Fake ChatGPT desktop client steals Chrome login data

Researchers are warning about an infostealer mimicking a ChatGPT Windows desktop client that’s capable of copying saved credentials from the Google Chrome login data folder.

ChatGPT has not released an official desktop client, but this bogus version looks remarkably similar to what one would expect.

Infostealer disguised as ChatGPT

The infostealer is being distributed via a zip archive carrying a file named ChatGPT For Windows Setup 1.0.0.exe.

During the installation process, the malware runs in the background and begins extracting Chrome login data using Havelock, a tool that extracts and decrypts accounts, cookies, and history from Chromium-based web browsers.

“The client connects to various domains such as http://api.telegram.org, http://facebook.com, http://lumtest.com (for querying geoIP location), http://graph.facebook.com (for getting data into and out of the Facebook platform), and http://api.aiforopen.com,” Trend Micro revealed.

The grabbed data is exfiltrated via Telegram.

The fake ChatGPT client creates an AutoStart entry in the registry to ensure that the infostealer runs every time the infected machine starts up. It also has the ability to hide its console window and to extract web session cookies via sqlite3. Its many dependencies point to additional capabilities.

Chrome users in the crosshairs

Attackers have lately been exploiting users’ desire for a ChatGPT desktop and mobile app to deliver different types of malware.

Trend Micro also found similarities between this malicious payload and a piece of malware dubbed DUCKTAIL, an infostealer designed to hijack Facebook Business accounts.

Users are advised to avoid downloading applications from untrusted or unauthorized sources. ChatGPT does not have an official desktop client or mobile app, which means that such claims or offers should be treated with caution.

Don't miss