AI Nude Photo Generator Delivers Infostealers Instead of Images

Published: 23/11/2024   Category: security

The FIN7 group is mounting a sophisticated malware campaign that spans numerous websites, to lure people with a deepfake tool promising to create nudes out of photos.



The notorious FIN7 threat group is combining artificial intelligence (AI) with social engineering in an aggressive, adult-themed threat campaign that dangles lures for access to technology that can deepfake nude photos — all to fool people into installing infostealing malware.
The powerful Russian financial cybercrime group has created at least seven websites that advertise what's called a "DeepNude Generator," which promises to use deepfake technology to transform any photo into a nude representation of the person pictured, according to new research from the threat hunters at Silent Push.
People can either download the generator via the site or sign up for a free trial, demonstrating the sophistication of the scam. But instead of receiving the tool, they end up downloading malicious payloads such as the stealers Lumma and Redline, which can be used to deliver further malware such as ransomware, the researchers said.
Given the provocative lure, organizations are vulnerable to the campaign, as it may entice unsuspecting employees to download malicious files. These files may directly compromise credentials via infostealers or be used for follow-on campaigns that deploy ransomware, according to a blog post about the research.
Meanwhile, FIN7 also continues to promote an existing malvertising campaign that targets corporate users with lures to content by popular brands — including SAP Concur, Microsoft, Thomson Reuters, and FINVIZ stock screening — to spread the NetSupport RAT and .MSIX malware, according to Silent Push. The researchers identified a number of active IPs, and thus active new websites, hosting the ploy, which asks people to download a supposedly required browser extension, actually a malicious payload, in order to view content related to the brands.
The DeepNude Generator campaign demonstrates particularly sophisticated thought and planning on the part of FIN7, which developed at least seven dedicated website URLs — such as aiNude[.]ai, easynude[.]website, and ai-nude[.]cloud — to make it appear convincing.
There is also evidence that FIN7 is employing search engine optimization (SEO) to keep users engaged and to rank its honeypots higher in search results by placing "Best Porn Sites" footer links on its sites. Those links direct victims to other malicious sites dangling the same lure.
Moreover, the group invested effort in creating two website versions for promoting the deepfake tool. The first involves a DeepNude Generator free download, and the second offers site visitors a DeepNude Generator free trial, each with a different attack flow.  
The first uses a simple user flow that uses a free download link leading users to a new domain featuring a Dropbox link or another source hosting a malicious payload, according to Silent Push.
The second attack flow prompts users, via a "free trial" button, to upload an image to test the generator. Once that is done, the user is shown a "trial is ready for download" message, with a corresponding pop-up that requires the user to answer the question: "The link is for personal use only, do you agree?"
If the user agrees and clicks download, they are served a .zip file with a malicious payload that leads to the Lumma Stealer, and which uses a DLL side-loading technique for execution, according to Silent Push.
The two campaigns demonstrate that FIN7 — a cybercrime collective also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group that's been active since 2012 — remains an imminent threat despite many attempts by law enforcement to shut it down, or at least significantly disrupt it. It also shows a tenacity on the group's part to evolve with modern technology and psychological tactics to create more sophisticated ways to spread malware, the researchers said.
Indeed, FIN7 has long been known for its savvy combination of malware and social engineering, having mounted a slew of successful, financially motivated attacks against global organizations that have hauled in well over $1.2 billion — and counting — for the criminal enterprise.
To help organizations combat threats from FIN7 and other organized cybercriminal groups, developing indicators of attack based on the group's tactics, techniques, and procedures (TTPs) is one method. Training employees to recognize the increasingly elaborate social engineering tactics that threat groups use, and blocking the download of any unknown files from the Internet onto a machine connected to a corporate network, can also help enterprises avoid compromise by sophisticated threat campaigns.
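The two defensive measures above (indicators built from the group's TTPs, and blocking unknown downloads) can be turned into a simple triage pass over web-proxy logs. The script below is an added example and is not code from Silent Push or from this article: the three lure domains are the ones quoted in the research, while the log format, the allow list, and every sample log line are constructed for illustration. It refangs the published indicators, flags requests to those domains or their subdomains, and separately flags archive downloads (the campaign's payloads arrive as .zip files, with .MSIX used in the brand-themed campaign) from any host not on an allow list, which also catches the Dropbox-hosted payload of the first attack flow.

```python
"""Triage web-proxy log lines for the FIN7 DeepNude lure campaign.

Two checks, both drawn from the article's defensive advice:
  1. requests to the lure domains Silent Push reported (kept defanged in the
     source and refanged at run time), including their subdomains;
  2. archive-style downloads (.zip/.rar/.7z/.msix) from any host that is not on
     an allow list, since both attack flows end in a hosted archive payload.
The log format, allow list and sample lines are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Lure domains quoted in the Silent Push research, kept defanged as published.
DEFANGED_LURE_DOMAINS = ["aiNude[.]ai", "easynude[.]website", "ai-nude[.]cloud"]

# Hypothetical corporate allow list for archive downloads (assumption for this example).
ARCHIVE_ALLOW_LIST = {"downloads.example-corp.internal"}

ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".msix")

# Constructed proxy log format: <timestamp> <client-ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'aiNude[.]ai' into a matchable lowercase hostname."""
    return domain.replace("[.]", ".").lower()


LURE_DOMAINS = {refang(d) for d in DEFANGED_LURE_DOMAINS}


def matches_lure(host: str) -> bool:
    """True for an exact lure domain or any subdomain of one (e.g. cdn.ai-nude.cloud)."""
    return host in LURE_DOMAINS or any(host.endswith("." + d) for d in LURE_DOMAINS)


def is_archive_download(url: str) -> bool:
    """Check the URL path (query string ignored) for an archive extension."""
    return urlparse(url).path.lower().endswith(ARCHIVE_SUFFIXES)


def triage(line: str):
    """Return a finding dict for a suspicious log line, or None if it is clean or unparseable."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    url = m["url"]
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if matches_lure(host):
        reasons.append("known FIN7 lure domain")
    if is_archive_download(url) and host not in ARCHIVE_ALLOW_LIST:
        reasons.append("archive download from unapproved host")
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "host": host, "reasons": reasons}


def scan(lines):
    """Run triage over an iterable of log lines and keep only the findings."""
    return [hit for hit in map(triage, lines) if hit is not None]


# Constructed sample log: one lure visit, one Dropbox-hosted archive, one approved
# internal download, one benign page, one lure subdomain serving a zip, one junk line.
SAMPLE_LOG = """\
2024-11-23T10:14:02Z 10.0.0.15 GET https://easynude.website/download/free 200
2024-11-23T10:14:09Z 10.0.0.15 GET https://www.dropbox.com/s/CONSTRUCTED/DeepNude_trial.zip?dl=1 200
2024-11-23T10:15:30Z 10.0.0.22 GET https://downloads.example-corp.internal/tools/client.zip 200
2024-11-23T10:16:01Z 10.0.0.31 GET https://www.example.com/news/index.html 200
2024-11-23T10:17:45Z 10.0.0.15 GET https://cdn.ai-nude.cloud/trial/ready.zip 200
this line is not a log record
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']}: {'; '.join(hit['reasons'])}")
```

Matching on the URL path rather than the full URL keeps query strings such as Dropbox's `?dl=1` from hiding the archive extension, and checking subdomains of each lure domain means a new host under an already-known domain is still caught; the real allow list and log format would of course be the organization's own.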
