Infostealers — malware that steals passwords, cookies, documents, and/or other valuable data from computers — have become 2025’s fastest-growing cyberthreat. This is a critical problem for all operating systems and all regions. To spread their infection, criminals use every possible trick to use as bait. Unsurprisingly, AI tools have become one of their favorite luring mechanisms this year. In a new campaign discovered by Kaspersky experts, the attackers steer their victims to a website that supposedly contains user guides for installing OpenAI’s new Atlas browser for macOS. What makes the attack so convincing is that the bait link leads to… the official ChatGPT website! But how?

The bait-link in search results

To attract victims, the malicious actors place paid search ads on Google. If you try to search for “chatgpt atlas”, the very first sponsored link could be a site whose full address isn’t visible in the ad, but is clearly located on the chatgpt.com domain.

The page title in the ad listing is also what you’d expect: “ChatGPT™ Atlas for macOS – Download ChatGPT Atlas for Mac”. And a user wanting to download the new browser could very well click that link.

The Trap

Clicking the ad does indeed open chatgpt.com, and the victim sees a brief installation guide for the “Atlas browser”. The careful user will immediately realize this is simply some anonymous visitor’s conversation with ChatGPT, which the author made public using the Share feature. Links to shared chats begin with chatgpt.com/share/. In fact, it’s clearly stated right above the chat: “This is a copy of a conversation between ChatGPT & anonymous”.

However, a less careful or just less AI-savvy visitor might take the guide at face value — especially since it’s neatly formatted and published on a trustworthy-looking site.

Variants of this technique have been seen before — attackers have abused other services that allow sharing content on their own domains: malicious documents in Dropbox, phishing in Google Docs, malware in unpublished comments on GitHub and GitLab, crypto traps in Google Forms, and more. And now you can also share a chat with an AI assistant, and the link to it will lead to the chatbot’s official website.

Notably, the malicious actors used prompt engineering to get ChatGPT to produce the exact guide they needed, and were then able to clean up their preceding dialog to avoid raising suspicion.

The infection

To install the “Atlas browser”, users are instructed to copy a single line of code from the chat, open Terminal on their Macs, paste and execute the command, and then grant all required permissions.

The specified command essentially downloads a malicious script from a suspicious server, atlas-extension{.}com, and immediately runs it on the computer. We’re dealing with a variation of the ClickFix attack. Typically, scammers suggest “recipes” like these for passing CAPTCHA, but here we have steps to install a browser. The core trick, however, is the same: the user is prompted to manually run a shell command that downloads and executes code from an external source. Many already know not to run files downloaded from shady sources, but this doesn’t look like launching a file.

When run, the script asks the user for their system password and checks if the combination of “current username + password” is valid for running system commands. If the entered data is incorrect, the prompt repeats indefinitely. If the user enters the correct password, the script downloads the malware and uses the provided credentials to install and launch it.

The infostealer and the backdoor

If the user falls for the ruse, a common infostealer known as AMOS (Atomic macOS Stealer) will launch on their computer. AMOS is capable of collecting a wide range of potentially valuable data: passwords, cookies, and other information from Chrome, Firefox, and other browser profiles; data from crypto wallets like Electrum, Coinomi, and Exodus; and information from applications like Telegram Desktop and OpenVPN Connect. Additionally, AMOS steals files with extensions TXT, PDF, and DOCX from the Desktop, Documents, and Downloads folders, as well as files from the Notes application’s media storage folder. The infostealer packages all this data and sends it to the attackers’ server.

The cherry on top is that the stealer installs a backdoor, and configures it to launch automatically upon system reboot. The backdoor essentially replicates AMOS’s functionality, while providing the attackers with the capability of remotely controlling the victim’s computer.

How to protect yourself from AMOS and other malware in AI chats

This wave of new AI tools allows attackers to repackage old tricks and target users who are curious about the new technology but don’t yet have extensive experience interacting with large language models.

We’ve already written about a fake chatbot sidebar for browsers and fake DeepSeek and Grok clients. Now the focus has shifted to exploiting the interest in OpenAI Atlas, and this certainly won’t be the last attack of its kind.

What should you do to protect your data, your computer, and your money?

• Use reliable anti-malware protection on all your smartphones, tablets, and computers, including those running macOS or Linux.
• If any website, instant message, document, or chat asks you to run any commands — like pressing Win+R or Command+Space and then launching PowerShell or Terminal — don’t. You’re very likely facing a ClickFix attack. Attackers typically try to draw users in by urging them to fix a “problem” on their computer, neutralize a “virus”, “prove they are not a robot”, or “update their browser or OS now”. However, a more neutral-sounding option like “install this new, trending tool” is also possible.

• Never follow any guides you didn’t ask for and don’t fully understand.

• The easiest thing to do is immediately close the website or delete the message with these instructions. But if the task seems important, and you can’t figure out the instructions you’ve just received, consult someone knowledgeable. A second option is to simply paste the suggested commands into a chat with an AI bot, and ask it to explain what the code does and whether it’s dangerous. ChatGPT typically handles this task fairly well.

How else do malicious actors use AI for deception?

• AI sidebar spoofing: a new attack on AI browsers
• Attacks using Syncro & AI-generated websites
• How phishers and scammers use AI
• Trojans masquerading as DeepSeek and Grok clients
• How fraudsters bypass customer identity verification using deepfakes

Kaspersky official blog – ​Read More

• While tracking ransomware activities, Cisco Talos uncovered new tactics, techniques, and procedures (TTPs) linked to a financially motivated threat actor targeting victims with DeadLock ransomware. 
• The actor used the Bring Your Own Vulnerable Driver (BYOVD) technique with a previously unknown loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling the termination of endpoint detection and response (EDR) processes. 
• The actor ran a PowerShell script that bypasses User Account Control (UAC), disables Windows Defender, terminates various security, backup, and database services, and deletes all volume shadow copies to prevent system recovery. 
• The DeadLock ransomware targets Windows machines with a custom stream cipher encryption algorithm that uses time-based cryptographic keys to encrypt files. 
• This custom encryption method allows DeadLock ransomware to effectively encrypt different file types in enterprise environments while preventing system corruption through selective targeting and anti-forensics techniques, which complicate recovery.

Disabling EDR services via BYOVD technique 

T1211 – Exploitation for defense evasion 

Talos observed a threat actor leveraging a BYOVD technique to disable endpoint detection and escalate privileges in an attack that eventually delivered DeadLock ransomware as the payload. 

The attack relied on “BdApiUtil.sys”, a legitimate Baidu Antivirus driver containing an Improper Privilege Management vulnerability with CVE-2024-51324 — which the actor disguised using the file name “DriverGay.sys”. This Improper Privilege Management vulnerability exposes a critical function in the driver program that allows unprivileged users to terminate any process on the system at the kernel level. 

The attack began when the actor dropped the loader (using the file name “EDRGay.exe”) and the vulnerable driver into the victim’s Videos folder and ran the loader. The loader, running in user mode, initializes the driver and establishes a connection via the CreateFile() Windows API. It specifies the driver’s real device name (“\.BdApiUtil”) to obtain a handle which essentially acts as a “ticket” to authorize future communication between the loader and the driver. 

Once connected, the loader enumerates running system processes to identify the process ID (PID) of the target antivirus or EDR solution. To trigger the exploit, it calls the DeviceIOControl() function, passing the target PID along with the specific I/O Control Code (IOCTL) 0x800024b4. 

This 32-bit IOCTL value is structured to instruct the driver exactly how to operate: 

• Device Type: 0x8000 
• Access: 0x0 (FILE_ANY_ACCESS) 
• Method: 0x0 (METHOD_BUFFERED) 
• Function Code: 0x92D 

Upon receiving the request, the driver decodes the function code 0x92D as a “terminate process” command. Due to the CVE-2024-51324 vulnerability, the driver fails to validate if the user-mode program has the necessary permissions to make this request. Because the driver operates in kernel mode with the highest system privileges, it blindly accepts the command and executes ZwTerminateProcess(), instantly killing the targeted security service. 

PowerShell script for inhibiting system recovery 

T1548.002 – Bypass User Account Control 

T1490 – Inhibit system recovery  

Talos observed that the threat actor executed a PowerShell script in the victim’s machine before the encryption process. The PowerShell script is a pre-encryption preparation component of the attack that the actor used to bypass the UAC, disable the detection services, and inhibit the system recovery of the victim machine.  

The script implements a privilege escalation mechanism through the Test-Admin function that automatically detects current user permissions and re-launches itself with administrative privileges using the Verb RunAs parameter, ensuring it operates with the necessary system-level access required for service manipulation and shadow copy deletion. This elevation technique bypasses UAC prompts through the exec bypass execution policy override, allowing the script to execute without standard PowerShell security restrictions. 

The main functionality of the script centers around service termination, designed to disable security software, backup systems, and database applications that could affect the ransomware encryption process. It includes an extensive exclusion list of Windows services that must remain operational to maintain basic functionality of the system for ransom payment discussions and processing, including core networking services (Winrm, Dns, Dhcp), authentication mechanisms (Kdc, Netlogon, Lsm), and essential system components (Rpcss, Plugplay, Eventlog).  

The script targets the running services outside the exclusion list, which not only terminates active services but permanently disables their startup configuration to prevent automatic recovery during system reboots.  

The script executes commands to delete all volume shadow copy snapshots, eliminating the victim’s ability to recover the system. It has a self-deletion mechanism that removes the traces of its existence in the victim machine, hindering the forensic analysis efforts.  

Talos found that the threat actor disabled several other commands in the script that are designed to eliminate network shares and terminate system process and services through alternative methods. The network share deletion commands target specific Windows file sharing infrastructure through Windows Management Instrumentation (WMI) queries, removing all standard network shares while preserving administrative and domain controller shares, effectively isolating the infected system from network file sharing capabilities that could be used for lateral movement or data exfiltration activities. Subsequently, there are commands that target print-related shares by removing print$ and prnproc$ administrative shares, disrupting network printing services that could potentially be used as communication channels or recovery mechanisms.  

There are also process termination commands which are designed to directly kill the PIDs associated with the running services that are not on the exclusion list, bypassing standard service shutdown procedures that would trigger alerts before termination.  

Talos spotted a service startup modification command in the script that shows the advanced Windows service management techniques used to permanently alter service startup configurations, ensuring that even after system reboots, targeted services remain disabled. 

We also observed a file-based exclusion technique in the final section of the script where it reads the exclusion service names from an external file “run[.]txt”, indicating the dynamic control of the service exclusion list depending upon the targeted environments.  

Other notable TTPs 

Talos discovered several other notable TTPs of the DeadLock ransomware attacks from the telemetry data. Our assessment revealed that the actor had access to the victim’s network five days prior to the ransomware deployment.   

Initial access and system registry modification  

T1078 – Valid Accounts 

T1112 – Modify Registry 

T1021.001 – Remote Desktop Protocol 

T1562.004 – Disable or Modify System Firewall 

T1569.002 – Service execution 

Talos suspects that the threat actor leverages the compromised valid accounts to gain access to the victim’s machine based on telemetry data. 

Upon gaining the system access, we observed that the threat actor attempted to enable and expose remote access services on the victim machine by using the reg add command to modify the fDenyTSConnections registry value, which directly enables the machine to accept Remote Desktop Protocol (RDP) connections. Then, the actor executed the netsh advfirewall command to create a new inbound firewall rule, opening TCP port 3389 to ensure RDP traffic isn’t blocked. Finally, they used sc config and sc start to change the RemoteRegistry service to on-demand and immediately start it, allowing them to query and modify the system’s registry from another machine for further reconnaissance and configuration modifications. 

reg add HKLMSYSTEMCurrentControlSetControlTerminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f 

netsh advfirewall firewall add rule name=allow RemoteDesktop dir=in protocol=TCP localport=3389 action=allow 

sc config RemoteRegistry start= demand 

Sc start RemoteRegistry 

Remote access for persistent connection 

T1219.002 – Remote Desktop Software 

We assess that the threat actor, operating from a compromised user account, installed a new instance of AnyDesk on a specific host one day prior to an encryption event. This action was likely taken to establish persistent, remote access. 

While other instances of AnyDesk were already present in the environment, this new installation was suspicious. The actor used a specific sequence of commands to silently install the software, configure it to start with Windows, and set up a password for unattended access, while disabling updates that might terminate the actor’s connection to the victim’s machine. 

C:AnyDesk.exe --install C:Program Files (x86)AnyDesk --start-with-win --silent --update-disabled 

C:Program Files (x86)AnyDeskAnyDesk.exe --start-service 

C:Program Files (x86)AnyDeskAnyDesk.exe --set-password 

C:Program Files (x86)AnyDeskAnyDesk.exe --control 

Reconnaissance and lateral movement  

T1018 – Remote System Discovery 

T1069.002 – Domain discovery 

T1033 – System owner / user discovery 

T1046 – Network service discovery 

T1218.014 – System Binary proxy execution: MMC 

T1102 – Web Service 

Talos observed several commands the actor executed for internal reconnaissance and lateral movement within the victim environment following the AnyDesk installation, highlighting their intent to discover and move to high-value targets.  

The actor attempted to discover domain controllers, query the domain structure, and enumerate the privileged groups and their members. They performed a connectivity test using a ping command to see if a target machine was reachable and checked the logged-on user details by executing the Quser command.  

Then, with the discovered internal IP addresses, the actor moved laterally by executing the mstsc command to start the Remote Desktop Protocol (RDP) session. They also executed the mmc.exe compmgmt.msc command, which is an alternative remote computer management command without a full interactive RDP session. Finally, the actor executed iexplore.exe, likely to access an internal web resource.  

Nltest /dclist 

Nltest  

Nltest dclist: DC HOST NAME 

Net local group /domain  

Mstsc.exe /v:   

Ping  

Quser 

iexplore.exe http: INTERNAL IP ADDRESS 

mmc.exe compmgmt.msc /computer: INTERNAL IP ADDRESS 

Impair defenses 

T1562.001 – Disable or Modify tools 

T1218 – System Binary Proxy Execution 

Talos observed that the actor modified the Windows Defender settings using legitimate Windows executable SystemSettingsAdminFlows.exe. By executing the following commands, the actor disabled Real-Time Protection (RTP) in Windows Defender. They subsequently disabled cloud-based protections through the command SpynetReporting 0, which stops the machine from sending threat reports to Microsoft. The command SubmitSamplesConsent 0 prevents Windows Defender from automatically submitting suspicious files for analysis. 

SystemSettingsAdminFlows.exe Defender RTP 1 

SystemSettingsAdminFlows.exe Defender SpynetReporting 0 

SystemSettingsAdminFlows.exe Defender SubmitSamplesConsent 0 

SystemSettingsAdminFlows.exe Defender DisableEnhancedNotifications 1 

DeadLock ransomware 

Talos observed that the threat actor deployed DeadLock ransomware as the payload in their attack. DeadLock ransomware has been active since as early as July 2025 and, unlike other ransomware actors, this threat actor does not operate a data leak site. Instead, victims are persuaded to contact the threat actor operating the DeadLock ransomware via Session messenger. 

The DeadLock ransomware encryptor is specifically designed to target the Windows environment. The encryptor binary was written in C++ and compiled in July 2025, indicating the start time of the threat actor’s operation. 

Upon execution, the DeadLock ransomware immediately drops and executes an embedded batch script (.cmd) in the victim’s “ProgramData” folder. This script functions as a loader, first preparing the system by setting up the console code page to UTF-8 by executing the command chcp 65001. This step ensures that the ransom note can be displayed correctly, even with special or non-English characters. After configuring the environment, the script stealthily launches the main ransomware binary and then deletes itself to remove its tracks. 

The ransomware then uses a process hollowing technique to inject itself into the targeted process rundll32.exe, masquerading as a normal system process in the victim machine. 

Ransomware configuration data 

The DeadLock ransomware relies on a massive 8,888-byte configuration block embedded directly within its binary to dictate its entire operational strategy. Upon execution, the ransomware parses this data using pipe (|) delimiters and loads the structure into memory in the following format: 

[CRYPTO_SEED] | [TIMING] | [PROCESSES] | [SERVICES] | [EXCLUDED_EXTENSIONS] | [EXCLUDED_PATHS] | [CAMPAIGN_ID] | [RANSOM_NOTE] | [HTML_MARKER] | [VISUAL_DATA] 

Talos identified a hardcoded 65-character numeric string within the configuration that serves as the base key for the encryption function:  

10581067105910871088211520721049106420921068109010791065111492178193

This key is coupled with specific timing parameters (1000, 0055242988), which are likely used to implement execution delays and initialize pseudo-random number generation seeds. 

The configuration contains a comprehensive “kill list” designed to disable security controls, remote access tools, and file-locking applications. 

The ransomware terminates standard Windows utilities (e.g., Explorer, PowerShell, Task Manager), alongside specific high-value targets: 

• Remote access: AnyDesk, RustDesk, Microsoft Remote Desktop connection (mstsc). 
• Cloud storage: Dropbox, OneDrive. 
• Security: Antimalware Service (msmpeng), SecurityHealthService, SmartScreen. 

The ransomware targets services to release file handles and disable defenses, specifically: 

• Databases: Microsoft SQL Server (including named instances like MSSQL$VEEAMSQL2012), Sybase SQL Anywhere (dbsrv12), and MySQL (FishbowlMySQL). 
• Backup and recovery: Enterprise solutions including Veeam (VeeamTransportSvc), Veritas Backup Exec, Acronis, CA Arcserve, and Carbonite. 
• Security suites: Endpoint protection components from Symantec/Norton (ccEvtMgr, RTVscan), McAfee (MVArmor), and 360 Security defender (zhudongfangyu). 
• Business applications: Intuit QuickBooks, Microsoft Exchange, Apache Tomcat, and VMware tools (vmware-usbarbitator6s4). 

To ensure the OS remains stable enough for the victim to pay the ransom, the configuration enforces strict exclusion lists: 

• Critical folders: $recycle.bin, Program Files, ProgramData, Windows, and System Volume Information. 
• File extensions: A vast list of executables, drivers, and system files, including .exe, .dll, .sys, .msi, .lnk, and .boot. 
• Critical files: Boot loaders and system configuration files, such as bootmgr, ntldr, ntuser.dat, and desktop.ini. 

The configuration block also stores the full plaintext ransom note along with an HTML marker (<!doctype html>) indicates the ransomware is also capable of generating an HTML version of the note. Additionally, Talos observed a unique 64-character, SHA256-like hash value which likely serves as a specific campaign identifier or infection marker. 

DeadLock ransomware encryption process 

The Deadlock ransomware encryption operation is a sophisticated approach which includes recursive directory traversal, memory-mapped file I/O, custom stream cipher implementation, and multi-threaded processing to efficiently encrypt entire file systems while avoiding detections through custom cryptographic implementations rather than standard Windows cryptographic APIs.  

The encryption orchestration function begins its operation with the recursive directory traversal to enumerate all accessible files on the target system while applying the exclusion filters from the parsed configuration data. 

Then the encryption orchestration function executes another key generation function that relies on time-based seeding from system timers through the function GetSystemTimeAsFileTime along with complex mathematical operations producing 8-byte pseudo-random encryption key streams. 

Finally, it executes the core encryption function which first performs a UTF-8 validation check on the file’s content and processes file data in 16-byte blocks. For each byte it applies to the stream cipher using the generated pseudo-random key stream, ultimately encrypting the file data in the memory and writing the encrypted result back to the filesystem.  Then the ransomware renames the encrypted file by appending the hexadecimal identifier and the file extension “.dlock” to the encrypted files. 

To evade the automated sandbox analysis, the ransomware executes a delay function, which implements a 50-second delay before it initiates the encryption action. 

During its execution, the DeadLock ransomware drops an icon file, Windows batch script, and a bitmap image file in the ProgramData folder of the victim machine.  

Talos observed that the ransomware replaces the icon of encrypted files with a custom icon file by configuring the path of the dropped icon file to the file extension .dlock in the “DefaultIcon” registry key of the victim machine Software registry hive.  

After encryption, the actor also changed the victim machine’s desktop wallpaper to a custom wallpaper and disabled the command line utilities in the victim machine.  

The ransomware drops the ransom note in each of the folders in the victim machine where the targeted files have been encrypted. 

The DeadLock ransom note displays an alarming claim of “military-grade encryption” followed by a six-step recovery process. The ransom note also describes the acceptance of ransom payment in Bitcoin or Monero and indicates warnings against file renaming or third-party decryption attempts. The personal identifier “READ ME.hex_identifier.txt” at the end of the ransom note is likely a victim identification marker. 

The threat actor employs the Session messenger as their primary communication platform, leveraging its end-to-end encryption and anonymity features to evade law enforcement surveillance while maintaining victim contact through the session ID. 

Coverage 

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please  contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort SIDs for the threats are:  65576, 65575 and 301358.

ClamAV detections are also available for this threat: 

• Win.Tool.EDRKiller-10058432-0 
• Win.Tool.VulnBaiduDriver-10058431-1 
• Ps.Tool.DeleteShadowCopies-10058429-0 
• Win.Ransomware.Deadlock-10058428-0 

Indicators of compromise (IOCs) 

The IOCs can also be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More