{
	"id": "35d5a81e-b35e-42f7-bf73-0a6c22f5a100",
	"created_at": "2026-04-06T00:13:35.778905Z",
	"updated_at": "2026-04-10T03:35:52.8907Z",
	"deleted_at": null,
	"sha1_hash": "9958dcfe79c7dcfa9657bf6710ac6433077bb4fa",
	"title": "FIN7 hosting honeypot domains with malicious AI Generators – New Silent Push research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2115499,
	"plain_text": "FIN7 hosting honeypot domains with malicious AI Generators –\r\nNew Silent Push research\r\nBy Silent Push Threat Team\r\nPublished: 2024-10-02 · Archived: 2026-04-05 20:06:38 UTC\r\nTable of contents\r\nKey findings\r\nExecutive summary\r\nBackground\r\nInitial findings\r\nNetSupport RAT\r\nFIN7 malware: NetSupport RAT analysis\r\nFIN7 AI deepfake honeypots\r\nFIN7 “free download” honeypots\r\nFIN7 “free trial” honeypots\r\nFIN7 using SEO tactics to spread honeypots\r\nFIN7 AI Deepfake malware analysis\r\nAdditional information\r\nMitigating FIN7 activity\r\nRegister for Community Edition\r\nKey findings\r\nSilent Push research indicates FIN7 threat actors are using a new AI adult-based generator on at least seven different websites.\r\nWe observed FIN7 using two versions of the AI deepnude malware honeypot: one that requires a simple download and another with a more elaborate “free trial” process.\r\nSilent Push is also tracking the FIN7 NetSupport RAT malvertising campaign, which continues to use a different honeypot with “Browser extension required” pop-up lures that lead to .MSIX malware.\r\nPrevious Silent Push research identified thousands of FIN7 domains used in spear-phishing emails, phishing kits, and malware campaigns.\r\nExecutive summary\r\nSilent Push Threat Analysts have observed the FIN7 group (aka Sangria Tempest) using new tactics in their malware and phishing attacks. We found that FIN7 has created at least seven websites serving malware to visitors looking to use an AI adult-based generator. The threat group is also continuing to use browser extension honeypots, previously written about by Silent Push.\r\nhttps://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/\r\nPage 1 of 19\r\nOrganizations may become vulnerable as FIN7 lures unsuspecting employees to download malicious files.
These files may directly compromise credentials via infostealers or be used for follow-on campaigns that deploy ransomware.\r\nBackground\r\nFIN7 is a financially motivated threat group with ties to Russia. It has been associated with sophisticated cyber attacks since at least 2013. The group targets a broad spectrum of industries, from retail and tech to financial, media, utilities, and more. In 2024, FIN7 expanded its reach to target global brands.\r\nIn July 2024, Silent Push unearthed 4,000+ IOFA (Indicators of Future Attack) domains and IPs, the largest group of FIN7 domains ever discovered, a figure that we have since more than doubled for our Enterprise customers. The attacks attributed to the group were massive global phishing and malware campaigns.\r\nFollowing the recent Silent Push FIN7 blog post and its accompanying TLP Amber report (exclusive to Enterprise users), our new research reveals the group’s use of an AI adult-based generator across multiple honeypots.\r\nInitial findings\r\nIn planning its attacks, FIN7 casts a wide net, targeting individuals and a wide range of industries to lure its victims. Silent Push Threat Analysts have been tracking FIN7’s new attack methodology.\r\nIn this post, “honeypot” refers to an attacker-controlled site with carefully crafted lures used to bait unsuspecting victims, not to the defensive decoys and detection mechanisms the term usually describes.\r\nSilent Push research has revealed that FIN7’s current attack strategy uses two kinds of honeypot: AI adult-based generator sites that deliver malware, and the continuing NetSupport remote access Trojan (RAT) campaign.\r\nNetSupport RAT\r\nFIN7’s NetSupport RAT malware is served to visitors of specific honeypots, mostly websites promoted via FIN7 malvertising search campaigns, such as the “Requires Browser Extension” installation scheme.\r\nFIN7 has been launching malvertising attacks that attempt to deliver .MSIX malware.
Silent Push analysts picked up campaigns targeting a variety of brands, including SAP Concur, Microsoft, Thomson Reuters, and FINVIZ stock screening.\r\nFIN7 still has active IPs, and likely new websites, pushing the required browser extension ploy. For example, here’s a live IP hosting an SAP Concur phishing page: https://85.209.134[.]137\r\nExample of FIN7 live IP hosting an SAP Concur phishing page\r\nOrganizations compromised through the .MSIX “browser extension” can be targeted with ransomware, since the malware checks whether the host is a workgroup computer.\r\nFIN7 malware: NetSupport RAT analysis\r\nAfter Silent Push retrieved a sample of FIN7’s malware, in this case “LexisNexis.msix,” our team of analysts took a closer look at its operations and provide the following analysis:\r\nType: Zip archive file\r\nMD5: ff25441b7631d64afefdb818cfcceec7\r\nCompression: Deflate\r\nTo masquerade as a trusted executable, the malware has appropriated certificate data from what appears to be a Chinese manufacturing company, “Cangzhou Chenyue Electronic Technology”. An MSIX package will not install cleanly unless it carries a valid code signature whose subject matches the Publisher in its manifest, so a signing identity unrelated to the impersonated brand is itself a triage signal.\r\nExample of FIN7 malware with “LexisNexis.msix”\r\nNetSupport RAT delivery chain\r\nAnalyzing the attack chain, we see that the malware is clearly designed to target domain-joined machines and all the corporate data they offer.
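The sample described above is a ZIP-based MSIX whose manifest and signature name a publisher unrelated to the brand on the lure page. As an added example (not Silent Push code and not the sample itself), the following Python performs that static triage on an MSIX: it reads the Publisher from AppxManifest.xml, checks for a signature file, and lists embedded scripts, binaries and 7-Zip archives. The package it inspects is constructed in memory; its publisher string, file names and contents are assumptions for illustration, not the real LexisNexis.msix.

```python
# Added example (not Silent Push code and not the sample itself): static triage
# of an MSIX package. MSIX is a ZIP container whose installer metadata lives in
# AppxManifest.xml; Windows will only install it if AppxSignature.p7x carries a
# trusted signature whose subject matches the manifest Publisher. A harmless
# package is constructed in memory below so the script runs offline; its names,
# publisher string and contents are assumptions, not the real LexisNexis.msix.
import io
import zipfile
import xml.etree.ElementTree as ET

APPX_NS = '{http://schemas.microsoft.com/appx/manifest/foundation/windows10}'
PAYLOAD_EXT = ('.ps1', '.bat', '.cmd', '.vbs', '.js', '.exe', '.dll')
SEVENZIP_MAGIC = bytes([0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C])   # 7-Zip file header


def build_sample_msix():
    '''Construct a toy package (constructed test data, not the real sample) with
    the traits described above: Deflate-compressed ZIP, third-party publisher,
    an embedded script, and two embedded 7-Zip archives.'''
    manifest = ET.Element(APPX_NS + 'Package')
    identity = ET.SubElement(manifest, APPX_NS + 'Identity')
    identity.set('Name', 'LexisNexis')
    identity.set('Version', '1.0.0.0')
    identity.set('Publisher', 'CN=Cangzhou Chenyue Electronic Technology Co.')  # assumed form
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('AppxManifest.xml', ET.tostring(manifest))
        z.writestr('AppxSignature.p7x', b'placeholder-signature')
        z.writestr('VFS/install.ps1', 'Start-Process https://www.lexisnexis.com')
        z.writestr('VFS/part1.7z', SEVENZIP_MAGIC + bytes(32))
        z.writestr('VFS/part2.7z', SEVENZIP_MAGIC + bytes(32))
        z.writestr('Assets/logo.png', bytes(16))
    return buf.getvalue()


def triage_msix(data, lure_brand):
    '''Inspect an MSIX given as bytes. lure_brand is the brand the download page
    impersonates; a manifest Publisher that does not contain it is the mismatch
    the analysis above points at. Returns a dict of findings and flags.'''
    f = {'name': None, 'publisher': None, 'payloads': [], 'archives': [], 'flags': []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if 'AppxManifest.xml' not in names:
            f['flags'].append('no AppxManifest.xml')
            return f
        ident = ET.fromstring(z.read('AppxManifest.xml')).find(APPX_NS + 'Identity')
        if ident is not None:
            f['name'] = ident.get('Name')
            f['publisher'] = ident.get('Publisher')
        if 'AppxSignature.p7x' not in names:
            f['flags'].append('unsigned package')
        for n in names:
            if n.lower().endswith(PAYLOAD_EXT):
                f['payloads'].append(n)
            with z.open(n) as fh:                      # sniff the 7-Zip magic bytes
                if fh.read(len(SEVENZIP_MAGIC)) == SEVENZIP_MAGIC:
                    f['archives'].append(n)
    if lure_brand.lower() not in (f['publisher'] or '').lower():
        f['flags'].append('publisher does not match lure brand')
    if f['payloads']:
        f['flags'].append('script or binary inside package')
    if f['archives']:
        f['flags'].append('embedded 7-Zip archives (possible staged payload)')
    return f


if __name__ == '__main__':
    for key, val in triage_msix(build_sample_msix(), 'LexisNexis').items():
        print(key, val)
```

To run it against a real package, pass the bytes of the .msix instead of build_sample_msix(). The Publisher attribute is what Windows compares with the signing certificate subject, so a publisher that does not match the impersonated brand is the first thing to look at, before the package is ever installed in a sandbox.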
Once running, the malware seeks elevated privileges, lateral movement, and access to Active Directory.\r\nThe attack starts when the script opens the LexisNexis website, either as a distraction or to mimic legitimate user activity.\r\nThe malware then checks whether the machine is joined to a domain or is in a workgroup.\r\nIf the machine is in a workgroup, the script extracts two encrypted 7-Zip archives (password: 1234567890) and runs the NetSupport RAT executable.\r\nExample of FIN7 NetSupport RAT LexisNexis analysis\r\nThe extracted package includes:\r\nType: Remote Access Trojan\r\nName: NetSupport RAT\r\nC2 infrastructure: 166.88.159[.]37\r\nLicensee: MGJFFRT466\r\nFIN7 AI deepfake honeypots\r\nThe second FIN7 attack tactic is more sophisticated: it uses adult-themed AI Deepnude generator websites that serve malware to unsuspecting visitors.\r\nSilent Push research indicates that this campaign delivers classic information stealers, which harvest cookies, passwords, and other details that can later be used against corporate targets. We determined that the FIN7 AI malware uses Redline Stealer and D3F@ck Loader.\r\nFIN7 is hosting multiple malware honeypots under the brand “aiNude[.]ai”, in addition to:\r\neasynude[.]website\r\nai-nude[.]cloud\r\nai-nude[.]click\r\nai-nude[.]pro\r\nnude-ai[.]pro\r\nai-nude[.]adult\r\nainude[.]site\r\nAfter discovering these sites, Silent Push researchers supported escalations to get them taken down. All of the sites are currently offline, but we believe it’s likely that new sites following similar patterns will be launched.\r\nOur team found that the AI Deepfake honeypots are built atop “shell websites” that FIN7 uses to age domains (sites later modified to deploy malware or run malicious campaigns).
These files and pages expose the original shell content:\r\n/ReturnPolicy.html\r\n/personal-data.html\r\n/membership-terms.html\r\n/cookie-usage.html\r\n/contentDisclaimer.html\r\n/deliveryDetails.html\r\nExample of easynude[.]website “return Policy”\r\nExample of ai-nude[.]click “data Protection” page\r\nThe AI Deepfake honeypots include JavaScript from the Facebook Audience Network and Yandex Analytics. Silent Push research has not discovered any Facebook ads – yet.\r\nExample of FIN7 deepfake honeypot\r\nFIN7 has been creating two versions of the honeypot websites. The first offers an AI adult-based generator as a “free download,” and the second offers site visitors a “free trial.”\r\naiNude[.]ai Deepnude Generator click “free download” honeypot\r\nFIN7 “free download” honeypots\r\nThe malware in this honeypot sits behind a simple user flow that tries to get the visitor to download the initial malicious payload.\r\nFIN7 AI deepfake honeypots redirect users who click the “free download” offer to a new domain featuring a Dropbox link or another source hosting a malicious payload. By querying the Silent Push Web
While we haven’t\r\ndefinitively determined that all of these are used by FIN7 exclusively, they appear to be malicious and likely part\r\nof similar user flows.\r\nStep 1 asks the user to click on the “Free Download” link, and step 2 requests that they download from a link\r\nhosted on the trial-uploader[.]store, which links to a Dropbox payload.\r\nStep 2: File is ready to download\r\nFIN7 “free trial” honeypots\r\nThe AI Deepfake Honeypots have a unique version on domains like ai-nude[.]pro, which has a “Free trial” link on\r\nthe homepage.\r\nhttps://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/\r\nPage 8 of 19\n\naiNude[.]ai Deepnude Generator click “free trial” offering honeypot\r\nIf a site visitor clicks the “Free Trial” button, the user is prompted to upload an image.\r\nIf an image is uploaded, the user is next prompted with a “Trial is ready for download” message saying, “Access\r\nscientific materials for personal use only.” A corresponding pop-up requires the user to answer the question, “The\r\nlink is for personal use only, do you agree?” \r\nhttps://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/\r\nPage 9 of 19\n\n“Trial is ready for download” pop-up appears\r\nIf the user agrees and clicks “Download” they are served a zip file with a malicious payload. This other FIN7\r\npayload is a more classic “Lumma Stealer” and uses a DLL side-loading technique for execution.\r\nOn clicking download, a zip file appears\r\nFIN7 using SEO tactics to spread honeypots\r\nAll FIN7 AI deepfake honeypots contain a footer link for “Best Porn Sites,” which redirects users to\r\naipornsites[.]ai – a website that promotes the domain “ainude[.]ai” – that is currently down – but appears to be the\r\nsame website template used on the FIN7 honeypots. 
\r\nFIN7 AI deepfake honeypot footer link for “Best Porn Sites”\r\nFIN7 AI deepfake honeypot footers redirect to aiNude[.]ai\r\nGiven this, FIN7 is likely using SEO tactics to get its honeypots ranked higher in search results.\r\nFIN7 AI Deepfake malware analysis\r\nSilent Push Threat Analysts discovered that the DeepNude Generator .EXE is available for download directly from the homepage of some FIN7 sites. This malware employs sophisticated techniques, including multiple packers, malware embedded in Pascal script, and Java-based launchers, to evade detection.\r\nThe Deepnude Generator .EXE uses “Inno Setup” for the initial payload packing.\r\nInno Setup has an embedded Pascal interpreter that parses and runs the Pascal script that drives the installer. The PEiD packer detector verifies the embedded library but identifies the packer as Borland Delphi rather than Inno Setup; this is expected, since the Inno Setup installer stub is itself compiled with Delphi, and it means a Delphi signature alone does not rule Inno Setup out.\r\nThe embedded library is verified but falsely detected\r\nSome of the features used within this initial “Inno Setup” payload include:\r\nConnects to remote servers\r\nHeavy string obfuscation\r\nVirtual environment detection\r\nExecution control\r\n“Inno Setup” features\r\nThe “Inno Setup” strings are encoded using a custom algorithm.\r\nInno Setup strings are encoded using a custom algorithm\r\nExample of Inno Setup strings execution flow\r\nExtracting all encoded strings from the code and decoding them using Python gives us a clear picture of the execution flow.\r\nThe execution flow includes a string for a SteamCommunity[.]com profile.\r\nExample of execution flow\r\nThe script looks for the substring assigned in “v_10 := ‘i1il’;”. This string is a placeholder marking where the C2 address is read from (a dead-drop resolver): the Steam username on the profile includes a Hetzner-hosted IP address, “49.12.117[.]119”.\r\nThe Steam Username includes a Hetzner-hosted IP address\r\nSearching Steam for profiles that include “i1il” uncovers other likely C2s from this network:\r\n78.47.105[.]28 – Hetzner\r\n159.69.26[.]61 – Hetzner\r\nPrevious C2s / Steam profiles found during the research include:\r\n116.203.15[.]73 – Hetzner\r\n116.203.8[.]165 – Hetzner\r\n116.202.0[.]236 – Hetzner\r\n116.202.5[.]195 – Hetzner\r\n78.47.105[.]28 – Hetzner\r\n78.46.129[.]163 – Hetzner\r\n88.198.89[.]4 – Hetzner\r\n5.75.232[.]183 – Hetzner\r\nExample of Steam search\r\nThe secondary payload was 78.47.101[.]48/manual/225/225.zip. The 225.zip file consists of a Java Virtual Machine and an EXE file built with Launch4j.\r\nLaunch4j is an open-source tool that wraps Java applications (JAR files) into native Windows executables (EXE files).\r\n225.exe was FIRST detected as D3F@ck Loader by @RussianPanda9xx\r\nThis FIN7 malware campaign appears to have used an additional payload.
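The Steam-profile lookup above is a dead-drop resolver: the loader fetches a public page and parses the C2 address out of it, so the operator can rotate the C2 by editing a username. As an added example (not the decoded Inno Setup script and not Silent Push code), the following Python shows the pattern from both sides: a resolver that finds the “i1il” marker and takes the first routable IPv4 address after it, and a hunting helper that applies the same rule to a set of profile pages and checks hits against the C2 IPs listed in this post. The profile HTML is constructed, and both the markup and the position of the IP after the marker are assumptions.

```python
# Added example (not the decoded Inno Setup script and not Silent Push code):
# the dead-drop resolver pattern described above, from both sides. The loader
# side finds the marker in a fetched profile page and takes the first routable
# IPv4 address after it; the hunting side applies the same rule to many pages
# and checks hits against the C2 IPs listed in this post. The HTML below is
# constructed test data; the persona-name markup and the position of the IP
# relative to the marker are assumptions, not the real loader logic.
import ipaddress
import re

MARKER = 'i1il'   # placeholder string the loader searches for (from the post)
# Dotted-quad candidate, written without backslash escapes.
IPV4_RE = re.compile(r'(?<![0-9])(?:[0-9]{1,3}[.]){3}[0-9]{1,3}(?![0-9])')

# Constructed profile page, not a real Steam profile.
SAMPLE_PROFILE_HTML = '''
<html><body>
<div class=profile_header>
  <span class=actual_persona_name>i1il 49.12.117.119</span>
</div>
<div class=profile_summary>nothing to see here 192.168.0.1</div>
</body></html>
'''

# Refanged from the C2 list in this post.
KNOWN_C2S = {'49.12.117.119', '78.47.105.28', '159.69.26.61'}


def resolve_dead_drop(html, marker=MARKER, window=64):
    '''Loader side: locate the marker, then return the first routable IPv4
    address within window characters after it, or None if there is none.
    Private, loopback and similar ranges are skipped so that a decoy or
    accidental address on the page does not become the C2.'''
    pos = html.find(marker)
    if pos < 0:
        return None
    start = pos + len(marker)
    for cand in IPV4_RE.findall(html[start:start + window]):
        try:
            addr = ipaddress.ip_address(cand)
        except ValueError:          # e.g. an octet above 255
            continue
        if addr.is_global:
            return str(addr)
    return None


def hunt_profiles(pages, marker=MARKER):
    '''Hunting side: given {profile_id: html}, return the profiles that carry
    the marker followed by a routable IP, and whether that IP is already known.'''
    hits = []
    for pid, html in pages.items():
        ip = resolve_dead_drop(html, marker)
        if ip is not None:
            hits.append({'profile': pid, 'c2': ip, 'known': ip in KNOWN_C2S})
    return hits


if __name__ == '__main__':
    print(resolve_dead_drop(SAMPLE_PROFILE_HTML))
    print(hunt_profiles({'constructed-profile': SAMPLE_PROFILE_HTML}))
```

The resolver skips private and reserved ranges so that a decoy address on the page does not become the C2. For hunting, the marker is the durable pivot: the IPs change, but the marker has to stay constant for the loader to find them, which is why the post searches Steam for “i1il”.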
The initial secondary payload found on VirusTotal was 170.exe (SHA-256 7e5d91f73e89a997a7caa6b111bbd0f9788aa707ebf6b7cbe2ad2c01dffdc15d), a Redline credential stealer, with the following configuration:\r\nThe FIN7 campaign related to D3F@ck Loader started on August 5, 2024, according to VirusTotal upload dates.\r\nThe spoofed applications they have targeted include:\r\nPuTTY\r\nRazer Gaming\r\nFortinet VPN\r\nA Fortnite Video Game Cheat\r\nZoom\r\nCannon\r\nSeveral other generic applications\r\nThe malware found on one of the “Deepnude AI generator” websites connects to a campaign that has targeted several brands. Interestingly, a malware-infected “Fortnite cheat” also appears to be part of the campaign.\r\nExample of spoofed applications targeted\r\nThis other FIN7 payload is a more classic “Lumma Stealer” that executes using a DLL side-loading technique.\r\nThis malware was found to be using two C2s:\r\npang-scrooge-carnage[.]shop\r\nthesiszppdsmi[.]shop\r\nAdditional information\r\nSilent Push will continue to track FIN7 activity and report our findings to the community.\r\nSome of the information in this public blog has been omitted for operational security.\r\nWe’ve also published a TLP Amber report for Enterprise users that contains links to the specific queries, lookups, and scans we’ve used to identify and traverse FIN7 infrastructure, including proprietary parameters that we’ve omitted from this blog for operational security reasons.\r\nMitigating FIN7 activity\r\nSince our initial post, Silent Push researchers have seen a drastic increase in the number of IOFAs, more than double for our Enterprise customers.
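Since the indicators in this post are published defanged, here is an added example (not Silent Push code and not the format of its feeds) that refangs the IPs, domains and URL named above and emits them both as a plain host blocklist and as STIX 2.1 indicator objects, using only the Python standard library. The list of indicators is copied from this post; everything else, including the http scheme assumed for the schemeless URL, is an assumption for illustration.

```python
# Added example (not Silent Push code and not their feed format): turn the
# defanged indicators published in a report like this one into blockable form
# and into STIX 2.1 indicator objects, using only the standard library. The
# indicator text below is copied from this post; the STIX identifiers are
# derived with UUIDv5 over the pattern so that re-running the script yields
# the same ids (a local choice, not a STIX requirement).
import json
import re
import uuid
from datetime import datetime, timezone

SQ = chr(39)   # single quote, the string delimiter in STIX patterns

RAW_IOCS = '''
85.209.134[.]137
166.88.159[.]37
49.12.117[.]119
78.47.101[.]48/manual/225/225.zip
easynude[.]website
ai-nude[.]cloud
nude-ai[.]pro
trial-uploader[.]store
pang-scrooge-carnage[.]shop
thesiszppdsmi[.]shop
'''

IPV4_RE = re.compile(r'^(?:[0-9]{1,3}[.]){3}[0-9]{1,3}$')
DOMAIN_RE = re.compile(r'^(?:[a-z0-9-]+[.])+[a-z]{2,}$', re.IGNORECASE)


def refang(value):
    '''Undo the usual defanging: [.] and (.) for dots, [:] for colons, hxxp for http.'''
    v = value.strip().replace('[.]', '.').replace('(.)', '.').replace('[:]', ':')
    if v.lower().startswith('hxxp'):
        v = 'http' + v[4:]
    return v


def classify(value):
    '''Map a refanged indicator to (STIX observable type, STIX pattern, host).'''
    if '://' in value or '/' in value:
        url = value if '://' in value else 'http://' + value   # scheme assumed when the report omits it
        host = url.split('://', 1)[1].split('/', 1)[0]
        return 'url', '[url:value = ' + SQ + url + SQ + ']', host
    if IPV4_RE.match(value):
        return 'ipv4-addr', '[ipv4-addr:value = ' + SQ + value + SQ + ']', value
    if DOMAIN_RE.match(value):
        return 'domain-name', '[domain-name:value = ' + SQ + value + SQ + ']', value
    raise ValueError('unrecognised indicator: ' + value)


def to_stix_bundle(raw_text, now=None):
    '''Build a STIX 2.1 bundle of indicator objects from defanged report text.'''
    ts = (now or datetime.now(timezone.utc)).strftime('%Y-%m-%dT%H:%M:%S.000Z')
    objects = []
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        value = refang(line)
        kind, pattern, _host = classify(value)
        objects.append({
            'type': 'indicator',
            'spec_version': '2.1',
            'id': 'indicator--' + str(uuid.uuid5(uuid.NAMESPACE_URL, pattern)),
            'created': ts,
            'modified': ts,
            'name': kind + ': ' + value,
            'indicator_types': ['malicious-activity'],
            'pattern': pattern,
            'pattern_type': 'stix',
            'valid_from': ts,
        })
    return {'type': 'bundle', 'id': 'bundle--' + str(uuid.uuid4()), 'objects': objects}


def blocklist(raw_text):
    '''Plain host list for a DNS sinkhole or firewall: one refanged host per entry.'''
    hosts = {classify(refang(line))[2] for line in raw_text.splitlines() if line.strip()}
    return sorted(hosts)


if __name__ == '__main__':
    print(json.dumps(to_stix_bundle(RAW_IOCS), indent=2))
    print(blocklist(RAW_IOCS))
```

Feed the bundle to a TIP or SIEM that accepts STIX 2.1 and the host list to a DNS sinkhole or firewall. Keep the defanged form in the report and the refanged form only in tooling, so that a copy-pasted indicator is never a live link.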
We’ve grouped FIN7 domains and IPs into two dedicated IOFA feeds.\r\nSilent Push Enterprise users can ingest this data into their security stack, allowing them to block FIN7 infrastructure at its source.\r\nData is available for export in CSV, JSON, or STIX format, or as an automated code snippet using the Silent Push API.\r\nSilent Push Community Edition is a free threat-hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types that we used to track FIN7.\r\nSource: https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/"
	],
	"report_names": [
		"fin7-malware-deepfake-ai-honeypot"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434415,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9958dcfe79c7dcfa9657bf6710ac6433077bb4fa.pdf",
		"text": "https://archive.orkl.eu/9958dcfe79c7dcfa9657bf6710ac6433077bb4fa.txt",
		"img": "https://archive.orkl.eu/9958dcfe79c7dcfa9657bf6710ac6433077bb4fa.jpg"
	}
}