Go Back Up

How Adversaries Weaponize AI-Assisted Search to Breach Your Network

Jun 12, 2026 3:49:54 PM Alec Mikolas 19 min read

A real-world case study from Apex Security

Most IT leaders picture a breach starting the same way: a suspicious email, a sketchy link, maybe a fake invoice. Someone clicks, the attacker gets in, and the team scrambles to clean up the damage.

That model keeps evolving.

Our Apex Security team recently responded to an incident that began with something far more ordinary than a phishing email. An employee ran a normal Google search for a popular note-taking app. The search surfaced a convenient AI-generated answer. That answer pointed them to a download page that looked exactly like the real product. No weird sender. No attachment. Just everyday research, a helpful-looking AI response, and an installer that appeared completely legitimate.

The file ran. The client's endpoint detection and response (EDR) agent did not stop it.

Below is what happened, why it worked, and what it means for the way you defend your business. This is the second installment in our series on how attackers exploit the tools your team already trusts. The first looked at malvertising through advertisement networks. This one moves a step further, into the search results and AI answers themselves.


In This Article:


The Problem: When the Search Bar Becomes the Attack Vector

Email phishing is still the most common way attackers get in, and training your team to recognize it remains non-negotiable. This case study, though, is about something no amount of inbox vigilance would have caught. Attackers have moved upstream, into the search results your team relies on every day, and now into the AI-generated answers that sit on top of those results.

The underlying technique is called SEO poisoning (search engine optimization poisoning). Attackers study the terms people search for, then manipulate rankings and infrastructure so that their malicious page appears where a trusted result should be. The newer twist is artificial intelligence. When a search returns a generated summary, or when an assistant recommends a download, attackers want that answer to point at infrastructure they control.

This is not theoretical. In May 2026, Microsoft Threat Intelligence documented a campaign it described as AI search result poisoning, an extension of traditional SEO poisoning in which LLM-generated responses surfaced links to attacker-controlled domains and ultimately delivered malware through pages that impersonated legitimate utilities (Microsoft Security Blog). Federal authorities have flagged the same pattern from the other direction. CISA and the FBI have published joint advisories tying fake software downloads and drive-by installs to initial access for ransomware operators (CISA).

What makes this dangerous for businesses is not only the delivery method. It is what happens after the download runs.

97% of organizations reporting an AI-related security incident lacked proper AI access controls

The Payload Lives Where Your Tools Don't Look

Endpoint detection and response (EDR) may generate a detection in the event of an incident, but EDR often does not capture the full extent of what was executed on a target host.

A commodity loader may execute and connect to adversary infrastructure for additional instructions. Certain follow-on actions or payloads may be detected by EDR, but the original foothold can remain active and undetected

That is exactly the pattern our team reconstructed in the incident below.

What We Caught: A Real-World Case Study

Our Apex Security team began investigating after suspicious network traffic surfaced in a client environment. Forensic analysis traced it back to a single Google search. What follows is the full reconstruction, in our analysts' own words.

Executive Summary

CastleLoader is modular loader and a commodity Malware-as-a-Service (Maas). CastleLoader typically enables the adversary with initial host access and subsequent payload delivery.

SEO (search engine optimization) poisoning continues to be a choice technique for many threat actors and groups.

Essentially, adversaries leverage popular search terms, and in some cases paid advertisements, to drive their website to the top of a common search result.

Adversaries now appear to be leveraging the output from edge LLM models, such as Gemini, to better target victims.

In this incident, Apex Security Operations responded to suspicious traffic that stemmed from a user that executed a Google search which provided a convenient Gemini response and subsequently sent them to an adversary-hosted landing page that deploys a Python variant of CastleLoader.

The Search

Apex Forensic Analysis "Cool apps to install on windows" google search

Figure 1 - Apex Forensic Analysis - Delivery Reconstruction

“cool apps to install on Windows”

Yes, this was the initial Google search the user executed that pointed them to Gemini output. The user pasted “note-taking tool Obsidian” into a subsequent Google search which directed them to the adversary-hosted landing page that masqueraded as the Obsidian note taking application.

The landing page was not live at the time of our analysis. It appears the adversary promptly pulled it following some success.

Apex Forensic Analysis - Delivery Reconstruction

Figure 2 - Apex Forensic Analysis - Delivery Reconstruction

CastleLoader Payload Analysis

Shortly after the user visits the adversary-hosted landing page, the file ObsidianSetup-2026-5.75.02664-win-x64.exe is seen downloaded to disk and is subsequently executed. Unfortunately, this file, along with several others, were deleted from disk and not recoverable for our analysis.

Apex Forensic Analysis - Payload Execution

Figure 3 - Apex Forensic Analysis - Payload Execution

As you can see, the executable spawned pythonw.exe (headless Python). Also, a directory traffic1kris was created in c:\programdata\ which hosted Python application data and contained the adversary’s Python bytecode.

Apex Forensic Analysis - Decompiled Python Bytecode Sample (System Profiling)

Figure 4 - Apex Forensic Analysis - Decompiled Python Bytecode Sample (System Profiling)

image (27)

Figure 5 - Apex Forensic Analysis - Decompiled Python Bytecode Sample (GetIpGeo)

image (29)

Figure 6 - Apex Forensic Analysis - Decompiled Python Bytecode Sample (C2 Domain)

image (30)

Figure 7 - Apex Forensic Analysis - Decompiled Python Bytecode Sample (Self Delete)

image (31)

Figure 8 - Apex Forensic Analysis - Python Implant C2 Connectivity

 

The Python implant established persistence through the creation of a Windows Shortcut file (.lnk) in the startup directory.

\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pythonw.exe.lnk

NetSupport RAT Deployment

Shortly after the execution of the Python implant, NetSupport Manager, which is a widely abused Remote Access Tool (RAT) was deployed and executed.

image (33)

image (34)

Figure 9 - Apex Forensic Analysis - NetSupport RAT Execution Indicators

Unfortunately, the NetSupport Manager files were also deleted and were not recoverable. This is unfortunate as the configuration files often contain fallback or secondary C2 server destinations.

A scheduled task was created for NetSupport RAT persistence.

image (35)

image (36)

Figure 10 - Apex Forensic Analysis - NetSupport RAT Persistence

Kill Chain

The full execution chain our analysts reconstructed from the artifacts above:

  1. The user searches Google for “cool apps to install on windows” and receives a convenient Gemini-generated response.
  2. The user runs a follow-up search for the note-taking tool Obsidian and lands on an adversary-hosted page that masquerades as Obsidian.
  3. ObsidianSetup-2026-5.75.02664-win-x64.exe is downloaded to disk and executed.
  4. The installer spawns headless Python (pythonw.exe) and stages bytecode under c:\programdata\traffic1kris\.
  5. The Python CastleLoader implant profiles the host, resolves geolocation, and reaches out to its command-and-control domain.
  6. Persistence is established through a .lnk file placed in the user's Startup folder.
  7. NetSupport Manager (RAT) is deployed for hands-on remote access, with a scheduled task created for persistence.

Attribution

The group behind the development of CastleLoader commodity malware has been labeled as TAG-150 and called GrayBravo.

Our thoughts are that TAG-150 is likely selling CastleLoader to Initial Access Brokers (IABs) that are then selling secondary access through NetSupport RAT to ransomware affiliates. This is quite common and nothing new.

We assess, with low confidence, that the name, traffic1kris, seen in multiple locations throughout our analysis of files and code, may be the alias of the initial access broker.

Conclusion

Adversaries are pairing traditional SEO poisoning tactics with AI output to deliver malicious payloads at scale.

A major takeaway we observed in this instance is that the client-deployed EDR product did not mitigate or prevent the execution of the initial payload, Python bytecode, or the secondary NetSupport deployment.

Forensic analysis is always required to understand the extent of an incident.

Why This Works Against Most Businesses

The uncomfortable truth is that standard antivirus, basic endpoint detection, and spam filters, the tools most small and mid-sized businesses rely on, were never designed to catch this class of attack. No email reached an inbox. No user ignored a warning. A diligent employee did normal research and trusted the answer their search engine handed back.

Consider the environment your team operates in:

  • The global average cost of a data breach reached $4.44 million in 2025, according to the IBM Cost of a Data Breach Report.
  • AI is now part of the breach equation. IBM found that incidents involving "shadow AI," the unsanctioned use of AI tools, added roughly $670,000 to the average breach cost, and that 97% of organizations reporting an AI-related security incident lacked proper AI access controls (IBM).
  • The longer a threat goes undetected, the more it costs. Organizations with slow detection consistently face materially higher breach costs than those that detect and contain quickly (IBM).

Related: estimate the cost of a data breach for your organization with our cybersecurity calculator.

The broader point holds. Many of these incidents do not begin with a bad click. They begin with normal business activity in an environment where attackers have quietly poisoned the infrastructure your team trusts, which now includes the AI layer sitting on top of search.

The Solution: Forensic-Led Resilience

Detection of this class of attack requires a fundamentally different approach to endpoint security. File scanning is not enough. Alert monitoring is not enough. What it requires is continuous behavioral monitoring: a real-time view of what processes actually do, not just what files sit on disk.

Why Managed EDR Is No Longer Optional

Two facts from this case sit uncomfortably together. The client had EDR deployed. The EDR did not stop the attack. It did not block the malicious installer, the in-memory Python loader, or the NetSupport RAT that followed. Our forensic analysis is what reconstructed the full chain and confirmed the true extent of the compromise.

Cyber criminals are growing more sophisticated, and they deliberately engineer payloads to slip past traditional EDR technology. That is the gap a managed forensic program is built to close. We don't just look for bad files; we monitor the behavior of your computer's memory. When an application starts trying to inject code into other processes or quietly spawn a hidden interpreter, our system is built to flag and kill it, then preserve the evidence.

When a memory anomaly appears, our analysts do not dismiss it as noise. They pull the thread until the full attack chain is understood, because that is the only way to know what an attacker actually touched.

Apex Security's approach includes:

  • Continuous forensic visibility that ingests and correlates endpoint, identity, cloud, and network telemetry in real time
  • Volatile memory analysis that examines what is running in memory, not just what is written to disk
  • Human-led investigation in which senior analysts reconstruct full attack timelines and classify behavior against the MITRE ATT&CK framework
  • Multi-vector containment that isolates compromised endpoints, suspends affected accounts, and blocks malicious network traffic at the same time
  • Audit-ready reporting with complete forensic timelines, root cause analysis, and documentation aligned with HIPAA, CMMC, and cyber insurance requirements

Dedicated Analysts Who Know Your Industry

This is not a threat aimed at careless people. The lures in these campaigns, note-taking apps, PDF tools, productivity utilities, and AI assistants, mirror the exact software your team searches for to get work done. The attack works precisely because the download looks like something an employee genuinely needs.

Our analysts are trained to recognize these "fake software" lure patterns and to understand how they map to real workflows in regulated industries. A manufacturing engineer looking for a file converter and a healthcare administrator searching for a scheduling tool are exactly the users these campaigns are built to reach. That industry context is not incidental. It is core to spotting threats that generic security operations centers miss.

What "Zero Help Desk" Friction Really Means

One of the most dangerous gaps in incident response is not technical. It is operational. When a breach escalates, most providers require you to negotiate a new contract, track hourly billing, and wait for emergency availability while an active threat spreads through your network.

Apex Security removes that friction. Full-scale Incident Response is included as a standard feature, with no retainer fees and no hourly emergency billing. Your dedicated technicians already know your environment, and they are trained to spot the specific "fake software" lures that target manufacturing, healthcare, and financial workflows. When your environment needs forensic investigation, the team is already in place.

What You Should Do Right Now

If your business relies on standard antivirus or an unmonitored EDR agent, the case above is a direct preview of your exposure. A single employee searching for a common tool on a work device, on your network, is all it takes.

The indicators of compromise from this campaign are listed below. If you are a current Apex client, these have already been pushed to your environment. If you are not, treat this as a look at what continuous forensic monitoring catches that most tools miss.

Domain IOCs (do not visit, block at your firewall and DNS):

  • obsidian-md[.]org
  • bmwservicebestik[.]com
  • evealexnunu[.]com
  • obelkfdskfkkf[.]com
  • bestporcheservice[.]com
  • 253[.]89[.]86[.]172[.]static[.]cloudzy[.]com

IP Address IOCs (block at your firewall):

  • 45.137.213[.]207
  • 162.159.36[.]2
  • 144.124.225[.]168
  • 144.172.116[.]14
  • 89.110.113[.]56
  • 149.33.8[.]84
  • 172.86.89[.]253

File Hash IOCs:

  • bfa1726c1331066202148a4b1ea0cbaa83a189d3552a4e06f8395576ee16d27c (client32.exe, NetSupport RAT)
  • 8be7fb2fa19db554d6c1b666553488edbb6c498a81db1260f89f111968c3d637 (client32.ini / client32.exe, NetSupport RAT)
  • edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 (HTCTL32.DLL / client32.exe, NetSupport RAT)
  • 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 (msvcr100.dll / client32.exe, NetSupport RAT)
  • 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 (pcicapi.dll / client32.exe, NetSupport RAT)
  • 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a (PCICHEK.DLL / client32.exe, NetSupport RAT)
  • 80cc439a0633add1dd964bb6bb40ccdcfec3ae28da39fd9416642ab0605d40ab (PCICL32.DLL / client32.exe, NetSupport RAT)
  • 82a5b0a5f16eb2045e74726cea1af7eda7ce93125f1d2480afeb168587928f55 (remcmdstub.exe / client32.exe, NetSupport RAT)
  • 8fd7f3eb1882755a8c5ba998409b20b240aed8ec025629b1679ea288ec2ae8aa (TCCTL32.DLL / client32.exe, NetSupport RAT)
  • 66634327c00f9d6f56ca3320c12f05cb84d6743ae3e08110d32944d31ea4ae02 (main.pyc, CastleLoader)
  • b88f65c41374691a0c100fbc04943be73181e821e66e85634d4ef708ee83747d (python.cat, CastleLoader)

This research was produced by the Compass Apex Security team. Apex Security delivers forensic-grade cyber defense, continuous human-led investigation, and audit-ready reporting for regulated and high-risk organizations. Learn more about Apex Security or book an assessment.

YOU MAY NEED TO KNOW

Frequently Asked Questions

What is SEO poisoning?

SEO poisoning, or search engine poisoning, is a technique where attackers manipulate search rankings and supporting infrastructure so that a malicious website appears near the top of results for terms people commonly search. Because the result looks like a normal, highly ranked link rather than spam, most users have no reason to suspect it. The goal is to get someone to click a poisoned result and download what they believe is legitimate software.

How are attackers using AI tools like Gemini in these attacks?

Search engines increasingly return AI-generated answers and summaries alongside traditional links, and assistants will often recommend a specific tool or download. Attackers have started optimizing their malicious pages to be surfaced inside that generated output. In the incident documented above, a user ran a Google search, received a convenient AI-generated response, and was steered toward an adversary-hosted page. The AI layer becomes one more trusted surface that attackers work to influence.

What is CastleLoader?

CastleLoader is a modular loader sold as a commodity Malware-as-a-Service. Its job is to get initial access to a host and then pull down additional payloads. In this case, a Python variant of CastleLoader ran in memory after the fake installer executed, profiled the machine, and reached out to a command-and-control server before staging the next stage of the attack.

What is NetSupport RAT and why is it dangerous?

NetSupport Manager is a legitimate remote administration tool that attackers frequently abuse as a remote access trojan (RAT). Once deployed, it gives an operator hands-on control of the machine, which can be used for reconnaissance, credential theft, and staging further attacks. Because it is built on real software, it can blend in with normal activity, and its configuration files often point to fallback command-and-control servers.

My EDR is installed and running. Why didn't it stop this?

This is the most important lesson from the case. The client had a working EDR agent, and it still did not prevent the initial payload, the in-memory Python loader, or the NetSupport deployment. Many tools focus on files written to disk and known signatures. Payloads that run in memory and lean on legitimate components such as Python and NetSupport are engineered to slip past that model. Detection requires behavioral monitoring at the memory level plus human-led investigation, not just an installed agent.

Does employee security training prevent this kind of attack?

Not on its own. Employee training is still essential, and email phishing remains the most common vector your team will face, so a well-trained employee is still one of your strongest defenses. This attack, though, did not depend on anyone making a mistake. A careful employee searching for a real productivity tool triggered the whole chain through entirely normal behavior. Prevention requires security tools that operate at a layer below human judgment.

Learn more about the role of employee training in cybersecurity in this article.

How is this different from the malvertising attack you wrote about previously?

The malvertising case involved paid advertisements placed on legitimate websites that redirected users to fake software pages. This case is about organic search results and the AI-generated answers built on top of them. The delivery channel is different, but the strategy is the same: abuse a trusted surface so that a malicious download looks like the real thing. Both bypass the inbox entirely.

What does "in memory" or fileless execution mean, and why does it matter?

It means the malicious code runs inside the memory of a running process rather than as a file saved to the hard drive. Traditional antivirus works by scanning files, so when little or nothing is written to disk, there is far less for a file scanner to catch. In this incident, several attacker files were also deleted afterward, which is why forensic analysis of process behavior and system artifacts was required to reconstruct what happened.

What should I do if I think my business has been affected?

Do not try to remediate it internally by deleting files or wiping the device. Memory-based attacks can leave little obvious trace, and deleting artifacts can destroy the evidence needed to understand the breach. The priority is forensic investigation: understanding exactly what executed, what it touched, and whether data left your environment. Contact your security provider immediately and preserve the affected device in its current state until a forensic analyst can review it.

How does Apex Security catch what standard tools miss?

Apex Security combines continuous forensic visibility across endpoint, identity, cloud, and network telemetry with volatile memory analysis and human-led investigation. When an anomaly appears, senior analysts reconstruct the full timeline and classify behavior against the MITRE ATT&CK framework rather than closing a single alert. Full Incident Response is included as a standard feature, so when something does get through, the investigation begins immediately without new contracts or hourly emergency billing.

Alec Mikolas

Alec Mikolas is a cybersecurity expert focused on security operations, threat detection, and incident response. With deep technical experience across systems, infrastructure, and Linux environments, he designs resilient security programs built to perform under real-world pressure. He brings a practical, systems-level approach to cybersecurity, combining technical depth with real-world operational insight across infrastructure, support, and Linux-based environments.

Navigate What’s Next

Get new insights, practical guides, and timely resources delivered to your inbox.