This technical blog examines a malicious campaign in which attackers impersonated OpenAI’s ChatGPT download experience through the domain openew.app. The operation used convincing branding, a cloned user interface, HTTPS protection, and platform-specific malware delivery mechanisms targeting both Windows and macOS users. The campaign demonstrates how threat actors increasingly exploit the popularity of AI platforms to distribute credential stealers, cryptocurrency-focused malware, and session hijacking tools. Rather than relying on sophisticated exploitation techniques, the attackers focused on social engineering, search visibility, brand impersonation, and modular malware infrastructure. The result is a highly scalable operation capable of harvesting credentials, browser data, cryptocurrency wallet information, and authentication sessions from unsuspecting victims.

How the Fake ChatGPT Website Operated
The fraudulent website closely mirrored the appearance of OpenAI’s legitimate ChatGPT download page. By using a modern design, familiar branding, and separate download options for Windows and macOS, the operators recreated the exact user experience visitors expect from a software vendor. The use of a .app domain further increased credibility because browsers displayed HTTPS indicators and valid certificate information. The campaign illustrates a broader cybersecurity challenge: users often rely on search results, advertisements, and social media recommendations rather than navigating directly to official vendor websites. Attackers leveraged this behavior to position a malicious distribution point that appeared trustworthy while silently delivering malware tailored to the visitor’s operating system.
Windows Payload Analysis
The Windows payload, distributed as Chat_GPT.exe, relied heavily on publicly available software components including Inno Setup and Electron. These frameworks are widely used by legitimate applications, making malicious activity more difficult to identify through superficial inspection. After execution, the installer created files within user application directories, launched additional processes, and executed PowerShell commands designed to avoid leaving obvious traces on disk. Network telemetry indicated communication with attacker-controlled infrastructure and behavior consistent with commodity credential theft operations. While the malware itself was not technically groundbreaking, its modular architecture and low deployment cost made it highly effective. This reflects a common trend in modern cybercrime where operators prioritize reliability, scalability, and monetization rather than advanced technical innovation.
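A detection pass over process-creation telemetry for the delivery chain just described (an installer dropped into a user application directory whose process launches PowerShell with trace-avoiding options). This is an added example, not code from the original post or its analysis; the events are constructed, and the Sysmon-style field names (Image, ParentImage, CommandLine) and the option patterns are assumptions about what such telemetry contains, not the campaign's actual commands.

```python
import re

# Sysmon-style process-creation events, constructed for this example (assumption: fields
# Image, ParentImage, CommandLine as in an Event ID 1 export; not the campaign's telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Programs\chatgpt\ChatGPT.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-EncodedCommand BASE64_PLACEHOLDER"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\is-ABC12.tmp\Chat_GPT.tmp",
     "CommandLine": "cmd.exe /c whoami"},
]

# Parent binaries living under a user profile (where an installer can write without admin rights).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# Command-line options that keep PowerShell activity quiet or off disk; each one is a reason.
EVASION_FLAGS = {
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+\S+", re.I),
    "execution policy bypass": re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I),
    "no profile": re.compile(r"-nop(rofile)?\b", re.I),
}

def score_event(ev):
    """Return (score, reasons) for one event; the score is simply the number of reasons."""
    reasons = []
    if USER_WRITABLE.search(ev["ParentImage"]):
        reasons.append("parent runs from a user-writable profile directory")
    if POWERSHELL.search(ev["Image"]):
        reasons.append("child is PowerShell")
        reasons += [name for name, rx in EVASION_FLAGS.items() if rx.search(ev["CommandLine"])]
    return len(reasons), reasons

def triage(events, threshold=3):
    """Keep events at or above the threshold. A lone PowerShell launch or a lone
    user-directory parent is everyday noise; the combination with evasion flags is not."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append({"parent": ev["ParentImage"], "score": score, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["parent"], "|", "; ".join(hit["reasons"]))
```

The threshold is deliberately set so that an admin script launched from Explorer, or an installer helper that only runs cmd.exe, is not reported on its own.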
macOS Payload Analysis: Odyssey Stealer
The macOS branch of the campaign delivered Odyssey Stealer, a malware family associated with the AMOS ecosystem. Odyssey focuses heavily on credential theft, browser data collection, cryptocurrency wallet harvesting, and user authentication compromise. Analysis revealed AppleScript-driven execution chains, password validation mechanisms, and convincing macOS-style prompts designed to capture user credentials. Once successful, the malware extracted browser cookies, saved passwords, keychain data, messaging application sessions, and wallet-related information. It targeted multiple Chromium-based browsers, Firefox variants, Telegram sessions, and numerous cryptocurrency applications. The collected information was compressed and transmitted to attacker-controlled servers, providing threat actors with immediate access to valuable digital assets and authentication artifacts.
Cryptocurrency Theft and Wallet Replacement
The most concerning component of the operation was the wallet replacement functionality. Beyond stealing data, the malware attempted to replace legitimate cryptocurrency wallet applications with trojanized versions. By targeting applications such as Ledger Live and Trezor Suite, attackers positioned themselves to intercept future wallet activity even after the initial compromise. If administrative credentials were successfully captured, the malware leveraged elevated privileges to force replacement of existing applications. This capability significantly increases the financial impact of the attack because it extends persistence beyond the initial infection and directly targets high-value cryptocurrency assets.
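A defender-side integrity check for the wallet applications named above: verify each bundle's code signature with codesign and compare the signing Team ID with one recorded from a known-good install, which is what a trojanized replacement would fail. This is an added example, not code from the original post or from Ledger or Trezor; the Team IDs, bundle identifier and the codesign output sample are constructed placeholders (assumptions) to be replaced with values recorded from your own clean installation.

```python
import subprocess
import sys

# Known-good signing Team IDs. PLACEHOLDERS (assumption): record the real ones from a clean install.
EXPECTED_TEAM_ID = {
    "/Applications/Ledger Live.app": "TEAMID_LEDGER_PLACEHOLDER",
    "/Applications/Trezor Suite.app": "TEAMID_TREZOR_PLACEHOLDER",
}

# Constructed sample of `codesign -dv --verbose=4` output (written to stderr); values are made up.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.example.wallet
Authority=Developer ID Application: Example Vendor (TEAMID_LEDGER_PLACEHOLDER)
Authority=Apple Root CA
TeamIdentifier=TEAMID_LEDGER_PLACEHOLDER"""

def parse_codesign(text):
    """codesign key=value lines -> dict; Authority repeats, so it is kept as a list."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "Authority":
            info["Authority"].append(value)
        elif sep:
            info[key] = value
    return info

def assess(bundle, info, verify_ok):
    """Verdict from signature validity, Team ID match and a Developer ID chain."""
    expected = EXPECTED_TEAM_ID.get(bundle)
    team = info.get("TeamIdentifier", "not set")
    if not verify_ok:
        return "REPLACE: signature invalid or bundle contents modified"
    if team != expected:
        return f"REPLACE: signed by Team ID {team}, expected {expected}"
    if not any(a.startswith("Developer ID Application:") for a in info["Authority"]):
        return "REVIEW: valid signature but not a Developer ID chain"
    return "OK"

def check_installed():
    """Query the real bundles with codesign; meaningful only on macOS, empty elsewhere."""
    if sys.platform != "darwin":
        return {}
    report = {}
    for bundle in EXPECTED_TEAM_ID:
        verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", bundle], capture_output=True)
        detail = subprocess.run(["codesign", "-dv", "--verbose=4", bundle], capture_output=True, text=True)
        report[bundle] = assess(bundle, parse_codesign(detail.stderr), verify.returncode == 0)
    return report
```

Any REPLACE verdict means the bundle should be reinstalled from the vendor's official source on a trusted device, not trusted after a password change alone.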
Economics of the Campaign
The operation highlights the economics of modern cybercrime. Infrastructure costs were relatively low, consisting of a domain registration, cloned website, hosting services, and commodity malware tooling. However, the macOS component represented a significantly larger investment due to the commercial nature of Odyssey malware. This difference reflects attacker expectations regarding return on investment. Cybercriminal groups increasingly view cryptocurrency-focused macOS infections as highly profitable targets. By combining low-cost distribution mechanisms with premium malware subscriptions, operators create a scalable business model capable of generating substantial returns from a relatively small number of successful compromises.
Why AI Brands Are Attractive Targets
The rapid adoption of AI products has created ideal conditions for impersonation campaigns. Many users are downloading AI applications for the first time and may not know official distribution channels. Search engine optimization abuse, malicious advertising, cloned websites, and social media promotion provide attackers with efficient methods for reaching victims. Unlike mature software ecosystems where users often recognize official download sources, AI platforms continue to experience large volumes of first-time traffic. Threat actors exploit this uncertainty by creating convincing replicas that require minimal effort to maintain and can easily be rebranded for future AI products.
Incident Response and Recovery Guidance
Organizations and individual users who suspect installation of a malicious application should immediately begin incident response activities. Critical actions include signing out of active sessions, changing passwords, rotating API credentials, reviewing cloud access tokens, monitoring financial accounts, and migrating cryptocurrency assets using a separate trusted device. Because credential theft and session hijacking may already have occurred, relying solely on password changes may be insufficient. A complete operating system reinstallation remains the most reliable remediation strategy, particularly when malware has obtained administrative privileges or captured system authentication credentials.
Our Opinion on the Case
This campaign is a powerful example of how cybercriminals are adapting faster than many users and organizations. The malware itself is not the most important aspect of the incident. What truly stands out is the efficiency of the delivery ecosystem. Attackers combined domain registration, website cloning, malware-as-a-service offerings, cryptocurrency-focused monetization, and social engineering into a streamlined business process. The operation demonstrates that cybercrime increasingly resembles a commercial industry where infrastructure, malware, hosting, traffic acquisition, and data monetization can all be purchased as services. The use of AI branding is particularly significant because it exploits trust, curiosity, and the rapid growth of emerging technologies. As AI adoption continues to accelerate, users will encounter more impersonation campaigns that look legitimate and operate professionally. In our view, AI vendors must invest more aggressively in brand protection, search visibility, and user education. Security awareness alone is no longer enough. Organizations should implement application allow-listing, endpoint monitoring, identity protection controls, and credential hygiene programs. The long-term lesson is clear: attackers are not simply targeting software users; they are targeting user behavior. The most effective defense will come from reducing opportunities for deception while strengthening technical controls that limit damage when social engineering inevitably succeeds.
