Attackers are delivering malware to different regions using AI-enhanced tools. Among the most impacted industries are manufacturing, government, healthcare, technology, and retail. Trend Micro has given the campaign the code name EvilAI.

The campaign uses a number of propagation techniques, such as malicious advertisements, newly registered websites that imitate vendor portals, and promoted download links on social media and forums. According to security researcher Banu Ramakrishnan, "they have been peddling malware disguised as games, print recipe, recipe finder, manual finder."

Security researchers stated in a blog post on Monday that "EvilAI is not an isolated incident but rather an active and evolving campaign currently circulating in the wild," citing Trend Micro's tracking of the malware under the name Bao loader. According to Trend Micro, "these trojans mimic the appearance of real software to go unnoticed, rather than relying on obviously malicious files." According to Expel, the malware known as TamperedChef is actually a Bao loader. The malware is essentially a backdoor that gives an operator the ability to do anything they want on a system.

It claims that since then, threat actors have switched to another decoy program called S3-Forge. According to the cybersecurity firm, the attackers created applications that appeared authentic, acquired code-signing certificates, and launched a targeted advertising campaign to increase installations. "The impact is significant: anyone who installed AppSuite PDF Editor should assume their browser-stored credentials were compromised," WithSecure stated in an October 3, 2025, follow-up report.

"These tactics allow malware to masquerade as legitimate software, bypass endpoint defenses, and exploit user trust," the company added in a separate report that was published on October 4, 2025, to commemorate the first AppSuite PDF Editor version's tenth anniversary.