AI-Powered Web Tools Turned Malicious – Hackers Sneak Malware into Sites

Cybercriminals are exploiting artificial intelligence-powered website builders to create sophisticated phishing campaigns and malware distribution networks, according to new research from Proofpoint.

The security firm has identified tens of thousands of malicious URLs hosted on Lovable, an AI-driven platform that allows users to create websites through simple text prompts.

Lovable, a user-friendly application that automatically generates websites from natural language descriptions, has become a preferred tool for threat actors seeking to lower their technical barriers.

The platform provides free hosting on lovable[.]app and domain management, and allows users to create up to five websites daily without programming knowledge.

However, this accessibility has made it attractive to cybercriminals who can now produce professional-looking phishing sites within minutes.

Sophisticated Attack Campaigns Emerge

Proofpoint researchers documented several major campaigns leveraging Lovable’s infrastructure. In February 2025, a massive credential phishing operation impacted over 5,000 organizations through hundreds of thousands of malicious emails.

The attack chain used file-sharing themes, directing victims to a mathematics CAPTCHA before redirecting them to counterfeit Microsoft authentication pages designed to harvest credentials and multifactor authentication tokens.

Figure: Phishing CAPTCHA.

The campaigns employed the Tycoon Phishing-as-a-Service platform, implementing Adversary-in-the-Middle techniques to capture session cookies and bypass security measures.

Subsequent attacks in June masqueraded as human resources departments, targeting employee benefits credentials with similar technical approaches.

Financial fraud operations have also flourished on the platform. A UPS impersonation campaign in June 2025 targeted nearly 3,500 victims, collecting personal information and credit card details through sophisticated forms that automatically forwarded stolen data to Telegram channels.

The malicious “ups-flow-harvester” project became publicly available for other criminals to replicate and modify through simple chat prompts.

Cryptocurrency and Malware Distribution

Cryptocurrency-focused attacks represent another significant threat vector. Criminals have created convincing replicas of decentralized finance platforms like Aave, targeting crypto wallet credentials in campaigns reaching nearly 10,000 recipients.

These operations typically employ multi-stage redirects through legitimate services like SendGrid before ultimately attempting to drain connected cryptocurrency wallets.

More concerning, researchers identified German-language malware distribution campaigns using Lovable as a delivery mechanism.

These operations distributed zgRAT malware through trojanized legitimate software, demonstrating how AI-generated sites can facilitate advanced persistent threats beyond simple credential theft.

Figure: Aave phishing lure.

Following Proofpoint’s disclosure, Lovable implemented real-time detection systems in July 2025 to prevent malicious website creation and introduced automated daily scanning for fraudulent projects.

The company also plans additional security measures this fall, targeting user account verification and proactive threat actor blocking.

The research highlights growing concerns about AI tool abuse in cybercrime, as automated generation capabilities significantly reduce the technical skills required for creating convincing social engineering content.

Organizations should consider implementing allow-listing policies for frequently abused AI-powered platforms while security vendors continue monitoring these emerging threat vectors.

Indicators of compromise

| Indicator | Description | First Seen |
| --- | --- | --- |
| hxxps://ups-flow-harvester[.]lovable[.]app/ | UPS Impersonation Landing Page | 15 June 2025 |
| hxxps://app-54124296d32502[.]lovable[.]app/ | UPS Impersonation Redirector | 15 June 2025 |
| hxxps://captcha-office-redirect[.]lovable[.]app/ | Microsoft Impersonation Phishing URL | 17 June 2025 |
| hxxps://33eq8[.]oquvzop[.]es/CFTvqhHpUgs@x/ | Tycoon Redirect | 17 June 2025 |
| hxxps://aave-reward-notification[.]lovable[.]app/ | Aave Impersonation SendGrid Redirect | 17 June 2025 |
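
One way to apply the allow-listing recommendation together with the indicators listed here, as an added example that is not from Proofpoint or Lovable: the script refangs the indicators, then classifies proxy-log URLs, treating any lovable[.]app host that is not explicitly approved as blocked. The allow-listed project name, the log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = [  # indicators from this article's table, kept defanged
    "hxxps://ups-flow-harvester[.]lovable[.]app/",
    "hxxps://app-54124296d32502[.]lovable[.]app/",
    "hxxps://captcha-office-redirect[.]lovable[.]app/",
    "hxxps://33eq8[.]oquvzop[.]es/CFTvqhHpUgs@x/",
    "hxxps://aave-reward-notification[.]lovable[.]app/",
]
ALLOWED_HOSTS = {"intranet-demo.lovable.app"}  # assumption: constructed, org-approved project

def refang(indicator):
    """Undo hxxp / [.] defanging so the indicator parses as a URL."""
    return re.sub(r"^hxxp", "http", indicator, flags=re.I).replace("[.]", ".")

def host_of(url):
    """Lower-cased hostname with any trailing root dot removed."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

IOC_HOSTS = {host_of(refang(i)) for i in DEFANGED_IOCS}

def classify(url):
    """Known IoC first, then allow-list, then default-deny for the platform."""
    host = host_of(url)
    if host in IOC_HOSTS:
        return "block-ioc"
    if host in ALLOWED_HOSTS:
        return "allow"
    if host == "lovable.app" or host.endswith(".lovable.app"):
        return "block-unlisted"
    return "pass"  # unrelated host, e.g. the look-alike lovable.app.example.net

# Constructed proxy log: timestamp, user, URL.
SAMPLE_LOG = """\
2025-06-17T09:14:02Z alice https://captcha-office-redirect.lovable.app/
2025-06-17T09:15:40Z bob https://intranet-demo.lovable.app/dashboard
2025-06-17T09:16:11Z carol https://new-project-123.lovable.app/login
2025-06-17T09:17:05Z dave https://lovable.app.example.net/
2025-06-17T09:18:30Z erin https://UPS-Flow-Harvester.Lovable.App./track
"""

def scan(log_text):
    """Return (user, host, verdict) for each request the policy blocks."""
    rows = (line.split(maxsplit=2) for line in log_text.splitlines() if line.strip())
    return [(user, host_of(url), classify(url))
            for _ts, user, url in rows if classify(url).startswith("block")]

print(*scan(SAMPLE_LOG), sep="\n")
```

Matching is done on the parsed hostname rather than a substring of the URL, so case changes and a trailing root dot still match while a look-alike parent domain does not.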
Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
