Imitators of CapCut are on the hunt

AndyC 24 April 2025

Online wrongdoers entice creators with assurances of state-of-the-art AI magic, only to endeavor to snatch their data or seize their devices instead

17 Apr 2025
 • 
,

CapCut copycats are on the prowl

Online wrongdoers entice creators with assurances of state-of-the-art AI magic, only to endeavor to snatch their data or seize their devices instead

17 Apr 2025
 • 
,
3 min. read

CapCut copycats are on the prowl

The frenzy encircling generative AI utilities isn’t just reforming sectors – it also presents conducive terrain for online malefactors, who are always swift to ride on the charm of the newest trend in tech. Imagine if, instead of acquiring an AI‑crafted video from CapCut or another akin tool, your data was filched or you unknowingly handed over control of your device to a stranger?

The danger is real – security experts have previously noticed campaigns that leveraged CapCut’s fame to propagate multiple infostealers and other forms of malware. Let’s now delve briefly into another campaign that’s aiming at individuals intrigued by AI-enhanced content by pledging premium variations of renowned software such as CapCut, Adobe Express, and Canva.

The strategy of the enticement

The instance below, spotted by X user g0njxa, exhibits a website that mimics CapCut, a tool frequently utilized by TikTok artists, and purports to be CapCut’s deluxe edition. (Note that the authentic deluxe edition is dubbed “CapCut Pro” or simply described as “Pro” on the website, not “CapCutProAI” as shown in the snapshot.)

Figure 1a. Fake CapCut site - homepage

Upon arriving on the fake site, you are prompted to input a command or upload a reference file. Should you comply, the website will feign processing the request.

Figure 1. Fake CapCut site

After the suspense builds up and the trap is set, you are coerced to download your gleaming new “creation”. Needless to say, the file, labeled Creation_Made_By_CapCut.mp4 – CapCut.com, is far from what it claims to be. In truth, it’s an executable for remote access software. Proceed a few clicks ahead and, unless other protections kick in, you may be relinquishing control of your device to malevolent individuals.

Figure 2. Fake CapCut site

Here are two more sites that pose as the legitimate deal and are part of the same campaign:

Figure 3. Fake Adobe Express site

Figure 4. Fake Canva site

Distant, yet near

For perspective, while legitimate remote access tools, such as ConnectWise ScreenConnect, TeamViewer, and AnyDesk, are invaluable for IT professionals offering technical support, in the wrong hands they can be abused to seize control of your computer for malicious motives. These encompass data thievery, installation of ransomware or other forms of malware, and utilizing the compromised device as a launch pad for incursions on other machines.

These types of hazards also loom large on corporate networks, as malevolent actors can, for instance, dispense portable, self-contained executables for legitimate remote monitoring and management (RMM) software that bypass admin privileges and bypass the necessity for full software installation.

“Most remote control applications come with the option to generate a preconfigured executable to connect to a specific IP address or user. This is useful for remote assistance, but also for attackers. The victim simply has to open the file, and in a couple of clicks, they may unwittingly give control of their computer to a cybercriminal,” says Martina López, a security researcher with ESET’s lab in Latin America.

Advice worth noting

A few uncomplicated measures will significantly contribute toward ensuring your safety:

  • When downloading new software, ensure to retrieve it from the authorized source, usually the developer’s official website
  • Avoid clicking on unsolicited links in email or social messages that often claim to route to such sites – the messages may be deceitful
  • The same applies to advertisements – it’s safer to directly navigate to the website by typing it in your browser or searching for it (judiciously, though) in your preferred search engine
  • Inspect the URL of the website – software developers typically don’t wield various quirky extensions in URLs or dubious “alternative” versions (think “CapCutProAI”)
  • Ensure your operating system, browser, and other software are up to date to guard against known vulnerabilities
  • Employ multi-layered security software, and adhere to other fundamental cybersecurity practices, like robust and unique passwords and activating two-factor authentication on all your online accounts

Needless to say, this isn’t the premier nor the final instance of CapCut users falling prey to online crooks, and these instances merely demonstrate that malefactors are always ready to exploit confidence and the latest trend in tech.

The promising aspect is that whereas these schemes are frequently sophisticated, they are not impregnable. Your alertness is your optimum defense against the stratagems of fraudsters.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan

LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan

AndyC 19 December 2025
ESET Threat Report H2 2025

ESET Threat Report H2 2025

AndyC 17 December 2025
Black Hat Europe 2025: Was that device designed to be on the internet at all?

Black Hat Europe 2025: Was that device designed to be on the internet at all?

AndyC 16 December 2025
Black Hat Europe 2025: Was that device designed to be on the internet at all?

Black Hat Europe 2025: Was that device designed to be on the internet at all?

AndyC 16 December 2025
Black Hat Europe 2025: Was that device designed to be on the internet at all?

Black Hat Europe 2025: Was that device designed to be on the internet at all?

AndyC 16 December 2025
Black Hat Europe 2025: Was that device designed to be on the internet at all?

Black Hat Europe 2025: Was that device designed to be on the internet at all?

AndyC 16 December 2025

You may have missed

Surge of OAuth Device Code Phishing Attacks Targets M365 Accounts

Russia was behind a destructive cyber attack on a water utility in 2024, Denmark says

AndyC 20 December 2025
Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers

Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers

AndyC 20 December 2025

Microsoft 365 accounts targeted in wave of OAuth phishing attacks

AndyC 20 December 2025
State-linked and criminal hackers use device code phishing against M365 users

State-linked and criminal hackers use device code phishing against M365 users

AndyC 20 December 2025
Three ways teams can tackle Iran’s tangled web of state-sponsored espionage

Three ways teams can tackle Iran’s tangled web of state-sponsored espionage

AndyC 20 December 2025

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.