Threat Actors Abuse AI Website Creation App to Deliver Malware

Cybercriminals have discovered a new avenue for malicious activities by exploiting Lovable, an AI-powered website creation platform, to develop sophisticated phishing campaigns and malware delivery systems.

The platform, designed to democratize web development through natural language prompts, has inadvertently become a tool for threat actors seeking to create convincing fraudulent websites with minimal technical expertise.

The abuse of Lovable represents a significant shift in the cybercrime landscape, where artificial intelligence tools are lowering traditional barriers to entry for malicious actors.

Unlike conventional web development that requires coding knowledge, Lovable allows users to create fully functional websites simply by describing their requirements in plain text.

This capability has proven particularly attractive to cybercriminals who can now generate professional-looking phishing sites, credential harvesting platforms, and malware distribution networks within minutes.

Proofpoint researchers identified tens of thousands of malicious Lovable URLs detected as threats each month since February 2025, spanning various attack vectors, including multifactor authentication phishing kits, cryptocurrency wallet drainers, and sophisticated credential harvesting operations.

Malicious website likely designed to drain crypto wallets (Source – Proofpoint)

The researchers observed campaigns impacting over 5,000 organizations through hundreds of thousands of malicious messages, demonstrating the scale at which threat actors have adopted this platform.

The versatility of AI-generated websites has enabled threat actors to impersonate prominent brands including Microsoft, UPS, and various financial institutions with remarkable authenticity.

Tycoon phishing campaigns (Source – Proofpoint)

These campaigns typically employ sophisticated social engineering techniques, incorporating legitimate branding elements and convincing user interfaces that closely mirror their genuine counterparts.

Example CAPTCHA that redirects to banking credential phishing website (Source – Proofpoint)

The platform’s free hosting service on the lovable.app domain has further reduced operational costs for cybercriminals while providing them with legitimate-looking infrastructure.

Advanced Malware Delivery Mechanisms

The most concerning aspect of this threat involves the platform’s capacity to facilitate complex malware delivery chains.

Proofpoint analysts documented a particularly sophisticated German-language campaign that demonstrated the evolution from simple phishing to advanced malware distribution.

The attack chain began with HTML attachments redirecting to Cookie Reloaded URLs, which subsequently directed victims to AI-generated Lovable applications masquerading as secure download portals.

The malware delivery process incorporated multiple layers of deception, including password-protected downloads and legitimate-looking interfaces.

When victims clicked download buttons, they received a popup providing the password “RE2025” and access to a RAR file hosted on Dropbox.

This archive contained “Rechnung DE009100019000.exe”, a trojanized legitimate Ace Stream file that performed DLL sideloading to execute DOILoader, ultimately deploying zgRAT malware with command and control communications to 84.32.41.163:7705.

This sophisticated attack methodology demonstrates how AI website builders can facilitate complex multi-stage malware deployment while maintaining the appearance of legitimate business operations, significantly complicating detection and prevention efforts for cybersecurity teams.
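
For defenders, the stages of this chain can be correlated in order per host across proxy, endpoint and network logs. The Python below is an added example, not code from Proofpoint or the original article; the event schema, host names, sample URLs and timestamps are constructed, while the lovable.app domain, the Dropbox-hosted RAR, the "Rechnung ….exe" lure name and the C2 endpoint are taken from the text above.

```python
import re
from datetime import datetime, timedelta

C2 = ("84.32.41.163", 7705)                      # C2 endpoint named in the article
LURE = re.compile(r"^Rechnung .*\.exe$", re.I)   # invoice-themed lure name, as in the article

def under(domain, *suffixes):
    """True if domain equals, or is a subdomain of, one of the suffixes."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

# Ordered stages of the reported chain; each predicate tests one normalized event.
STAGES = [
    ("lovable_visit", lambda e: e["type"] == "http" and under(e["domain"], "lovable.app")),
    ("dropbox_rar", lambda e: e["type"] == "http" and e["path"].lower().endswith(".rar")
        and under(e["domain"], "dropbox.com", "dropboxusercontent.com")),
    ("lure_exec", lambda e: e["type"] == "process" and bool(LURE.match(e["image"]))),
    ("c2_connect", lambda e: e["type"] == "conn" and (e["dst_ip"], e["dst_port"]) == C2),
]

def correlate(events, window=timedelta(hours=1)):
    """Return {host: longest in-order run of stages seen within `window`}."""
    state, best = {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        start, seen = state.get(e["host"], (None, []))
        if start and e["ts"] - start > window:
            start, seen = None, []               # stale chain: start matching again
        if len(seen) < len(STAGES) and STAGES[len(seen)][1](e):
            seen, start = seen + [STAGES[len(seen)][0]], start or e["ts"]
            if len(seen) > len(best.get(e["host"], [])):
                best[e["host"]] = seen
        state[e["host"]] = (start, seen)
    return best

def alerts(events, min_stages=3):
    """Hosts whose chain reached at least `min_stages` stages."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)

T0 = datetime(2025, 1, 1, 9, 0)   # constructed base time; every event below is constructed
def ev(host, minutes, type_, **kw):
    return {"host": host, "ts": T0 + timedelta(minutes=minutes), "type": type_, **kw}

SAMPLE = [
    ev("ws-01", 0, "http", domain="example-portal.lovable.app", path="/"),
    ev("ws-01", 1, "http", domain="www.dropbox.com", path="/s/PLACEHOLDER/archive.rar"),
    ev("ws-01", 3, "process", image="Rechnung DE009100019000.exe"),
    ev("ws-01", 4, "conn", dst_ip="84.32.41.163", dst_port=7705),
    ev("ws-02", 5, "http", domain="someproject.lovable.app", path="/"),   # visit only
    ev("ws-03", 6, "http", domain="www.dropbox.com", path="/s/PLACEHOLDER/notes.rar"),
]
```

A single lovable.app visit or an unrelated Dropbox archive does not alert on its own; only the ordered combination on one host within the window does.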


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.