Adversaries are using AI-powered website builders to expedite the development of harmful infrastructure in a quickly changing threat landscape, hence reducing the entry barriers for malware distribution and credential phishing.
Platforms like Lovable, which enable users to generate fully functional websites via natural language prompts, have been observed in numerous campaigns since early 2025.
These tools, designed for ease of use with free hosting under the lovable[.]app domain, allow even novice actors to deploy sophisticated phishing kits, malware loaders, and fraud sites without advanced web development skills.
Emerging Threats in AI-Assisted Cybercrime
Proofpoint researchers have documented tens of thousands of malicious Lovable URLs in email traffic monthly, targeting organizations with lures impersonating trusted brands such as Microsoft, UPS, and cryptocurrency platforms.
This abuse highlights a shift where AI not only automates site creation but also embeds deceptive elements like CAPTCHAs and backend logic for data exfiltration, often routing stolen credentials to Telegram channels or enabling adversary-in-the-middle (AiTM) attacks.
Lovable’s model, which offers up to five free prompts daily and unrestricted remixing of public projects, has inadvertently facilitated rapid campaign scaling.
For instance, in February 2025, a large-scale Tycoon Phishing-as-a-Service (PhaaS) operation distributed hundreds of thousands of emails with file-sharing themes, leading recipients through CAPTCHA challenges to counterfeit Microsoft authentication pages that harvested credentials, MFA tokens, and session cookies.
Subsequent campaigns in June masqueraded as HR departments, exploiting employee benefits narratives to deploy similar AiTM techniques.
Beyond phishing, actors have created sites for payment card and personal data theft, such as UPS-impersonating pages that collect details via SMS code harvesting and post them to Telegram.
Cryptocurrency-focused threats include wallet drainers disguised as DeFi platforms like Aave, where SendGrid-redirected URLs lead to interfaces that connect and siphon user assets.
Malware delivery has also surged, with July campaigns using German-language lures impersonating software firms, redirecting via services like Cookie Reloaded to Dropbox-hosted RAR files containing trojanized executables that sideload DOILoader and deploy zgRAT remote access trojans.
Mitigation Efforts
In response to these findings, Lovable has implemented AI-driven protections, including real-time detection during prompt processing and automated scanning of published projects, resulting in the takedown of hundreds of malicious domains.
The company plans further enhancements, such as proactive user account monitoring, to curb abuse.
However, Proofpoint’s experiments revealed minimal initial guardrails, allowing easy creation of phishing sites with manipulative language contrasting with stricter policies in tools like ChatGPT.
This underscores the need for robust safeguards in AI platforms to prevent exploitation, as adversaries shift focus from manual development to optimizing attack chains.
Organizations are advised to adopt allow-listing for commonly abused tools and monitor for emerging AI-generated threats in email and SMS vectors.
Indicators of Compromise (IOCs)
| Indicator | Description | First Seen |
|---|---|---|
| hxxps://ups-flow-harvester[.]lovable[.]app/ | UPS Impersonation Landing Page | 15 June 2025 |
| hxxps://app-54124296d32502[.]lovable[.]app/ | UPS Impersonation Redirector | 15 June 2025 |
| hxxps://captcha-office-redirect[.]lovable[.]app/ | Microsoft Impersonation Phishing URL | 17 June 2025 |
| hxxps://33eq8[.]oquvzop[.]es/CFTvqhHpUgs@x/ | Tycoon Redirect | 17 June 2025 |
| hxxps://aave-reward-notification[.]lovable[.]app/ | Aave Impersonation SendGrid Redirect | 17 June 2025 |
| hxxps://reward-aave[.]us/web3/ | Aave Impersonation Landing Page | 17 June 2025 |
| hxxp://lexware-invoice-deutsch-popup[.]lovable[.]app/ | Cookie Reloaded Redirect target | 22 July 2025 |
| hxxp://www[.]dropbox[.]com/scl/fi/i6n7wcxpfi366wn46qngu/DE0019902001000RE.rar?rlkey=ec07od5o0p41q02cq7e3kp5iq&st=7k1wp1ao&dl=1 | Download URL from Lovable | 22 July 2025 |
| 84[.]32[.]41[.]163:7705 | zgRAT C2 | 22 July 2025 |
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
Source link
