Attackers weaponize AI brands to spread phishing and malware
Microsoft Threat Intelligence reported that threat actors are exploiting the popularity of AI platforms including ChatGPT, Claude, DeepSeek, and Flux Pro AI to drive phishing, malvertising, and malware delivery rather than compromising the vendors themselves. One ChatGPT-themed campaign, aimed largely at South African users, used payment-update emails and redirect chains through legitimate services to a compromised site that harvested personal and credit card data. A separate Claude-themed operation targeted more than 2,000 organizations and likely used adversary-in-the-middle techniques to steal Microsoft sign-in credentials and authentication tokens.
Microsoft also linked large-scale AI-themed malvertising to Storm-3075, which pushed fake AI plugin downloads and delivered malware including Vidar Stealer, Lumma Stealer, Hijack Loader, and Oyster, with parts of the chain tied to Fox Tempest malware-signing services. In another case, attackers created a fake DeepSeek V4 GitHub repository within hours of the model’s launch, using copied benchmark data, official-looking branding, SEO tactics, and rotating payloads to distribute Vidar and GhostSocks malware before GitHub removed the infrastructure. Microsoft said it revoked certificates, disrupted Fox Tempest infrastructure with partners, and coordinated takedowns, while urging defenders to strengthen MFA, conditional access, browser protections, and endpoint and email defenses.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
ChatGPT-themed phishing campaign hits targets in South Africa
Microsoft described a ChatGPT-branded phishing campaign that sent 4,500 emails to targets in South Africa. The activity was linked to broader infrastructure capable of sending up to 100,000 emails in a single day to targets in Switzerland, Austria, and South Africa.
Fortinet reports AI-themed malware campaign delivering AsyncRAT
FortiGuard Labs disclosed a high-severity Windows malware campaign using AI-themed lures in compressed archives and malicious LNK files to deploy a staged infection chain ending in a modular .NET RAT and AsyncRAT. Fortinet said the malware used persistence, defense evasion, and command-and-control infrastructure including 107[.]172[.]10[.]190 and several lookalike domains, and that its security products detect or block the activity.
Claude-themed AiTM campaign targets 2,000+ organizations
Microsoft Threat Intelligence documented an early-2026 phishing campaign abusing Claude branding to conduct adversary-in-the-middle token theft. The operation targeted more than 2,000 organizations in the United States, United Kingdom, and India.
Microsoft and partners disrupt Fox Tempest infrastructure
Microsoft said it and partners disrupted infrastructure associated with Fox Tempest, a malware-signing-as-a-service operation tied to signed malware used in AI-themed malvertising chains. The disruption was noted as having occurred in May 2026.
Microsoft publishes report on AI-brand social engineering campaigns
On June 8, 2026, Microsoft published a report describing multiple 2026 campaigns abusing AI brands such as ChatGPT, Claude, DeepSeek, and Flux Pro AI for phishing, malvertising, and malware delivery. The company said the activity reflected abuse of brand names rather than compromise of the legitimate AI vendors.
GitHub removes malicious DeepSeek spoofing infrastructure
After the fake DeepSeek V4 campaign was identified, GitHub removed the malicious repository, organization, and user account used in the operation. Microsoft assessed the activity as part of a broader ecosystem that rebrands malware around trending AI products rather than a compromise of DeepSeek itself.
Fake DeepSeek V4 GitHub repo appears within hours of launch
On April 24, 2026, attackers created a fake GitHub repository impersonating DeepSeek V4 within hours of the model's launch and used it to distribute malware. Microsoft said victims began downloading the malware within four hours, and the payloads were linked to Vidar infostealer and GhostSocks proxy malware.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Hackers are capitalizing on AI hype to ramp up social engineering attacks - and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victims | IT Pro
itpro.com
Open sourceThreat Actors Weaponize AI Hype to Deliver AsyncRAT | FortiGuard Labs
feeds.fortinet.com
Open sourceThreat Actors Abuse ChatGPT, Claude, and DeepSeek Brands as Phishing Lures to Steal Credentials
cybersecuritynews.com
Open sourceAI brands as bait: How threat actors are using the AI hype in social engineering - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceAI brands as bait: How threat actors are using the AI hype in social engineering | Microsoft Security Blog
microsoft.com
Open sourceOn April 24, 2026, within hours of the DeepSeek V4 launch, attackers had created a fake GitHub repository spoofing DeepSeek V4 to deliver malware. Within four hours, victims were downloading malware… | Microsoft Threat Intelligence
linkedin.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI-Enabled Phishing and Malware Delivery Trends
Security researchers and industry commentary describe a broader rise in **AI-assisted cybercrime**, with attackers using generative AI to improve phishing lures, clone legitimate login pages, and scale social-engineering operations. Reporting highlights that phishing remains a leading initial access vector, while **phishing-as-a-service** and AI-generated content are making campaigns more convincing and easier to produce at volume. IBM similarly warns that AI is acting as a force multiplier for attackers, lowering the cost of malware development and enabling more disposable, harder-to-attribute malicious tooling. Kaspersky documented active campaigns in which threat actors used **Google Search ads** and fake documentation pages to distribute the **AMOS** infostealer on macOS and **Amatera** on Windows, disguising the malware as popular AI tools including **OpenClaw**, **Claude Code**, and **Doubao**. By contrast, ZDNET's article focuses on the business and product-security shortcomings of Moltbook and OpenClaw acquisitions rather than a specific threat campaign, making it adjacent but not part of the same security event. The material overall is **not fluff** because it includes substantive threat reporting and technical security analysis, even though the references describe related developments rather than one discrete incident.
Mar 21, 2026
Malware Campaigns Leveraging AI Chat Platforms for Credential and Crypto Theft
Threat actors have launched sophisticated malware campaigns that exploit legitimate AI chat platforms, such as ChatGPT and Grok, to deliver malicious code to unsuspecting users. By using SEO poisoning and sponsored Google search results, attackers redirect users searching for common macOS troubleshooting tips to fake shared chat links on these AI platforms. These chats appear to offer helpful system instructions but actually embed obfuscated, base64-encoded commands that, when executed, install multi-stage malware. The infection process often involves social engineering tactics, such as prompting users to enter their system password under the guise of credential verification, which is then used to escalate privileges and deploy the main malware payload. Security researchers have identified the malware as variants of information stealers, including Shamus and AMOS, which are capable of stealing credentials and cryptocurrency, and employ advanced evasion techniques like multi-layered encoding and custom decoders to avoid detection. This attack method is particularly effective because it leverages the inherent trust users place in well-known AI brands and their official domains, bypassing traditional safety checks. The campaigns highlight a growing trend in cybercrime where legitimate AI tools are weaponized to facilitate malware delivery, making detection and prevention more challenging. Security analysts emphasize the need for increased vigilance when interacting with AI-generated content, especially when prompted to execute system commands, and recommend enhanced monitoring for suspicious activity originating from AI platform interactions.
Mar 21, 2026
AI and Open-Source Ecosystem Abused for Malware Delivery and Agent Manipulation
Multiple reports describe threat actors abusing *AI-adjacent* and open-source distribution channels to deliver malware or manipulate automated agents. Straiker STAR Labs reported a **SmartLoader** campaign that trojanized a legitimate-looking **Model Context Protocol (MCP)** server tied to *Oura* by cloning the project, fabricating GitHub credibility (fake forks/contributors), and getting the poisoned server listed in MCP registries; the payload ultimately deployed **StealC** to steal credentials and crypto-wallet data. Separately, researchers observed attackers using trusted platforms and SaaS reputations for delivery and monetization: a fake Android “antivirus” (*TrustBastion*) was hosted via **Hugging Face** repositories to distribute banking/credential-stealing malware, and Trend Micro documented spam/phishing that abused **Atlassian Jira Cloud** email reputation and **Keitaro TDS** redirects to funnel targets (including government/corporate users across multiple language groups) into investment scams and online casinos. In parallel, research highlights emerging risks where **AI agents and AI-enabled workflows become the target or the transport layer**. Check Point demonstrated “**AI as a proxy**,” where web-enabled assistants (e.g., *Grok*, *Microsoft Copilot*) can be coerced into acting as covert **C2 relays**, blending attacker traffic into commonly allowed enterprise destinations, and outlined a trajectory toward prompt-driven, adaptive malware behavior. OpenClaw featured in two distinct security developments: an OpenClaw advisory described a **log-poisoning / indirect prompt-injection** weakness (unsanitized WebSocket headers written to logs that may later be ingested as trusted context), while Hudson Rock reported an infostealer incident that exfiltrated sensitive **OpenClaw configuration artifacts** (e.g., `openclaw.json` tokens, `device.json` keys, and “memory/soul” files), signaling that infostealer operators are beginning to harvest AI-agent identities and automation secrets in addition to browser credentials.
Mar 21, 2026