June 23, 2026
By esentry Team

GPT-Scam: Malvertisers Exploit AI Craze

What happened: Attackers purchased Google sponsored ads targeting "ChatGPT desktop app" and "ChatGPT download," funneling users through a legitimate-looking ChatGPT share page displaying a fake outage notice before redirecting to a malicious download portal.

Attack Chain

MALVERTISING (Sponsored Ads) ❯ Attackers buy Google ads for “ChatGPT download” and similar high-traffic terms.  

FAKE OUTAGE PAGE (Trusted Domain Abuse) ❯ Ad clicks lead to a real chatgpt.com page showing a fake high-traffic outage notice; because it is a legitimate domain, security filters allow it.

REDIRECT TO FAKE DOWNLOAD SITE ❯ Users are sent to openew[.]app, a spoofed OpenAI download page using cloaking to evade detection.  

MALICIOUS INSTALLER DELIVERY ❯ Victims download fake apps: Windows: Chat_GPT.exe; macOS: ChatGpt.dmg

MALWARE EXECUTION ❯ Windows: PowerShell runs fileless commands from memory. macOS: the stealer uses AppleScript to grab passwords, cookies, Telegram data, and crypto wallets.

Affected platforms: Windows, macOS

Malware delivered: Windows: credential-stealing loader; macOS: Odyssey Stealer (Atomic Stealer fork), which targets passwords, browser cookies, crypto wallets, and Telegram sessions

Attribution: None confirmed

Response status: Multiple security vendors have flagged the infrastructure. No patch can fully prevent this class of abuse, as it exploits a design feature, not a software vulnerability.

Key Findings

Indicators of Compromise

Why this matters

  • Attackers host their lure on OpenAI's own chatgpt.com domain, bypassing URL-reputation checks and corporate firewalls that would catch a conventional phishing page.
  • Cross-platform payloads are delivered simultaneously, broadening the potential victim pool across both Windows and macOS users.
  • The technique exploits a design feature of ChatGPT's shared-link system, not a software vulnerability, so no patch can fully close this attack surface.
  • Corporate allow-lists for AI productivity tools silently pass chatgpt.com traffic, which attackers are exploiting as a trusted bypass.
  • Abuse of ChatGPT share links represents a new trust-boundary problem. Because the initial lure lands on OpenAI's legitimate domain, it defeats URL-reputation filters, perimeter firewalls, and user vigilance that would ordinarily stop a phishing attempt.
  • Traditional URL filtering is being undermined by attacker abuse of trusted SaaS domains. As organizations add AI tools to corporate allow-lists, attackers will continue using those same domains as staging infrastructure.
  • Security awareness training must now explicitly cover AI platform abuse scenarios. Users need to understand that a legitimate-looking domain can host malicious redirect content, and that paid search placements carry no security guarantee.

Mitigations For Users and Organizations

For individual users:

  • Never download software from sponsored search results. Sponsored results can be purchased by anyone, including attackers. Always navigate directly to the official OpenAI website at chatgpt.com/download or use the Microsoft Store.
  • Verify the URL before downloading. The official ChatGPT download page is at chatgpt.com/download. The malicious domain openew[.]app is designed to visually mimic this page.
  • Check the URL of any ChatGPT share link. Legitimate share links begin with chatgpt.com/s/, but attackers can host malicious content there. If the page shows a non-standard message (such as an outage notice), be suspicious.
  • Run updated antivirus software. Nine of 69 antivirus engines flagged the Windows payload at the time of analysis, meaning some AV products may miss it. Behavioral detection and EDR are recommended.

For security teams:

  • Block known malicious infrastructure. Add openew[.]app and IP 144.172.104.205 to blocklists.
  • Monitor for the file hashes. Add the SHA256 hashes for the Windows and macOS payloads to detection rules (see Key Findings in this newsletter).
  • Consider restricting ChatGPT share links in corporate environments. While this is not a complete solution, policy-based filtering of chatgpt.com/s/ URLs may reduce exposure.
  • Educate users about this specific attack pattern. Users should understand that sponsored search results can be malicious, and that legitimate domains like chatgpt.com can host deceptive content.
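The blocklist entries and the share-link pivot described above, as an added proxy-log detection example that is not part of the esentry write-up. The log format, client IPs and the share-link ID are constructed; the defanged indicators from the text are undone only for matching.

```python
# Added example: flag (a) requests to the indicators named in the write-up,
# (b) a hop from a chatgpt.com/s/ share page to any non-OpenAI host, and
# (c) a download of a lookalike installer name from a non-OpenAI host.
import re
from urllib.parse import urlparse

BAD_HOSTS = {"openew.app", "144.172.104.205"}          # defanged "[.]" undone
TRUSTED_HOSTS = {"chatgpt.com", "www.chatgpt.com"}      # where the lure lives
INSTALLER_NAMES = {"chat_gpt.exe", "chatgpt.dmg"}       # names from the write-up

# Constructed log format: <timestamp> <client> <url> <referer-or-dash>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+) (?P<referer>\S+)$")

def analyze(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    ref = urlparse(m["referer"]) if m["referer"] != "-" else None
    host = (url.hostname or "").lower()
    findings = []
    if host in BAD_HOSTS:
        findings.append("known-bad-host")
    # The pivot: arrived from a legitimate share page, landed somewhere else.
    if ref and ref.hostname in TRUSTED_HOSTS and ref.path.startswith("/s/") \
            and host not in TRUSTED_HOSTS:
        findings.append("share-link-pivot")
    if url.path.rsplit("/", 1)[-1].lower() in INSTALLER_NAMES \
            and host not in TRUSTED_HOSTS:
        findings.append("lookalike-installer")
    if not findings:
        return None
    return {"client": m["client"], "url": m["url"], "findings": findings}

def scan(lines):
    """Run analyze() over a log and keep only the lines with findings."""
    return [r for r in (analyze(l) for l in lines) if r]

# Constructed sample: one client walks the chain, another visits the real download page.
SAMPLE_LOG = [
    "2026-06-23T10:01:02Z 10.0.0.7 https://chatgpt.com/s/abc123 https://www.google.com/",
    "2026-06-23T10:01:09Z 10.0.0.7 https://openew.app/download https://chatgpt.com/s/abc123",
    "2026-06-23T10:01:15Z 10.0.0.7 https://openew.app/files/Chat_GPT.exe https://openew.app/download",
    "2026-06-23T10:02:00Z 10.0.0.8 https://chatgpt.com/download -",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The share-page visit itself is not flagged, since the page is legitimate; the alert fires on the outbound hop and on the installer fetch, which is where a blocklist or policy filter can act.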