Hackers are using ChatGPT, Claude, and DeepSeek brands to steal credentials and payment data

Threat actors are abusing trusted AI brands, including ChatGPT, Claude, DeepSeek, and Microsoft Copilot, in phishing, malvertising, and malware campaigns designed to steal credentials, credit card data, and authentication tokens.

The campaigns do not show that the AI services themselves were breached. Instead, attackers are using familiar names and logos as social engineering lures, according to a Microsoft Threat Intelligence report published on June 8, 2026.

Microsoft said the campaigns rely on older attack methods, including urgent account warnings, fake payment pages, malicious downloads, PDF lures, redirect chains, and fake verification screens. The difference is the branding. Attackers are now wrapping these methods in AI names that users recognize and trust.

AI brands are becoming phishing bait

AI tools have become part of daily work for many users and companies. That gives attackers a larger pool of targets who may respond quickly to account warnings, fake subscription notices, or download offers that appear to come from a popular AI platform.

Microsoft observed attacks that impersonated ChatGPT, Claude, DeepSeek, Microsoft Copilot, Flux Pro AI, and other AI-related brands. These campaigns used email, search results, GitHub repositories, malicious popups, and fake installers to push victims toward phishing pages or malware.

The same Microsoft security research also warned that attackers are using legitimate services in their redirect chains. This helps them hide malicious destinations behind trusted infrastructure and makes some links harder to detect at first glance.

Brand used as lure	Attack type	Main risk
ChatGPT	Fake subscription payment update	Credit card and personal data theft
Claude	Fake account appeal email with PDF attachment	Credential theft and access token theft
DeepSeek	Fake GitHub repository and installer	Vidar infostealer infection
Flux Pro AI-style lures	Malvertising and fake Windows plugin downloads	Malware delivery through signed executables

ChatGPT phishing emails targeted payment data

One ChatGPT-themed campaign detected on May 5, 2026 sent about 4,500 phishing emails, mostly to targets in South Africa. The email claimed that the recipient’s ChatGPT Plus subscription would be downgraded unless they updated their payment method within seven days.

The email used the ChatGPT name and logo and included an update button. However, the button did not lead directly to the phishing site. Victims first passed through a legitimate CRM service, an Amazon tracking domain, and a URL shortener before landing on a compromised website hosting a fake ChatGPT payment page.

The landing page first displayed a simple CAPTCHA-style step. It then collected the victim’s name, address, credit card number, expiration date, and card verification code across multiple pages.

• The email used payment urgency to pressure users into clicking.
• The redirect chain abused trusted services to reduce suspicion.
• The phishing page collected both personal and financial information.
• Microsoft also saw a broader version of the campaign sending up to 100,000 emails in one day.

Claude-themed phishing tried to steal account tokens

Another campaign ran from April 20 to April 22, 2026 and impersonated Anthropic’s Claude service. Microsoft said it targeted users across more than 2,000 organizations, mainly in the United States, the United Kingdom, and India.

The emails claimed that the recipient’s account had violated usage policies and required an appeal. The attackers used sender display names such as Anthropic Teams and Anthropic PBC, while the subject lines referenced a Claude appeal request.

The message included a PDF attachment named Fill and Sign Claude Appeal Form.pdf. The PDF directed users to an attacker-controlled domain, where fake verification screens and branded landing pages pushed victims toward a likely Microsoft sign-in page designed for adversary-in-the-middle token theft.

Campaign	Observed date	Targets	Observed goal
ChatGPT payment lure	May 5, 2026	Mostly South Africa	Steal credit card and personal data
Claude appeal lure	April 20 to 22, 2026	More than 2,000 organizations	Steal credentials and access tokens
Awesome AI Windows Plugin	At least early 2026	Global, mostly consumer endpoints	Deliver Vidar infostealer
Fake DeepSeek V4 installer	April 24, 2026 onward	Users searching for DeepSeek V4 downloads	Deliver Vidar through fake GitHub releases

Fake AI installers pushed Vidar malware

Microsoft also detailed AI-themed malvertising that used names such as Awesome AI Windows Plugin and Flux Pro AI to trick users into downloading malware. The activity is linked to Storm-3075, a malware distributor and initial access broker.

One campaign on March 13, 2026 targeted more than 66,000 devices. The attack likely began on free movie streaming sites, where users encountered popups promoting a fake AI Windows plugin for watching videos.

The downloaded file was named ProFluxeFlowAi-win-Setup.exe. Microsoft said the executable was hosted on GitHub and signed with a fraudulently obtained Microsoft-issued code-signing certificate connected to Fox Tempest, a malware-signing-as-a-service operation.

After launch, the malware displayed a Continue prompt before running its malicious code. Once the user clicked it, the executable dropped a Python-based downloader that fetched Vidar infostealer from attacker-controlled infrastructure.

DeepSeek search results led users to malware

Attackers also moved quickly after DeepSeek previewed its V4 model in April 2026. Microsoft found a fake GitHub organization named DeepSeek-V4 that hosted a fake repository and release assets designed to look convincing.

The repository used stolen DeepSeek branding, benchmark data, download-focused tags, and an llms.txt file designed for AI-assisted search discovery. Microsoft said search engines amplified the repository’s reach because DeepSeek had not published an official V4 GitHub repository.

The fake release page hosted 7z archives such as deepseek-v4-pro_x64.7z and deepseek-v4-flash_x64.7z. These archives contained a Windows executable that masqueraded as a DeepSeek installer and installed Vidar stealer.

• The fake DeepSeek repository accumulated 91 stars and 27 forks within four days.
• The attacker rotated archive hashes multiple times across three days.
• Search results helped expose users to the fake repository.
• The same loader hash also appeared in lures impersonating GPT-5.5, Claude Code, Kimi, Gemma, GrokCLI, and other AI-related names.

How organizations can reduce exposure

Organizations should treat AI-branded phishing as a normal part of the threat landscape, not a temporary trend. Attackers follow user attention, and AI tools now have enough brand recognition to make fake warnings and downloads look credible.

Microsoft recommends enforcing multifactor authentication on all accounts. The company’s MFA registration guidance says multifactor authentication adds a second layer of security to sign-ins by requiring more than a username and password.

Security teams should also use email and URL protection tools that scan links before and during clicks. Microsoft’s Safe Links documentation explains that Safe Links provides URL scanning and time-of-click verification for links in email, Microsoft Teams, and supported Office apps.

Defensive step	Why it helps
Require MFA for all users	Stolen passwords alone become less useful to attackers.
Use phishing-resistant MFA for privileged accounts	It reduces the risk of token and credential theft leading to admin compromise.
Scan URLs at click time	It helps block links that become malicious after delivery.
Block suspicious downloads	It reduces exposure to fake installers and infostealers.
Train users to verify AI account alerts directly	It helps users avoid fake payment, policy, and download notices.

Users should verify AI messages directly

Users should avoid clicking account warning links in unexpected emails, even when the branding looks real. The safest approach is to open the AI service directly in the browser or app and check billing, policy, or security alerts from the official account area.

Companies should also review logs for the indicators Microsoft published, including suspicious PDF attachments, attacker-controlled domains, Vidar-related hashes, and fake GitHub release URLs tied to AI-themed lures.

Browsers and endpoint protection can also help stop these attacks before a user reaches the final phishing page or downloads malware. Microsoft’s Defender SmartScreen documentation says SmartScreen helps identify reported phishing and malware websites and can warn users before they proceed.

• Do not download AI installers from random GitHub repositories or search ads.
• Do not trust urgent payment or account suspension emails without checking the official website.
• Report suspicious AI-branded emails to the security team.
• Review endpoints for unexpected Vidar detections or suspicious Python downloader activity.
• Rotate passwords and revoke sessions if credentials or tokens may have been entered on a fake page.

The main lesson is simple: attackers do not need to break into AI platforms to profit from their popularity. They only need users to trust a logo, click a link, and enter sensitive data on a convincing fake page.

Security teams should combine user training, multifactor authentication policies, link scanning through tools such as Microsoft Defender for Office 365 Safe Links, and browser protections such as Microsoft Defender SmartScreen to reduce the risk from AI-branded phishing and malware campaigns.

FAQ