques and procedures (TTPs) [1]. Separately, cybercriminals are compromising video game cheat tools and modification repositories on platforms like GitHub [5], adding executable files that carry the Lumma Stealer malware [5], which targets passwords, cryptocurrency wallets and browser data [5]. Users often disable their security tools to run cheats [5], which makes these infections more likely to succeed [5].

To defend against these threats [1], organizations can deploy vulnerability management and patch management systems [1], while email security tools help mitigate the risk from phishing [1]. Basic cyber hygiene, such as phishing and social engineering awareness training, remains crucial [1]. The Tidal Cyber platform provides insight into an organization's coverage against specific TTPs and recommends ways to improve the effectiveness of existing security tools [1]. By combining threat intelligence with coverage maps [1], the platform helps defenders prioritize their security measures against AI-assisted attacks in a rapidly evolving threat landscape [1].

Conclusion

The evolving tactics of cybercriminals, driven by AI and innovative methods, pose significant challenges to traditional security measures. Organizations must adopt comprehensive security strategies, including advanced threat intelligence and robust cyber hygiene practices, to mitigate these risks. As AI technologies continue to advance, the potential for more sophisticated and widespread cyber threats will likely increase, necessitating ongoing vigilance and adaptation in cybersecurity defenses.

References

[1] https://www.tidalcyber.com/blog/build-resilience-as-threat-actors-use-ai-to-lower-the-barriers-to-entry
[2] https://www.hp.com/us-en/newsroom/press-releases/2025/hiding-in-plain-site-attackers-sneaking-malware-into-images-on-websites.html
[3] https://www.infosecurity-magazine.com/news/hackers-image-malware-genai-evade/
[4] https://news.hackreports.com/hackers-hide-malware-in-images-to-deploy-vip-keylogger-and-0bj3ctivity-stealer/
[5] https://betanews.com/2025/01/16/perilous-as-a-picture-attackers-sneak-malware-into-website-images/
[6] https://www.msspalert.com/news/mssp-market-update-orca-sensor-boosts-cdr
[7] https://www.zdnet.de/88419962/angreifer-schmuggeln-malware-in-bilder-auf-website/