AI-Enabled Phishing and Malware Delivery Trends
Security researchers and industry commentary describe a broader rise in AI-assisted cybercrime, with attackers using generative AI to improve phishing lures, clone legitimate login pages, and scale social-engineering operations. Reporting highlights that phishing remains a leading initial access vector, while phishing-as-a-service and AI-generated content are making campaigns more convincing and easier to produce at volume. IBM similarly warns that AI is acting as a force multiplier for attackers, lowering the cost of malware development and enabling more disposable, harder-to-attribute malicious tooling.
Kaspersky documented active campaigns in which threat actors used Google Search ads and fake documentation pages to distribute the AMOS infostealer on macOS and Amatera on Windows, disguising the malware as popular AI tools including OpenClaw, Claude Code, and Doubao. By contrast, ZDNET's article focuses on the business and product-security shortcomings of Moltbook and OpenClaw acquisitions rather than a specific threat campaign, making it adjacent but not part of the same security event. The material overall is not fluff because it includes substantive threat reporting and technical security analysis, even though the references describe related developments rather than one discrete incident.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Kaspersky discloses fake AI agent malware campaign details
On March 12, 2026, Kaspersky published details of a campaign abusing interest in AI assistants such as Claude Code, Doubao, and OpenClaw to spread infostealers. The report said the activity had been seen in countries including Romania and Brazil and noted exfiltration of browser data, crypto-wallet information, and user files to remote infrastructure.
Malvertising campaign uses fake AI tool pages to deliver AMOS and Amatera
In early March 2026, attackers were observed buying Google Search ads for terms such as "Claude Code download" and directing users to fake AI tool documentation pages. The pages used a ClickFix-style social engineering flow to trick victims into running commands that installed AMOS on macOS or Amatera on Windows.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Foiling modern phishing across the attack chain | perspective | SC Media
scworld.com
Open sourceAMOS and Amatera disguised as AI agents | Kaspersky official blog
kaspersky.com
Open sourceA Slopoly start to AI-enhanced ransomware attacks | IBM
ibm.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI and Open-Source Ecosystem Abused for Malware Delivery and Agent Manipulation
Multiple reports describe threat actors abusing *AI-adjacent* and open-source distribution channels to deliver malware or manipulate automated agents. Straiker STAR Labs reported a **SmartLoader** campaign that trojanized a legitimate-looking **Model Context Protocol (MCP)** server tied to *Oura* by cloning the project, fabricating GitHub credibility (fake forks/contributors), and getting the poisoned server listed in MCP registries; the payload ultimately deployed **StealC** to steal credentials and crypto-wallet data. Separately, researchers observed attackers using trusted platforms and SaaS reputations for delivery and monetization: a fake Android “antivirus” (*TrustBastion*) was hosted via **Hugging Face** repositories to distribute banking/credential-stealing malware, and Trend Micro documented spam/phishing that abused **Atlassian Jira Cloud** email reputation and **Keitaro TDS** redirects to funnel targets (including government/corporate users across multiple language groups) into investment scams and online casinos. In parallel, research highlights emerging risks where **AI agents and AI-enabled workflows become the target or the transport layer**. Check Point demonstrated “**AI as a proxy**,” where web-enabled assistants (e.g., *Grok*, *Microsoft Copilot*) can be coerced into acting as covert **C2 relays**, blending attacker traffic into commonly allowed enterprise destinations, and outlined a trajectory toward prompt-driven, adaptive malware behavior. OpenClaw featured in two distinct security developments: an OpenClaw advisory described a **log-poisoning / indirect prompt-injection** weakness (unsanitized WebSocket headers written to logs that may later be ingested as trusted context), while Hudson Rock reported an infostealer incident that exfiltrated sensitive **OpenClaw configuration artifacts** (e.g., `openclaw.json` tokens, `device.json` keys, and “memory/soul” files), signaling that infostealer operators are beginning to harvest AI-agent identities and automation secrets in addition to browser credentials.
Mar 21, 2026
Criminal AI Services Accelerate Phishing, Fraud, and Malware Evasion
Underground operators are increasingly packaging generative AI into **criminal AI-as-a-service** offerings that support phishing, fraud, impersonation, malware modification, translation, and post-breach data analysis. Reporting on the market describes branded tools such as **FraudGPT**, **GhostGPT**, and **WormGPT**, but says many are little more than wrappers around legitimate models, stolen accounts, or hijacked API keys rather than fully autonomous hacking platforms. Researchers also highlighted a parallel market for deepfake-enabled abuse, including voice cloning, face swaps, fake selfies, and virtual camera injection used for KYC bypass, synthetic identity fraud, and onboarding scams. Sophos separately identified a malware development lab using AI tools including **Cursor** and **Claude Opus** to speed ransomware-related coding, payload refinement, and evasion testing. The framework reportedly generated Python-driven Rust and Go malware modules, customized **Cobalt Strike** profiles, Telegram-based command channels, Cloudflare Worker intermediaries for command-and-control traffic, code-injection scripts targeting legitimate Windows applications, and AI-assisted Active Directory reconnaissance. Researchers said the operation tested nearly 80 modules against more than 70 evasion methods across Sophos, CrowdStrike, and Microsoft defenses, reinforcing that the immediate risk is not autonomous AI malware but faster, cheaper, and more scalable attacker workflows.
Jun 18, 2026
Attackers weaponize AI brands to spread phishing and malware
Microsoft Threat Intelligence reported that threat actors are exploiting the popularity of AI platforms including **ChatGPT**, **Claude**, **DeepSeek**, and **Flux Pro AI** to drive phishing, malvertising, and malware delivery rather than compromising the vendors themselves. One ChatGPT-themed campaign, aimed largely at South African users, used payment-update emails and redirect chains through legitimate services to a compromised site that harvested personal and credit card data. A separate Claude-themed operation targeted more than 2,000 organizations and likely used adversary-in-the-middle techniques to steal Microsoft sign-in credentials and authentication tokens. Microsoft also linked large-scale AI-themed malvertising to **Storm-3075**, which pushed fake AI plugin downloads and delivered malware including **Vidar Stealer**, **Lumma Stealer**, **Hijack Loader**, and **Oyster**, with parts of the chain tied to **Fox Tempest** malware-signing services. In another case, attackers created a fake **DeepSeek V4** GitHub repository within hours of the model’s launch, using copied benchmark data, official-looking branding, SEO tactics, and rotating payloads to distribute **Vidar** and **GhostSocks** malware before GitHub removed the infrastructure. Microsoft said it revoked certificates, disrupted Fox Tempest infrastructure with partners, and coordinated takedowns, while urging defenders to strengthen MFA, conditional access, browser protections, and endpoint and email defenses.
Jun 18, 2026