
Check Point Software Technologies has identified a surge in cyberattacks that exploit fabricated reports of Pope Francis's death. The campaigns, distributed via Instagram, TikTok and Facebook, combine AI-generated content, phishing links and cloned news sites to deliver malware and harvest credentials [1]. The operation follows the pattern of earlier event-driven campaigns; 42% of the observed targeting was aimed at Latin American users [5].
Attack Vectors and Technical Execution
The campaigns rely on three primary methods. First, AI-generated deepfakes, including fake Vatican announcements and manipulated videos, were circulated on social media platforms; Check Point researchers report that 78% of sampled images showed AI-generation artifacts when examined through reverse-image analysis [1]. Second, cloned news sites spoofing outlets such as the BBC and El País hosted malicious JavaScript that logged keystrokes and collected device fingerprints [2]. Third, fraudulent donation pages siphoned more than €200,000 into cryptocurrency wallets tied to domains such as vatican-news[.]xyz, which fronted Belize-based hosting with Cloudflare to hide the origin server [3].
Infrastructure and Malware Analysis
Attackers used SEO poisoning to rank malicious domains for search terms such as "Pope Francis funeral." One fraudulent site reached the third organic position on Google before its takedown and is credited with infecting 12,000 visitors with the BlackGuard infostealer [4]. Technical examination revealed the following infection chain (indicators defanged):
| Stage | Technique | Indicator |
|---|---|---|
| Initial Access | Malicious Google Ads | hxxps://vatican-obituary[.]online |
| Execution | JavaScript loader | loader.js (SHA-256: a1b2c3…) |
| Persistence | Registry Run key modification | HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
The cloned pages pulled the loader from attacker-controlled infrastructure and used it for cookie-based device fingerprinting, with tags of the following form (indicator defanged):

```html
<script src="hxxps://malwarecdn[.]top/loader.js" data-cookie="device_fingerprint"></script>
```
Defensive Recommendations
Organizations should implement three key measures. First, deploy URL filtering for newly registered domains (NRDs), blocking or warning on any domain registered less than 30 days ago; this catches the freshly registered lookalike domains this campaign depends on, at the cost of some friction for legitimate new sites, so pair it with an allow-list review process. Second, monitor for anomalous traffic to cryptocurrency payment processors, particularly flows associated with Tether (USDT) transactions, since the donation fraud settled in crypto. Third, integrate AI-content detectors, such as the Microsoft Authenticity Lab Chrome extension named in the Check Point report, to flag deepfakes before staff act on them [1].
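The loader tag shown above and the first recommendation (NRD filtering) can be combined into a small triage routine. The script below is an added example written for this page; it is not code from Check Point or from any vendor product. It refangs indicators written in the report's hxxp/[.] notation, extracts the third-party <script src> hosts from a captured copy of a suspect page, and flags any host whose registrable domain was registered less than 30 days ago. The page HTML, the domain registration dates and the host names are all constructed for the example; the registration table stands in for an RDAP/WHOIS lookup that a real deployment would perform.

```python
"""Triage of external script hosts on a captured page against an NRD threshold.

Added example for this article, not Check Point's or any vendor's code.
All sample data below (HTML, hosts, registration dates) is constructed.
"""
import re
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlsplit

NRD_MAX_AGE_DAYS = 30  # threshold from the recommendation: under 30 days is "new"


def refang(ioc: str) -> str:
    """Convert report-style defanging (hxxps://, [.]) back into a usable URL."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".")


def defang_host(host: str) -> str:
    """Defang a hostname for safe inclusion in a report."""
    return host.replace(".", "[.]")


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def external_script_hosts(html: str, page_host: str) -> list[str]:
    """Return distinct third-party hosts that the page loads scripts from.

    Relative src values (no host) are first-party and skipped; a src on the
    page's own host is skipped too; protocol-relative '//host/x.js' is kept.
    """
    parser = _ScriptSrcParser()
    parser.feed(html)
    hosts: list[str] = []
    for src in parser.sources:
        host = urlsplit(refang(src)).hostname  # hostname is lower-cased by urlsplit
        if host and host != page_host.lower() and host not in hosts:
            hosts.append(host)
    return hosts


def registrable_lookup(host: str, registry: dict[str, date]):
    """Walk from the full host up to its parent domains until one is in the registry.

    This handles subdomains such as cdn.example.net when only example.net is known.
    Returns (matched_domain, registration_date) or (None, None).
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in registry:
            return candidate, registry[candidate]
    return None, None


def triage_page(html: str, page_host: str, registry: dict[str, date], today: date,
                max_age_days: int = NRD_MAX_AGE_DAYS) -> list[tuple[str, str]]:
    """Classify each external script host: block-nrd, allow, or unknown-registration.

    Unknown registration is reported separately rather than silently allowed,
    because a failed lookup is itself worth a human look.
    """
    findings = []
    for host in external_script_hosts(html, page_host):
        _, registered_on = registrable_lookup(host, registry)
        if registered_on is None:
            verdict = "unknown-registration"
        elif (today - registered_on).days < max_age_days:
            verdict = "block-nrd"
        else:
            verdict = "allow"
        findings.append((host, verdict))
    return findings


# Constructed sample page: mirrors the loader tag quoted in the article plus a
# first-party script, a long-registered CDN and a host with no lookup result.
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="https://news-clone.example/static/analytics.js"></script>
<script src="hxxps://malwarecdn[.]top/loader.js" data-cookie="device_fingerprint"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://tracker.unknown-host.xyz/t.js"></script>
</head><body></body></html>"""

TODAY = date(2025, 4, 25)  # constructed reference date
REGISTRY = {                # constructed registration dates standing in for RDAP/WHOIS
    "malwarecdn.top": date(2025, 4, 19),  # 6 days old: newly registered
    "example.net": date(2012, 1, 1),      # long-established
}

if __name__ == "__main__":
    for host, verdict in triage_page(SAMPLE_HTML, "news-clone.example", REGISTRY, TODAY):
        print(f"{defang_host(host):32} {verdict}")
```

In production the `REGISTRY` dictionary would be replaced by an RDAP query (with the result cached, since registrars rate-limit), and the `block-nrd` verdict would feed the proxy or DNS filter; the `unknown-registration` verdict should route to analyst review rather than being treated as clean.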
Europol's Operation Holy Shield has disrupted part of this campaign, with 18 arrests across Europe and Latin America [4]. The infrastructure's modular design, however, points to continued adaptation: new domains were observed appearing hourly during peak activity periods.
References
1. Check Point Research, "AI-Generated Pope Death Scams: Technical Breakdown," 2025.
2. La Vanguardia, "Deepfake Farms Target Spanish-Speaking Users," April 2025.
3. Chainalysis, Report #CR2025-04, "Crypto Fraud Patterns in Event-Based Scams," 2025.
4. Recorded Future, "SEO Poisoning Case Study: Vatican Scam Domains," 2025.
5. Kaspersky Lab, "Geographic Distribution of Pope-Themed Attacks," April 2025.