Malware disguised as ChatGPT

Check Point reported that in the four months from January to April 2023, 13,296 new domains related to ChatGPT or OpenAI were registered, and that one in every 25 of them was malicious or potentially malicious.

Meta announced that in March and April 2023 it blocked more than 1,000 malicious links using ChatGPT as a lure from being shared across its platforms (including Facebook and WhatsApp).

Meta’s security team found 10 malware families, including Ducktail and NodeStealer, impersonating ChatGPT and similar artificial intelligence tools in March. “As the world continues to embrace artificial intelligence’s groundbreaking potential, cyber criminals target popular websites, social media, and the latest tools to exploit their popularity to steal users’ data and further attack their trusted connections,” said James McQuiggan, a security awareness advocate at KnowBe4. “As seen with cryptocurrency interest, the rapid increase of new technology creates a breeding ground for scams and malicious activities.”

Ducktail hijacked logged-in sessions, browser cookies, account information, location data, and two-factor authentication codes to take over accounts and reach Facebook ad accounts. Meta attributed Ducktail to threat actors in Vietnam, served them with cease-and-desist letters, and reported them to the relevant law enforcement authorities.

Similarly, NodeStealer targeted browsers on Windows to extract saved login information and compromise online accounts such as Facebook, Gmail, and Outlook. Meta stated that NodeStealer is custom-written in JavaScript and bundles the Node.js runtime, and assessed that it is of Vietnamese origin and distributed by threat actors in Vietnam.

Meta believes its quick response limited the number of victims: it says it discovered NodeStealer within two weeks of the malware being deployed and helped affected users recover their compromised accounts.

To counter such threats, Meta said it’s launching a new support tool that guides users to identify and remove malware, enable businesses to verify connected Business Manager accounts, and require additional authentication when accessing a credit line or changing business administrators.

ChatGPT Windows Desktop

There is also a warning about an info stealer posing as a ChatGPT Windows desktop client that copies saved credentials from Google Chrome’s “Login Data” database. OpenAI has not released an official desktop client, but the fake one looks remarkably similar to what a user would expect.

The info stealer is being distributed via a zip archive carrying a file named ChatGPT For Windows Setup 1.0.0.exe. During the installation process, the malware runs in the background and begins extracting Chrome login data using Havelock, a tool that extracts and decrypts accounts, cookies, and history from Chromium-based web browsers.

Trend Micro found that the client also connects to several domains, including Facebook and Google, to collect location data and usernames.

The fake ChatGPT client creates an AutoStart entry in the registry so that the info stealer runs every time the infected machine boots. It can also hide its console window and extract web session cookies via sqlite3, and its many bundled dependencies point to further capabilities.
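The three artefacts the preceding paragraphs describe (a Run-key persistence entry, Chrome’s “Login Data” database, and the session cookies read through sqlite3) are exactly what a responder should inventory on a host that ran the fake installer. The following Python script is an added example written for this page, not code from Trend Micro or from the malware: it flags suspicious Run-key values and lists which saved logins and session cookies a stealer could have read from a Chromium profile, working on a copy of each database and never decrypting the stored password blobs. The lure tokens, path heuristics and the sample profile it builds are constructed assumptions for illustration; Chrome’s real tables contain more columns than the subset created here.

```python
"""Triage of a host suspected of running the fake "ChatGPT For Windows" installer.
Added example for this article; heuristics and sample data are constructed."""
import os
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Heuristics for Run-key values (assumptions, not published indicators).
LURE_TOKENS = ("chatgpt", "openai")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    "ChatGPT": r"C:\Users\alice\AppData\Local\Programs\ChatGPT\ChatGPT.exe --hidden",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}


def flag_run_entries(entries):
    """Return the names of Run-key values whose name or command references an
    AI-tool lure, or whose executable lives in a user-writable directory where a
    downloaded installer would land. AppData hits still need analyst review,
    since some legitimate per-user installs live there too."""
    flagged = []
    for name, command in entries.items():
        text = f"{name} {command}".lower()
        if any(tok in text for tok in LURE_TOKENS) or any(h in text for h in USER_WRITABLE_HINTS):
            flagged.append(name)
    return flagged


def _query_copy(db_path, sql):
    """Run a query against a temporary copy of a Chromium SQLite file.
    Chrome holds a lock on the live file while running, and forensic reads
    must never touch the original; the copy is opened read-only and deleted."""
    fd, tmp = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    shutil.copyfile(db_path, tmp)
    try:
        con = sqlite3.connect(f"{Path(tmp).as_uri()}?mode=ro", uri=True)
        try:
            return con.execute(sql).fetchall()
        finally:
            con.close()
    finally:
        os.remove(tmp)


def exposed_logins(login_data_path):
    """(origin_url, username) pairs readable from 'Login Data'. The password_value
    column holds DPAPI/AES-GCM ciphertext and is deliberately not selected."""
    return _query_copy(login_data_path,
                       "SELECT origin_url, username_value FROM logins ORDER BY origin_url")


def exposed_cookies(cookies_path, hosts=("facebook.com", "google.com")):
    """(host_key, name) for cookies on the hosts the report names as targets.
    host_key is often stored with a leading dot, so match on the suffix."""
    rows = _query_copy(cookies_path,
                       "SELECT host_key, name FROM cookies ORDER BY host_key, name")
    return [(h, n) for h, n in rows if any(h.lstrip(".").endswith(t) for t in hosts)]


def build_sample_profile(directory):
    """Create constructed 'Login Data' and 'Cookies' files using only the
    columns the queries above need (a subset of Chrome's real schema)."""
    blob = b"v10" + b"\x00" * 16  # placeholder for Chrome's encrypted value
    login_path = os.path.join(directory, "Login Data")
    con = sqlite3.connect(login_path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://www.facebook.com/login", "ads-manager@example.com", blob),
        ("https://accounts.google.com/", "alice@example.com", blob),
    ])
    con.commit()
    con.close()
    cookies_path = os.path.join(directory, "Cookies")
    con = sqlite3.connect(cookies_path)
    con.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB)")
    con.executemany("INSERT INTO cookies VALUES (?, ?, ?)", [
        (".facebook.com", "c_user", blob),
        (".facebook.com", "xs", blob),
        (".google.com", "SID", blob),
        (".example.org", "theme", blob),
    ])
    con.commit()
    con.close()
    return login_path, cookies_path


def run_triage(run_entries=None):
    """Build the constructed profile in a temp dir and return the triage findings."""
    with tempfile.TemporaryDirectory() as d:
        login_path, cookies_path = build_sample_profile(d)
        return {
            "persistence": flag_run_entries(run_entries or SAMPLE_RUN_ENTRIES),
            "logins": exposed_logins(login_path),
            "cookies": exposed_cookies(cookies_path),
        }


if __name__ == "__main__":
    for key, value in run_triage().items():
        print(key, value)
```

On a real host, point `exposed_logins` and `exposed_cookies` at the files under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\` (or the equivalent profile directory of another Chromium-based browser) and feed `flag_run_entries` the exported Run key; every login and cookie the script lists should be treated as compromised and rotated, with the Facebook and Google sessions revoked first.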

It is important to stay vigilant: the generative AI space is evolving rapidly, and attackers are finding ways to exploit its popularity.
