Rilide, also known as LumaC2 and CookieGenesis, is a sophisticated piece of malware that targets Chromium-based browsers to hijack user activity and steal sensitive data. Discovered in 2023, Rilide operates by leveraging browser extensions to carry out its attacks. Rilide abuses its browser extension component to inject malicious scripts into web pages. In addition to its data exfiltration abilities, it also features advanced cryptocurrency theft capabilities, with two-factor authentication (2FA) manipulation for popular wallets and mail clients.
Man-in-the-browser
Since the beginning of 2025, the Trusteer research lab has seen more than 50,000 infected user sessions, indicating the scale of threat activity. Rilide has an ongoing worldwide campaign detected by the Trusteer lab attacking North America, South America, Europe and Japan. In this post, we will explore how Rilide operates within the browser through its extension and examine the techniques it uses to carry out its attacks, particularly its impact on financial platforms.
In one documented case, Rilide was delivered through a fake Microsoft PowerPoint file sent to Zendesk employees, who were told they could freely download it onto their computers. In reality, the PowerPoint was a lure that walked the viewer through downloading a browser extension infected with Rilide. A threat actor could use the resulting access to steal passwords and take over accounts, copy financial information for fraud, or collect company account information in order to deploy other forms of malware or ransomware.
Hijack email websites: It can make it appear that a legitimate multi-factor authentication email has arrived for a user. Rilide can monitor the user's interaction with these emails and forward the real MFA code to the threat actor, allowing them to gain access to the account without the user knowing.
Rilide’s capabilities highlight the shift in the threat landscape from traditional web injections, which rely on a single in-page JavaScript payload, to browser extensions. Extensions provide many capabilities that are quite challenging to achieve without them. The following analysis shows how powerful an extension is and why modern malware tends to use them.
The malware is most commonly delivered through carefully crafted phishing campaigns, malicious advertisements, or deceptive software updates that prompt users to install what appears to be a legitimate browser extension. Once deployed, Rilide integrates directly into the browser environment, granting it continuous access to active sessions, cookies, keystrokes, and form submissions. This positioning allows the malware to monitor banking activity in real time and exfiltrate credentials without disrupting the user experience.
What distinguishes Rilide from earlier banking trojans is its use of AI-assisted techniques to increase effectiveness and adaptability. The malware can dynamically analyze user behavior, browsing patterns, and transaction flows to determine the optimal timing for data theft or account manipulation. By learning how users interact with banking platforms, Rilide can adjust its web injections and authentication prompts to closely match legitimate interfaces, significantly reducing the likelihood of user suspicion.
Rilide also leverages machine-learning-driven content analysis to tailor attacks to specific financial institutions. By automatically identifying page structures, language patterns, and authentication workflows, the malware can generate highly convincing fake overlays or secondary verification requests. This capability enables attackers to scale campaigns across multiple banks and regions with minimal manual effort, increasing both reach and profitability.
From a technical standpoint, Rilide employs advanced evasion strategies. Its code is heavily obfuscated, frequently updated, and capable of altering its behavior to avoid detection by signature-based antivirus systems. Encrypted communication channels connect the malware to remote command-and-control infrastructure, where AI-supported decision logic can issue instructions based on live data collected from infected machines.
The emergence of Rilide underscores a broader transformation in cybercrime, where attackers increasingly rely on artificial intelligence to automate reconnaissance, personalization, and social engineering. Rather than exploiting a single vulnerability, Rilide attacks the human-browser-banking relationship itself, exploiting trust and familiarity as primary attack vectors.
Defending against AI-enhanced threats like Rilide requires a layered security approach. Financial institutions must strengthen behavioral analytics and real-time fraud detection to identify anomalies during authenticated sessions. Users, meanwhile, must exercise greater caution when installing browser extensions, remain alert to unexpected authentication requests, and rely on up-to-date security software capable of monitoring browser-level threats.
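Because the access Rilide gains (sessions, cookies, keystrokes and form submissions on every site) is granted through the permissions an extension declares, one practical control is to review the manifest.json of every installed extension for broad host access combined with session-reading APIs. The following added example is not code from the original post or from Trusteer; the permission list and scoring thresholds are a heuristic of my own, and the two manifests are constructed samples standing in for files read from a browser profile's Extensions directory.

```python
import json

# Permissions that, combined with broad host access, let an extension read
# sessions, cookies and form submissions on every site the user visits.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting",
                         "tabs", "webNavigation", "debugger", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def score_manifest(manifest):
    """Score one parsed manifest.json by its risky permissions and host reach."""
    perms = set(manifest.get("permissions", []))
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):   # page-injected scripts
        hosts |= set(cs.get("matches", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    broad = bool(hosts & BROAD_HOSTS)
    return {"name": manifest.get("name", "?"), "risky_permissions": risky,
            "broad_host_access": broad, "score": len(risky) + (3 if broad else 0)}

def is_suspicious(result):
    """Flag cookie/session access across all sites, or a pile of risky APIs."""
    return (result["broad_host_access"] and "cookies" in result["risky_permissions"]) \
        or result["score"] >= 5

def audit_manifests(manifests):
    """Return the scored results that merit a closer look, highest score first."""
    flagged = [r for r in map(score_manifest, manifests) if is_suspicious(r)]
    return sorted(flagged, key=lambda r: r["score"], reverse=True)

# Constructed sample manifests (hypothetical names, not real products): a benign
# tool and a trojanised extension of the kind described in the post.
SAMPLE_MANIFESTS = [
    {"name": "Page Color Picker", "manifest_version": 3,
     "permissions": ["activeTab", "storage"]},
    {"name": "PDF Helper", "manifest_version": 3,
     "permissions": ["cookies", "webRequest", "scripting", "tabs", "storage"],
     "host_permissions": ["<all_urls>"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
]

if __name__ == "__main__":
    for r in audit_manifests(SAMPLE_MANIFESTS):
        print(json.dumps(r))
```

On a real endpoint, feed `audit_manifests` the parsed manifest.json files found under the browser profile's Extensions directory and review anything it returns; a high score is a prompt for inspection, not proof of infection.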
In summary, Rilide malware illustrates how artificial intelligence is reshaping the threat landscape for online banking. By combining stealthy browser integration with adaptive, AI-driven attack logic, Rilide poses a serious challenge to digital financial security and highlights the urgent need for more intelligent, proactive defense mechanisms in the era of AI-powered cybercrime.