{"id":51873,"date":"2023-05-12T00:00:00","date_gmt":"2023-05-12T00:00:00","guid":{"rendered":"urn:uuid:c7ebb94b-eef0-486a-a964-44852508dd80"},"modified":"2023-05-12T00:00:00","modified_gmt":"2023-05-12T00:00:00","slug":"malicious-ai-tool-ads-used-to-deliver-redline-stealer","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/","title":{"rendered":"Malicious AI Tool Ads Used to Deliver Redline Stealer"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/ai-redlin-cover.png\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.387989861571\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"499170370\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"7.7631578947368\">\n<div class=\"article-details\" role=\"heading\" readability=\"34.934210526316\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">We\u2019ve been observing malicious advertisement campaigns in Google\u2019s search engine with themes that are related to AI tools such as Midjourney and ChatGPT.<\/p>\n<p class=\"article-details__author-by\">By: Junestherry Dela Cruz <time class=\"article-details__date\">May 12, 2023<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"33.227134146341\">\n<div readability=\"14.975609756098\">\n<p>The rising popularity of artificial intelligence (AI) tools such as ChatGPT has made them <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/b\/review-what-gpt-3-taught-chatgpt-in-a-year.html\">attractive targets<\/a> for threat actors who are now exploiting them as social engineering ploys to entice victims into downloading malware droppers that ultimately result in the deployment of stealers like Vidar and Redline.<\/p>\n<p>Recently, we\u2019ve been observing malicious advertisement campaigns in
Google\u2019s search engine with themes that are related to AI tools. Figure 1 shows some examples of malicious ads served when a user searches for the keyword &#8220;midjourney&#8221; in Google (note that <a href=\"https:\/\/www.midjourney.com\/home\/?callbackUrl=%2Fapp%2F\">Midjourney is an AI tool<\/a> that generates images from natural language descriptions).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"cbb50e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline1.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline1.png\" alt=\"Figure 1. Malicious ads that appear on the search results page when using the keyword \u201cmidjourney\u201d\"> <\/a> <\/figure>\n<\/p><\/div>\n<div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"317a18\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline1b.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline1b.png\" alt=\"Figure 1. Malicious ads that appear on the search results page when using the keyword \u201cmidjourney\u201d\"> <\/a><figcaption>Figure 1. 
Malicious ads that appear on the search results page when using the keyword \u201cmidjourney\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>When a user clicks on these sponsored ads, the user&#8217;s IP address is sent to a backend server, after which a malicious webpage (shown in Figure 2) is served to the user.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"e6b80a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline2.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline2.png\" alt=\"Figure 2. Clicking on a sponsored ad takes the user to a malicious website\"> <\/a><figcaption>Figure 2. Clicking on a sponsored ad takes the user to a malicious website<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>For some of these malicious advertisements, the backend server can filter bots that are visiting the malicious domain to minimize detection. 
If the IP address visiting these Midjourney-themed URLs is either blocked (typically bots that constantly access the webpages) or visiting it directly by manually typing the URL (that is, not through the Google ads redirector), the server will display a non-malicious version of the domain.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"d17b01\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline3.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline3.png\" alt=\"Figure 3. A non-malicious domain shown when a visiting IP address is blocked or accesses the webpage directly via manual input\"> <\/a><figcaption>Figure 3. A non-malicious domain shown when a visiting IP address is blocked or accesses the webpage directly via manual input<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>This campaign abuses Telegram&#8217;s API to communicate with its command-and-control (C&amp;C) server. This acts as an evasion technique that allows network communication with the C&amp;C server to blend in with normal traffic, therefore helping it avoid network detection.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"9d554f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline4.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline4.png\" alt=\"Figure 4. 
Abusing Telegram API to communicate with the C&amp;C server\"> <\/a><figcaption>Figure 4. Abusing Telegram API to communicate with the C&amp;C server<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>When a victim executes the downloaded installer (<i>Midjourney-x64.msix<\/i>), it will display a fake installation window while the malicious PowerShell download process continues to run in the background. Note that there is no desktop version of Midjourney, so this in itself should already be a red flag for users.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"f1c4d3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline5.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline5.png\" alt=\"Figure 5. Fake Midjourney installation\"> <\/a><figcaption>Figure 5. Fake Midjourney installation<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Figure 6 shows the campaign\u2019s infection chain leading to the PowerShell execution of the script as seen from the Trend Vision One\u2122 console. 
Trend Micro can proactively block this malicious process from executing via its Behavior Monitoring Solution.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"d02b8d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline6.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline6.png\" alt=\"Figure 6. Infection chain as seen from the Vision One console\"> <\/a><figcaption>Figure 6. Infection chain as seen from the Vision One console<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.64\">\n<div readability=\"12.48\">\n<p>In this particular campaign, victims are eventually led to a <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/c\/managed-xdr-exposes-spear-phishing-campaign-targeting-hospitalit.html\">Redline stealer<\/a> once they have downloaded and executed the fake Midjourney installer.<\/p>\n<p>The MSIX file (<i>Midjourney-x64.msix<\/i>) will attempt to execute an obfuscated PowerShell script named <i>frank_obfus.ps1<\/i>. The decoded version of this script will download and execute the Redline payload from the server <i>openaijobs[.]ru<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b31bfc\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline7.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline7.png\" alt=\"Figure 7. 
The decoded version of the PowerShell script\"> <\/a><figcaption>Figure 7. The decoded version of the PowerShell script<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>Once the script downloads and executes the Redline stealer, it will proceed with the exfiltration of sensitive information such as browser cookies, passwords, cryptocurrency wallet data, and file information.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"f81698\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline8.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline8.png\" alt=\"Figure 8. Generated traffic from the Redline stealer showing sensitive information being stolen\"> <\/a><figcaption>Figure 8. Generated traffic from the Redline stealer showing sensitive information being stolen<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"3cec31\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline9.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline9.png\" alt=\"Figure 9. 
Fake ChatGPT (top) and Dall-e (bottom) webpages used by threat actors for their malicious advertisements\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"71a661\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline9b.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/ai-redline9b.png\" alt=\"Figure 9. Fake ChatGPT (top) and Dall-e (bottom) webpages used by threat actors for their malicious advertisements\"> <\/a><figcaption>Figure 9. Fake ChatGPT (top) and Dall-e (bottom) webpages used by threat actors for their malicious advertisements<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.117486338798\">\n<div readability=\"21.209992193599\">\n<p>Threat actors have begun capitalizing on the explosive popularity of AI tools as more people use them to optimize their work processes. As such, it is important for both organizations and individuals to continue being vigilant when it comes to the apps and tools they download and use. Users should avoid clicking on suspicious ads and downloading unverified or unofficial apps since they can lead to malware infections and other malicious behavior. Many AI tools, such as ChatGPT and Midjourney, do not have desktop or app versions, so if one is being offered for download, then there is a high chance that this is malicious.<\/p>\n<p>A multilayered approach can help organizations guard possible entry points into their system. 
The following security solutions can detect malicious components and suspicious behavior, which can help protect enterprises:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\">Trend Vision One\u2122<\/a>\u202fprovides multilayered protection and behavior detection, which helps block questionable behavior and tools before they can do any damage.&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\">Trend Micro Apex One\u2122<\/a>\u202foffers next-level automated threat detection and response against advanced threats, ensuring endpoint protection.<\/span><\/li>\n<\/ul>\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/iocs-malicious-ai-tool-ads-used-to-deliver-redline-stealer.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/malicious-ai-tool-ads-used-to-deliver-redline-stealer.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019ve been observing malicious advertisement campaigns in Google\u2019s search engine with themes that are related to AI tools such as Midjourney and ChatGPT.
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":51874,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9509],"class_list":["post-51873","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head_json":{"title":"Malicious AI Tool Ads Used to Deliver Redline Stealer 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/","og_locale":"en_US","og_type":"article","og_title":"Malicious AI Tool Ads Used to Deliver Redline Stealer 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-05-12T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/ai-redlin-cover.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Malicious AI Tool Ads Used to Deliver Redline Stealer","datePublished":"2023-05-12T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/"},"wordCount":780,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/malicious-ai-tool-ads-used-to-deliver-redline-stealer.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/","url":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/","name":"Malicious AI Tool Ads Used to Deliver Redline Stealer 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/malicious-ai-tool-ads-used-to-deliver-redline-stealer.png","datePublished":"2023-05-12T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/malicious-ai-tool-ads-used-to-deliver-redline-stealer.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/malicious-ai-tool-ads-used-to-deliver-redline-stealer.png","width":936,"height":420},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/malicious-ai-tool-ads-used-to-deliver-redline-stealer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Malicious AI Tool Ads Used to Deliver Redline 
Stealer"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a867
1ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51873","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=51873"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51873\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/51874"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=51873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=51873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=51873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}