A newly discovered campaign known as Gipy is distributing information-stealing malware disguised as AI voice-changing apps.
Targeting users in Germany, Russia, Spain, and Taiwan, the campaign uses phishing lures promising AI voice modification applications.
According to researchers at Kaspersky, Gipy malware first appeared in early 2023 and, once delivered, allows threat actors to steal data, mine cryptocurrencies, and install additional malicious software on victims’ systems. The threat actors leverage legitimate AI voice modification apps as bait to lure victims.
Kaspersky’s team adds that once users install the application, it functions as promised, while Gipy malware operates silently in the background. Once executed, Gipy launches password-protected malicious software from GitHub.
In their investigation of this activity, experts analyzed over 200 such files. Most files on GitHub contained the notorious Lumma password stealer.
In an email statement, Kaspersky stated that experts also discovered Apocalypse ClipBanker, an enhanced Corona cryptocurrency malware, along with several remote access tools (RATs) such as DCRat and RADXRat. Additionally, they found password stealers like RedLine and RisePro, a credential stealer named Loli, and a Goran backdoor named TrueClient.