News, Industry - posted on Saturday, March 22, 2025 3:04 - no comments yet

Deepnude AI Image Generator: Cyber criminals lure victims with special bait

Cyber security experts from Silent Push have presented a new attack tactic of the threat group “FIN7” in a blog post

[datensicherheit.de, 03/22/2025] Our article on the Deepnude AI Image Generator is still very popular, especially in English-speaking countries. We have therefore decided to offer a translated version in English (editor’s note).

“Cyber security experts from Silent Push recently presented a new attack tactic of the threat group ‘FIN7’ in a blog post,” reports Dr. Martin J. Krämer, ‘Security Awareness Advocate’ at KnowBe4, in his latest statement. These cyber criminals use fake websites to offer their victims the use of AI-supported nude image generators. “If they fall for the bait, they click on a corresponding link, download ‘Infostealer’ – and, if they are at their workplace, easily put their entire company at risk!” According to KnowBe4’s Industry Benchmarking Report 2024, an average of almost 33% of those approached fall for these and similar malicious “offers”.


Dr. Martin J. Krämer, Security Awareness Advocate at KnowBe4, Photo: KnowBe4

Dr. Martin J. Krämer: “Companies should urgently continue to invest in raising the cyber security awareness of their employees!”

Since 2013, “FIN7” has been associated with complex cyber attacks

“FIN7”, also known as ‘Carbon Spider’, ‘ELBRUS’ and ‘Sangria Tempest’, is a ‘cyber threat group with links to Russia’. It has been associated with complex cyber attacks since 2013, although it has probably been active for longer. The group targets a wide range of industries – from retail and the technology sector to the financial and media industries and utilities.

“In their recent blog post, Silent Push’s threat analysts presented the group’s latest attack tactics. To trick their victims into downloading ‘infostealers’, they disguised fake honeypot websites as the online interface of ‘deepnude AI’ image generator providers.” The group maintained at least seven fake websites for this purpose. These have since been taken offline at the instigation of Silent Push:

  • easynude[.]website
  • ai-nude[.]cloud
  • ai-nude[.]click
  • ai-nude[.]pro
  • nude-ai[.]pro
  • ai-nude[.]adult
  • ai-nude[.]site

“On these honeypot websites, visitors were offered to use an AI image generator to create nude images. Some fake websites offered a ‘Free Download’, others a ‘Free Trial’.”

Cyber criminals lay out bait to ultimately attack company targets

In the former case, victims were asked to “upload a picture of the person they would like to see naked”. They would then receive a message that the generated image would be available for download. “If they clicked on the ‘Free Download’ button, they were redirected to a new domain with a link to ‘Dropbox’ or another source containing a .zip file with a malicious payload.”

Most of these payloads were “infostealers” such as “Redline Stealer” or “D3F@ck Loader”, which “FIN7” used to harvest cookies, passwords and other information from its victims in order to subsequently attack potential business targets.

Victims are asked by cyber criminals to upload photos

In the second case, victims were also asked to “upload a picture of a person they would like to see naked”. To do this, however, they were asked to click on the “Free Trial” link. “Once they had uploaded a picture, they received the message ‘Trial version ready for download’, with the addition ‘Access to scientific materials for personal use only’.”

A pop-up appeared with the question “This link is for personal use only, do you agree?”. “If the user agreed and clicked on ‘Download’, they again received a .zip file, again with a malicious payload,” explains Krämer. This was also another “Infostealer” – but this time it was a “Lumma Stealer”.
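As an added illustration (not code from the article, Silent Push or KnowBe4), the following Python script shows how a defender could sweep web-proxy logs for visits to the seven lure domains listed above and pair each visit with a follow-up .zip download by the same user, which is the delivery pattern described in both the “Free Download” and “Free Trial” variants. The log format and every log line are constructed for this example.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Lure domains named in the article, as published by Silent Push (defanged form).
FIN7_LURE_DOMAINS = [
    "easynude[.]website", "ai-nude[.]cloud", "ai-nude[.]click", "ai-nude[.]pro",
    "nude-ai[.]pro", "ai-nude[.]adult", "ai-nude[.]site",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'ai-nude[.]pro' back into 'ai-nude.pro'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()

WATCHLIST = {refang(d) for d in FIN7_LURE_DOMAINS}

def host_matches(host: str) -> bool:
    """True if host is a watchlisted domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def parse_line(line: str):
    """Parse one line of the constructed log format: ts user method url status."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    host = urlsplit(parts[3]).hostname or ""
    return {"time": ts, "user": parts[1], "url": parts[3], "host": host}

def find_lure_chains(log_text: str, window_s: int = 600) -> list:
    """For each lure-domain visit, collect .zip downloads by the same user within window_s."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    chains = []
    for visit in (e for e in events if host_matches(e["host"])):
        follow = [e["url"] for e in events
                  if e["user"] == visit["user"] and e is not visit
                  and urlsplit(e["url"]).path.lower().endswith(".zip")
                  and 0 <= (e["time"] - visit["time"]).total_seconds() <= window_s]
        chains.append({"user": visit["user"], "lure": visit["host"], "zip_downloads": follow})
    return chains

# Constructed sample proxy log (hypothetical users and paths, not real traffic).
SAMPLE_LOG = """\
2025-03-20T10:01:12Z alice GET https://www.ai-nude.pro/generate 200
2025-03-20T10:01:40Z alice GET https://www.dropbox.com/s/abc123/result.zip?dl=1 302
2025-03-20T10:05:03Z bob GET https://intranet.example.internal/news 200
2025-03-20T10:07:55Z carol GET https://easynude.website/free-trial 200
2025-03-20T11:30:00Z carol GET https://files.example.net/report.zip 200
"""
```

A hit with a non-empty `zip_downloads` list (alice above) is the case worth escalating to the endpoint team; carol's later download falls outside the window and is reported only as a lure visit.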

All users of the company network should always be kept up to date on cyber security issues!

After discovering these honeypot websites, the threat analysts at Silent Push quickly took them down. “The sites are currently offline.” However, it is likely that new websites following a similar pattern will soon go online, if they have not already.

Companies are therefore urgently advised to continue investing in raising the cyber security awareness of their employees. In conclusion, Krämer recommends: “Regular training and education are essential if you want to ensure that all users of the company network are always kept up to date in terms of cyber security and do not fall for honeypots such as the one presented here.”

Further information on this topic:

  • Wikipedia: FIN7
  • KnowBe4: 2024 Phishing By Industry Benchmarking Report / Find out how you are doing compared to your peers of similar size
  • Malpedia (Fraunhofer FKIE): Lumma Stealer / aka: LummaC2 Stealer
  • Malpedia (Fraunhofer FKIE): RedLine Stealer / aka: RECORDSTEALER
  • Silent Push, 02.10.2024: FIN7 hosting honeypot domains with malicious AI Generators – New Silent Push research
