Numero
Numero is a destructive Windows malware family identified by Cisco Talos and distributed as a fake installer for InVideo AI. It was observed in AI-themed malware campaigns that used SEO poisoning, fake websites, Telegram, and social media messengers to lure victims searching for popular AI tools.

In the documented campaign, the malicious installer impersonated InVideo AI in its file metadata and dropped three files into the user's local application data temporary folder: a batch file, a VBScript, and the main Numero payload, wintitle.exe. The batch file runs Numero in an infinite loop: it starts wintitle.exe, pauses for 60 seconds by running the VBScript with cscript, terminates the process, and starts it again, so that the payload keeps executing even if a user or tool kills it.

Numero is a 32-bit Windows executable written in C++ and reportedly compiled on 2025-01-24. Its primary behavior is destructive manipulation of the Windows graphical user interface: it calls GetDesktopWindow, EnumChildWindows, and SendMessageW to continuously overwrite the titles, buttons, and contents of desktop child windows with the numeric string "1234567890", ultimately rendering the system unusable. The malware also checks for analysis and debugging tools, including IDA, x64dbg, x32dbg, OllyDbg, Scylla, WinDbg, ResHacker, ImportREC, Immunity Debugger, Zeta Debugger, and Rock Debugger.

High-confidence indicators and artifacts mentioned in the reporting are the payload name wintitle.exe, the repeated numeric string 1234567890 written into GUI elements, and the fake InVideo AI installer lure. Reporting places Numero alongside other fake AI-tool malware such as CyberLock and Lucky_Gh0$t, with particular risk noted for users and organizations in the B2B sales, technology, and marketing sectors that commonly seek such tools.
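As an added example (not Talos code and not part of this profile), the following Python hunt flags the documented dropper chain in Sysmon-style process-creation telemetry: wintitle.exe executing from the user's Temp folder, cscript.exe running a .vbs from Temp under cmd.exe (the 60-second sleep), and the same image being relaunched on a roughly 60-second cadence. The host names, victim profile path, installer, batch and VBScript file names, and timestamps are constructed for the example; the Temp location is assumed to be %LOCALAPPDATA%\Temp. Only wintitle.exe, cscript.exe, the Temp drop location, and the 60-second loop come from the reporting.

```python
"""Hunt the Numero dropper execution chain in process-creation events.

Added example, not code from the Talos report. Events are plain dicts
modelled on Sysmon Event ID 1 fields; everything below except wintitle.exe,
cscript.exe, the Temp drop folder and the 60 s cadence is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# %LOCALAPPDATA%\Temp of any user profile (assumed drop location), case-insensitive.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
PAYLOAD_NAME = "wintitle.exe"  # payload name from the Talos reporting
SCRIPT_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\s]+\.vbs)"?', re.IGNORECASE)


def _ev(ts, host, image, parent, cmdline):
    return {"ts": ts, "host": host, "image": image, "parent": parent, "cmdline": cmdline}


# Constructed sample telemetry. loop.bat, sleep.vbs and installer.exe are
# placeholder names; the reporting does not give the dropped batch/VBS names.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
CMD = r"C:\Windows\System32\cmd.exe"
CSCRIPT = r"C:\Windows\System32\cscript.exe"
PAYLOAD = TEMP + "\\wintitle.exe"
EVENTS = [
    _ev("2025-06-01T10:00:00", "WS01", CMD, r"C:\Users\alice\Downloads\installer.exe",
        'cmd.exe /c "' + TEMP + '\\loop.bat"'),
    _ev("2025-06-01T10:00:01", "WS01", PAYLOAD, CMD, PAYLOAD),
    _ev("2025-06-01T10:00:01", "WS01", CSCRIPT, CMD, "cscript.exe //nologo " + TEMP + "\\sleep.vbs"),
    _ev("2025-06-01T10:00:30", "WS01", r"C:\Windows\System32\notepad.exe",
        r"C:\Windows\explorer.exe", "notepad.exe"),                      # benign noise
    _ev("2025-06-01T10:01:02", "WS01", PAYLOAD, CMD, PAYLOAD),
    _ev("2025-06-01T10:01:02", "WS01", CSCRIPT, CMD, "cscript.exe //nologo " + TEMP + "\\sleep.vbs"),
    _ev("2025-06-01T10:02:03", "WS01", PAYLOAD, CMD, PAYLOAD),
    _ev("2025-06-01T10:02:03", "WS01", CSCRIPT, CMD, "cscript.exe //nologo " + TEMP + "\\sleep.vbs"),
    _ev("2025-06-01T10:03:04", "WS01", PAYLOAD, CMD, PAYLOAD),
    # benign logon script on another host: cscript under cmd.exe, but not from Temp
    _ev("2025-06-01T10:00:05", "WS02", CSCRIPT, CMD, r"cscript.exe \\dc01\netlogon\logon.vbs"),
]


def in_user_temp(path):
    return bool(USER_TEMP_RE.match(path))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_temp_payload(events):
    """The known payload name executing out of a user's Temp folder."""
    return [e for e in events
            if basename(e["image"]) == PAYLOAD_NAME and in_user_temp(e["image"])]


def find_vbs_from_temp(events):
    """cscript/wscript spawned by cmd.exe running a .vbs from user Temp (the sleep step)."""
    hits = []
    for e in events:
        if basename(e["image"]) not in ("cscript.exe", "wscript.exe"):
            continue
        if basename(e["parent"]) != "cmd.exe":
            continue
        if any(in_user_temp(p) for p in SCRIPT_PATH_RE.findall(e["cmdline"])):
            hits.append(e)
    return hits


def find_restart_loop(events, period=60.0, tolerance=5.0, min_intervals=3):
    """An image from user Temp relaunched on one host at a steady ~period cadence.

    Returns (host, image, launch_count) for every image whose launch-to-launch
    gaps fall within period +/- tolerance at least min_intervals times.
    """
    launches = defaultdict(list)
    for e in events:
        if in_user_temp(e["image"]):
            launches[(e["host"], e["image"].lower())].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for (host, image), times in launches.items():
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = sum(1 for d in deltas if abs(d - period) <= tolerance)
        if periodic >= min_intervals:
            hits.append((host, image, len(times)))
    return hits


def hunt(events):
    return {
        "temp_payload": find_temp_payload(events),
        "vbs_sleep": find_vbs_from_temp(events),
        "restart_loop": find_restart_loop(events),
    }


if __name__ == "__main__":
    for rule, hits in hunt(EVENTS).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

The restart-loop rule is the most durable of the three: it keys on the batch loop's timing rather than on the file name, so it still fires if a later build renames wintitle.exe, while the Temp-path and cscript rules give the context needed to confirm the chain on the host.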
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Threat actors are employing a variety of techniques and channels to distribute these fraudulent installers, including SEO-poisoning tactics to manipulate search engine rankings and cause their malicious websites or download links to appear at the top of search engine results.
Initial Access (1 technique)
Execution (3 techniques)
The fake installer is a dropper containing a malicious Windows batch file... Then it executes the dropped Windows batch file through Windows shell in an infinite loop.
Stealth (2 techniques)
Discovery (1 technique)
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Destructive Windows malware delivered via a fake InVideo AI installer; overwrites GUI elements and renders the OS unusable.
Newly referenced malware distributed via fake AI tool installers (details not provided in the excerpt).
Destructive Windows malware disguised as an InVideo AI installer. It is dropped with batch and VBScript components, runs persistently in an infinite loop, checks for analysis tools, and continuously manipulates desktop child windows to overwrite titles, buttons, and contents with '1234567890', rendering the system unusable.
Destructive malware distributed via fake AI tool installers, capable of damaging or wiping files on infected systems.