Kaspersky has uncovered a global campaign in which attackers are using AI-generated websites to distribute versions of the legitimate remote access tool Syncro. The activity spans Latin America, Asia Pacific, Europe and Africa. The sites are designed to appear trustworthy and often imitate well-known applications such as crypto wallets, antivirus software and password managers. Users are lured into downloading Syncro, which is then misused to gain control of their devices.
The campaign relies on search engine results and phishing emails to drive traffic to these sites. Many of the pages present themselves as offering security updates, trading apps or token migration tools. Once downloaded, the Syncro software operates as a genuine remote management tool, which makes it harder for standard security solutions to flag the activity as malicious. The tool gives attackers full access to the victim’s device, including the ability to view screens, access files and execute commands.
Kaspersky reports that scareware tactics form a key part of the campaign. Users may encounter false security warnings designed to pressure them into installing the remote access software. Once installed, the attackers aim to steal cryptocurrency by monitoring activity and exploiting the access granted through Syncro.
AI-generated websites create convincing but fraudulent experiences
The attackers use an AI website creation tool called Lovable to build professional-looking sites with domains that closely match common search queries. Rather than directly copying legitimate platforms, the pages create credible alternatives that appear authentic at first glance. Examples include sites referencing Polymarket, a prediction market platform, which are designed to convince users they are dealing with a trusted brand.
These fraudulent sites are promoted through search engines and targeted phishing emails. The emails often contain prompts urging users to install trading applications, update antivirus software or migrate digital tokens. Regardless of the scenario, the end result is the installation of Syncro, already configured to grant attackers remote access without alerting users or security tools.
Because the software is legitimate and typically used by IT teams, its presence does not automatically raise suspicion. This allows attackers to bypass common security measures and operate without immediate detection.
Kaspersky urges users to verify downloads and audit devices
Kaspersky has warned that the campaign reflects a growing trend in which legitimate software is repurposed for malicious activity, aided by AI-driven tools that allow cybercriminals to scale operations quickly. Vladimir Gursky, malware analyst at Kaspersky, said: “This campaign highlights the evolving threat landscape where legitimate tools are being weaponised through AI-driven deception. By automating the creation of high-quality fake sites, cybercriminals can scale attacks efficiently, preying on users’ trust in familiar brands and urgent warnings. It’s a stark reminder that even signed software from seemingly reputable sources demands scrutiny.”
The company recommends downloading software only from verified and official sources, especially when dealing with financial transactions or cryptocurrency management. Users should check URLs carefully, avoid installing remote access tools unless absolutely necessary, and review any such tools already present on their devices. Kaspersky also advises enabling anti-phishing features and carrying out regular security audits to reduce exposure to scareware and remote access-based threats.



