New BATLOADER campaign leverages generative AI ads for RedLine stealer delivery

RedLine stealer has been distributed in a new BATLOADER campaign exploiting Google Search advertisements for the ChatGPT and Midjourney generative AI services, reports The Hacker News. Attackers have been leveraging keywords on Google that would show fraudulent ads that would redirect to webpages facilitating the installation of ChatGPT or Midjourney executables along with a PowerShell script enabling RedLine stealer downloads, while detection of malicious activity after installation is averted by the binary's use of Microsoft Edge WebView2 that would allow the loading of legitimate ChatGPT and Midjourney URLs, a report from eSentire revealed. BATLOADER was previously reported by eSentire to have been used in a campaign with ChatGPt lures for Vidar Stealer and Ursnif malware distribution, while Sophos recently noted the emergence of ChatGPT-related fleeceware apps in the legitimate Google and Apple app stores. Moreover, monthly ChatGPT-related domain registrations has been noted by Palo Alto Networks' Unit 42 to have increased by 910% from November 2022 to early April 2023.