eastbaycyber

Fake AI Malware Lures, Low-Cost Password Cracking, and Critical CVEs

Threat digests 8 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-17
Week of 17 MAY 2026

TL;DR - Fake AI video tools are being used to deliver infostealer malware. - Low-cost password-cracking capacity raises risk after credential theft. - Review critical CVEs now, especially internet-exposed apps and edge devices.

Top Stories

Fake AI video generators are being used to distribute infostealers

BleepingComputer reports that attackers are promoting fake AI-powered video generation tools via social media and Facebook groups to deliver the Noodlophile stealer malware (source).

Why this matters

This campaign combines two high-performing lures:

  • strong user interest in AI tools
  • trust transferred from social platforms and “viral” posts

For defenders, this is less about one malware family and more about a durable delivery pattern: users searching for niche productivity or AI software are redirected into malware installation flows that look plausible enough to bypass skepticism.

What to do next

  • Block unapproved software downloads from social media and ad-hoc file-sharing sites.
  • Review endpoint detections for recently downloaded archives, installers, and script launchers tied to “AI video,” “image to video,” or “generator” themes.
  • Reinforce allowlisting where feasible for user workstations.
  • Hunt for credential theft follow-on activity, including browser credential access and session cookie theft.

Technical Notes

Example Windows process hunting ideas for suspicious script and archive execution:

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" |
  Where-Object {
    $_.Message -match "powershell.exe|wscript.exe|mshta.exe|cmd.exe" -and
    $_.Message -match "zip|rar|7z|ai|video|generator"
  } | Select-Object TimeCreated, Id, Message

Example Sigma-style logic defenders may want to adapt:

title: "Fake AI Malware Lures, Low-Cost Password Cracking, and Critical CVEs"
logsource:
  product: windows
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\chrome.exe'
      - '\msedge.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\wscript.exe'
      - '\mshta.exe'
      - '\cmd.exe'
  keywords:
    CommandLine|contains:
      - 'ai'
      - 'video'
      - 'generator'
      - '.zip'
      - '.js'
      - '.vbs'
  condition: selection_parent and selection_child and keywords
level: medium

Useful review points after a suspected infostealer event:

- Browser credential stores accessed unexpectedly
- New persistence in Run keys / Startup folders
- Outbound connections to newly observed domains after user download activity
- Session hijacking indicators such as suspicious MFA fatigue or unfamiliar sign-ins

Password cracking is becoming cheaper and more accessible

KrebsOnSecurity highlights how rentable password-cracking rigs can reduce the cost barrier for password recovery and, by extension, improve attacker economics once password material is stolen (source).

Why this matters

The operational takeaway is straightforward:

  • stolen hashes remain highly monetizable
  • weak passwords fail faster than many teams assume
  • “we use encryption” is not enough if passphrases are weak or predictable

For SMBs and IT teams, this should increase urgency around password length, uniqueness, MFA, and secrets storage. For incident responders, it reinforces the need to estimate time-to-crack as part of breach impact analysis.

What to do next

  • Enforce long passphrases, not just complexity rules.
  • Remove legacy password storage and weak hashing where present.
  • Prioritize MFA for email, VPN, admin portals, and remote access.
  • Audit service accounts and local admin accounts for password reuse.
  • Rotate credentials quickly after any breach involving password databases, browser stores, or NTLM/Kerberos artifacts.

Technical Notes

Example Linux auditing for weak password policy posture:

grep -E 'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE' /etc/login.defs
grep -E 'pam_pwquality|pam_cracklib' /etc/pam.d/common-password /etc/pam.d/system-auth 2>/dev/null

Example Active Directory checks defenders should consider:

Get-ADDefaultDomainPasswordPolicy | Format-List *
Get-ADUser -Filter * -Properties PasswordNeverExpires,LastLogonDate |
  Select-Object Name,SamAccountName,PasswordNeverExpires,LastLogonDate

Look for these risk signals:

- PasswordNeverExpires enabled broadly
- Shared local admin passwords across endpoints
- Service accounts without rotation
- MFA gaps on externally accessible services
- Legacy protocols that expose credential material

T-Mobile satellite SMS launch: resilience upside, security review still required

Coverage via Google News/Yahoo Finance notes that T-Mobile launched a satellite SMS service with Starlink across plans (source).

Why this matters

This is primarily a business and resilience story, but security teams should care when messaging paths, fallback communications, and mobile workflows change. New transport assumptions can affect:

  • incident communications planning
  • mobile device usage policies
  • user expectations about availability during outages or disasters

What to do next

  • Update crisis communication playbooks that rely on SMS.
  • Verify which messages, alerts, or workflows should be allowed over fallback channels.
  • Reassess mobile threat models for executives, field teams, and remote operations staff.

Retail resilience remains a board-level security issue

The Economist’s coverage of the cyberattack on Marks & Spencer underscores a point defenders already know: cyber incidents in retail are not just “IT events” but operational disruptions with direct customer impact (source).

Why this matters

Retail and other customer-facing sectors should treat cyber resilience as a continuity discipline. The security question is no longer only “can we prevent compromise?” but also:

  • can stores and e-commerce continue degraded operations?
  • can identity, payments, and fulfillment be segmented?
  • can the business communicate clearly while restoring systems?

What to do next

  • Test offline and degraded-mode procedures.
  • Review segmentation between corporate IT, point-of-sale, e-commerce, and warehouse systems.
  • Ensure IR plans include customer communications, legal review, and third-party coordination.

Other industry reads

  • Hackaday’s weekly security roundup offers broader security community context and trend spotting (source).
  • SecurityInfoWatch discusses the role of human factors alongside AI in cybersecurity’s future (source).

Critical Vulnerabilities

CVE-2025-4743 : Liquid Commerce 4.5.0 remote code execution

  • Severity: Critical
  • CVSS v3: 9.9
  • CWE: CWE-94
  • Published: 2025-05-17
  • Reference: Advisory PDF

The published advisory describes arbitrary code execution via crafted JavaScript in a custom page object, with remote command execution when server-side rendering is triggered.

So what?

If your organization runs the affected version and allows custom page object access, this could become an application-level route to server compromise. The key issue is not just XSS-style content handling, but execution in a rendering path that can cross into server-side impact.

What defenders should do

  • Identify whether Liquid Commerce 4.5.0 is deployed anywhere.
  • Restrict access to custom page functionality immediately.
  • Review application logs for recent edits to custom pages and unusual render activity.
  • If exposed externally, treat this as urgent triage.

This issue affects D-Link DIR-513 1.0 and reportedly allows authentication bypass and command execution through /goform/formSetWanPPPoE when a specific flag is used with hardcoded credentials.

So what?

Even older or branch-office networking devices can remain deployed well past normal lifecycle. If this model exists in small offices, temporary sites, labs, or unmanaged environments, it should be treated as high-risk due to the combination of hidden functionality and command execution.

What defenders should do

  • Inventory for DIR-513 devices immediately.
  • Remove affected devices from internet exposure.
  • Replace or isolate end-of-life network gear where possible.
  • Review firewall, NAT, and admin interface exposure at branch locations.

CVE-2025-4666 : GNU elfutils 0.192 heap-based buffer overflow

The issue affects the dump_data_section function in /libelf/elf_compress.c in GNU elfutils 0.192 and can lead to a heap-based buffer overflow. A public disclosure and an upstream commit reference are available.

So what?

This is more relevant to systems and workflows that parse or process untrusted ELF files, including developer tooling, analysis pipelines, package handling, and automated build or scanning systems. Exposure depends heavily on whether vulnerable components can be reached with attacker-controlled input.

What defenders should do

  • Identify systems running elfutils 0.192.
  • Prioritize patching in CI/CD, analysis, or package-processing environments.
  • Reduce ingestion of untrusted binaries where possible until patched.
  • Add crash monitoring for tooling that touches ELF content.

CVE-2025-4747 : SourceCodester pharmacy product management system SQL injection

  • Severity: High
  • CVSS v3: 8.8
  • CWE: CWE-89
  • Published: 2025-05-17
  • Reference: GitHub reference

This vulnerability affects SourceCodester Web-based Pharmacy Product Management System 1.0 via /edit-category.php and /category.php due to unsanitized category_id input.

So what?

This appears most relevant to organizations, labs, or developers using this specific web application. Because exploitation is remote and SQL injection often leads to data exposure or administrative compromise, any internet-exposed deployment should be treated as risky.

What defenders should do

  • Verify whether this application exists in production, testing, or forgotten lab environments.
  • Block public access if not strictly required.
  • Add WAF coverage for common SQLi patterns where possible.
  • Review database and web logs for suspicious requests containing crafted category_id parameters.

What Defenders Should Do Today

1) Tighten controls on unapproved software downloads

The fake AI tool lure is a reminder that users increasingly encounter malware through themed productivity and AI content, not just email. Review:

  • browser download controls
  • application allowlisting
  • DNS and web filtering for newly registered or low-reputation domains
  • endpoint telemetry for script-based installers

2) Reassess password strength assumptions

Low-cost cracking capability changes breach economics. Act on:

  • passphrase policy
  • password manager deployment
  • MFA coverage
  • rapid credential rotation after incidents

3) Triage internet-facing assets for today’s CVEs

Focus first on:

  • public web applications with content rendering features
  • exposed or legacy branch networking devices
  • build, analysis, and package-processing systems
  • neglected lab or demo applications

4) Improve resilience, not just prevention

The retail disruption angle is a strong reminder to test:

  • degraded-mode operations
  • executive communications
  • third-party coordination
  • backup and restore readiness

Analyst Takeaway

The common thread across today’s digest is attacker leverage. Social media lures improve initial access. Affordable cracking infrastructure improves post-theft value. High-severity flaws in niche apps and edge devices create opportunities where asset management is weak. Defenders should respond with practical hygiene: better inventory, faster patch triage, stricter download controls, and stronger credential policy.

Sources

Last verified: 2026-05-17

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.