bleepingcomputer[.]com/news/security/fake-ai-video-generators-infect-windows-macos-with-infostealers/
Over the past month, threat actors have created fake websites that impersonate an AI video and image editor called EditPro. As discovered by cybersecurity researcher g0njxa, the sites are promoted through search results and advertisements on X that share deepfake political videos, such as President Biden and Trump enjoying ice cream together.
Clicking the images brings you to fake websites for the EditProAI application, with editproai[.]pro created to push Windows malware and editproai[.]org to push macOS malware.
The sites are professional-looking and even contain the ubiquitous cookie banner, making them look and feel legitimate.
However, clicking the "Get Now" links will download an executable pretending to be the EditProAI application. For Windows users, the file is called "Edit-ProAI-Setup-newest_release.exe" [VirusTotal] and for macOS, it is named "EditProAi_v.4.36.dmg" [VirusTotal].
The Windows malware is signed by what appears to be a stolen code signing certificate from Softwareok.com, a freeware utility developer.
G0njxa says that the malware uses a panel at "proai[.]club/panelgood/" to send stolen data, which the threat actors can then retrieve at a later time.
An AnyRun report shows the execution of the Windows variant, with the sandbox service detecting the malware as Lumma Stealer.
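As an added example, not code from the article or from g0njxa: a small Python hunt that matches web proxy log lines against the indicators quoted above (the two lure domains, the proai[.]club panel path and the two installer file names) and labels each hit as a site visit, a payload download or a likely exfiltration to the panel. The "src method url" log layout and the sample lines are constructed for the example.

```python
import re

# Indicators exactly as the article prints them (defanged with "[.]").
LURE_DOMAINS = ["editproai[.]pro", "editproai[.]org"]
PANEL_DOMAIN = "proai[.]club"
PANEL_PATH = "/panelgood/"
PAYLOADS = ["Edit-ProAI-Setup-newest_release.exe", "EditProAi_v.4.36.dmg"]

URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?\s]*)?")


def refang(indicator):
    """Turn 'example[.]com' back into 'example.com' so it can be matched."""
    return indicator.replace("[.]", ".")


def host_matches(host, domain):
    """True for the domain itself or any subdomain, never a look-alike suffix."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Label one URL: stealer-exfil, payload-download, lure-site-visit, or None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m["host"], m["path"] or "/"
    if host_matches(host, refang(PANEL_DOMAIN)) and path.startswith(PANEL_PATH):
        return "stealer-exfil"  # data being sent to the panel named in the article
    if any(host_matches(host, refang(d)) for d in LURE_DOMAINS):
        if any(path.endswith("/" + p) for p in PAYLOADS):
            return "payload-download"  # the fake installer was fetched
        return "lure-site-visit"  # site opened; the file may not have been run
    return None


def scan(lines):
    """Return (source_ip, label, url) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        parts = line.split()  # constructed layout: "<src_ip> <method> <url>"
        if len(parts) >= 3 and (label := classify(parts[2])):
            hits.append((parts[0], label, parts[2]))
    return hits


SAMPLE_LOG = [  # constructed lines, not real traffic
    "10.0.0.5 GET https://www.editproai.pro/",
    "10.0.0.5 GET https://editproai.pro/Edit-ProAI-Setup-newest_release.exe",
    "10.0.0.5 POST https://proai.club/panelgood/upload",
    "10.0.0.9 GET https://notproai.club/panelgood/",
    "10.0.0.7 GET https://example.com/index.html",
]
```

A host that hits "payload-download" or "stealer-exfil" should be treated as compromised, with the credential and wallet reset described below applied to its users.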
If you have downloaded this program in the past, you should consider all of your saved passwords, cryptocurrency wallets, and authentications compromised and immediately reset them with unique passwords at every site you visit.