The interest in generative AI shows no signs of slowing down – and now cybersecurity researchers are warning Cisco Talos for a new wave of attacks masked behind popular AI services.

Cisco Talos, Cisco’s cyber threat analysis and research organization, has examined a new wave of ransomware attacks where attackers masquerade as emails from popular AI services. Services exploited include ChatGPT, InVideo AI, and Nova AI.

The mailing lures users to visit a fake site designed to look like the company's own and download software. An "installation package" for ChatGPT 4.0 actually contained the widespread ransomware program LuckyGhO$t which was first observed in beginning by 2025.

Advertisement

In the case investigated, the file contained, in addition to the program, also legitimate AI tools which makes it possible to bypass antivirus programs. When LuckyGh0$t is activated, smaller files are encrypted, while larger files are deleted and replaced with junk files – in order to restore the files, the victim is demanded to pay a ransom.

Also the sales tool Novaleads and The video generator InVideoAI has been similarly exploited to infect consumer devices. In these cases, the ransomware CyberLock and Numero, a program that manipulates the Windows graphical user interface, are used.

“There is a startlingly large amount of AI-themed scams right now, but it is not surprising at the same time as it is one of the fundamental success factors for criminals. Professional cybercriminals are, and always have been, very skilled at determining what people find interesting and want to know more about. When AI services are used by a large part of the population, the risk is always greater that you reach many unsuspecting users if they receive a mailing from a service they may use daily,” says Henrik Bergqvist, cybersecurity expert at Cisco Sweden.

Cisco Talos recommends being vigilant about emails even from services you use, always verifying that a web address in a link leads to a legitimate site, only downloading software from official sources or trusted app stores, and keeping your devices' security features enabled and updated.