EvilAI: From Fake App to Full C2


Summary:

In March 2026, Halcyon observed a surge in EvilAI activity across our customer networks in the Americas and Europe. EvilAI is an active and evolving malware campaign that leverages AI-generated code and social engineering to disguise malware as legitimate applications which bypass security, steal credentials, and persistently compromise organizations worldwide.

The campaign started in August 2025, and Trend Micro described the threat actors then as “highly capable” due to their ability to blur the line between authentic and deceptive software. To date, the actors are unknown, and the tools are not available as a service.  

The Halcyon Ransomware Operations Center (ROC) blocked 68 EvilAI attempts against Halcyon clients during March 2026 alone. The attempted C2 connections carried encrypted payloads designed to enable hidden and modular capabilities. In every case, EvilAI evaded each endpoint security solution other than Halcyon; the Ransomware Operations Center contacted each customer immediately and worked to confirm there were no other infections in the respective environments.

Background:

Dubbed by Trend Micro in September 2025, EvilAI is a malware campaign, first discovered in 2025, that leverages malicious installers distributed via newly registered websites, search engine optimization (SEO)-manipulated search results, forums, and paid advertisements. Known fake apps used in the campaign include AppSuite, Epi Browser, JustAskJacky, Manual Finder, OneStart, PDF Editor, Recipe Lister, and Tampered Chef. These malicious apps are notable because they are fully functional and operate exactly as advertised while carrying out nefarious activities in the background.

According to PolySwarm, EvilAI’s operators “[use] large language models with [anti-analysis loops].” Any attempt to alter or skip these loops disrupts hash calculations, preventing proper malware execution and effectively forcing analysts to rely on dynamic rather than static analysis for reverse engineering. To enhance legitimacy, the operators obtain code-signing certificates from disposable companies (i.e., they register a real but hollow legal entity such as an LLC with no employees, no products, and no real business activity) and replace them as older signatures are revoked, suggesting that the campaign may also rotate certificates to avoid revocation-based detections.

Details:

Halcyon anti-ransomware protects against the EvilAI campaign tools, which are used by Initial Access Brokers to compromise environments and sell that access to ransomware groups. For situational awareness, the following describes what happens if a user installs one of the fake applications without protection:

  1. Persistence: EvilAI often creates a scheduled task named sys_component_health_{UID}, configured to run every four hours and daily at 10:51 AM, and writes a registry Run key entry to guarantee re-execution after reboots.
  2. Browser Credential Theft: EvilAI apps forcibly terminate Microsoft Edge and Chrome browser processes and attempt to disable specific security products, including those from Bitdefender, Kaspersky, and Fortinet.
  3. Encrypted C2 Communication: EvilAI initiates communication with its C2 server by sending encrypted session data, including activity status and timestamps. It creates JSON payloads, encrypts the data, transmits it over HTTPS, and parses the server’s encrypted response to extract command data.
  4. Staging Secondary Payloads: The malware acts as a stager, gaining initial access and establishing persistence, and enumerates installed security software before deploying additional payloads. The most widely confirmed and documented secondary payload thus far is ManualFinderApp.exe, which drops combined backdoor and credential theft capabilities. A potential future secondary payload could be ransomware (e.g., Qilin, Akira, or Play).
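The persistence artifacts listed above (the sys_component_health_{UID} scheduled task and the Run key entry) are the most hunt-friendly indicators in this alert. The following PowerShell script is an added example, not Halcyon’s tooling or the campaign’s code. It assumes the task name pattern exactly as described, treats the {UID} suffix as a wildcard, and, because the alert does not name the Run key value, flags any Run entry that launches a binary from a user-writable directory (an assumption about where a fake-app installer would place itself) for analyst review.

```powershell
# Added hunt script (not Halcyon's code). Looks for the EvilAI persistence
# artifacts described in the alert: a scheduled task named
# sys_component_health_<UID> and a Run key entry that relaunches a binary
# from a user-writable location. Run in an elevated PowerShell session to
# cover HKLM and all task folders.

$findings = @()

# 1. Scheduled tasks whose name matches the documented pattern.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'sys_component_health_*' } |
    ForEach-Object {
        $actions  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        # Report trigger class, start time and repetition (the alert describes
        # a four-hourly repetition plus a daily 10:51 AM trigger).
        $triggers = ($_.Triggers | ForEach-Object {
            "$($_.CimClass.CimClassName) start=$($_.StartBoundary) every=$($_.Repetition.Interval)"
        }) -join ', '
        $findings += [pscustomobject]@{
            Type     = 'ScheduledTask'
            Location = "$($_.TaskPath)$($_.TaskName)"
            Target   = $actions
            Detail   = "State=$($_.State); Triggers=$triggers"
        }
    }

# 2. Run keys that relaunch a binary from a user-writable directory.
#    The value name used by EvilAI is not documented in the alert, so every
#    entry pointing into these roots is surfaced for review (assumption).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ }

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $value = [string]$p.Value
        foreach ($root in $suspectRoots) {
            if ($value -like "*$root*") {
                $findings += [pscustomobject]@{
                    Type     = 'RunKey'
                    Location = "$key\$($p.Name)"
                    Target   = $value
                    Detail   = "Launches from user-writable path $root"
                }
                break
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No EvilAI-style persistence artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A Run key hit is a lead, not a verdict: legitimate updaters also live under AppData, so pair each hit with the signer of the target binary and the scheduled-task match before escalating. The task-name match, by contrast, is specific enough to treat as a probable EvilAI installation.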

Mitigation:

  • Deploy Dedicated Anti-Ransomware Solution: Deploy dedicated anti-ransomware defenses capable of detecting and stopping threats before encryption begins. Halcyon focuses on certificate metadata, PDF conversion applications with supply chain compromise, and metadata within EvilAI fake apps [M1038] [M1040].
  • User Training: The user interview is both a root-cause finding exercise and the natural entry point into this mitigation. User training educates employees and contractors to recognize, report, and prevent cyber threats that rely on human interaction, creating a human firewall by making users active components of the organization’s cybersecurity defenses. The interview reveals how the user encountered the lure (malvertising, search result, forum link, social media) and informs which training gaps need to be addressed [M1017].

References:

Source Summary:

This Alert is based on Halcyon observations, open-source information, and ongoing research. Findings reflect our current understanding of threat actor activity and may be updated as new evidence emerges. Assessments may be revised as additional evidence becomes available.


The Halcyon Ransomware Research Center unites experts, drives smart policies, and delivers actionable intelligence to detect, disrupt, and defeat ransomware. Explore the Center’s latest reports, analysis, and resources here.


