Malware Groups Use Fake ChatGPT Tools To Target Businesses, Meta Report Finds

From writing malware to setting honey traps, the (mis)usage of ChatGPT comes full circle.


Hackers are making the most of the frenzy around AI tools like ChatGPT.

In particular: Meta has discovered malware disguised as fake ChatGPT browser extensions, according to its latest threat report published on Wednesday, 3 May.

  • Ten malware families have been detected since March 2023, the report said.

  • The malware is being used to compromise business accounts.

  • In response, Meta has blocked and flagged over 1,000 malicious links.

Why it matters: From writing malware to setting honey traps, the misuse of ChatGPT by hackers has come full circle. Meta's quarterly threat report further shows how the mere hype around AI can be weaponised by malicious groups.

This article is a part of 'AI Told You So', a special series by The Quint that explores how Artificial Intelligence is changing our present and how it stands to shape our future.

  1. TL;DR: What's Ducktail?

    Besides the ChatGPT malware campaign, Meta has also identified another threat to online businesses called Ducktail. The malware, attributed to Vietnamese operators, is spread through social engineering on LinkedIn, delivered via file-hosting services such as Dropbox and Mega, and goes after data stored in browsers including:

    • Google Chrome

    • Microsoft Edge

    • Brave

    • Firefox

    When Meta detected and terminated "stolen sessions," Ducktail operators began "automatically granting business admin permissions to requests for ad-related actions sent by attackers as an attempt to speed up their operations before we block them," the report said. 


The bait: "One of the campaigns we recently disrupted leveraged people’s interest in Open AI’s ChatGPT to lure them into installing malware," the report said.

  • The malicious extensions are hosted on the following platforms: Dropbox, Google Drive, Mega, MediaFire, Discord, Atlassian’s Trello, Microsoft OneDrive, and iCloud.

  • They are promoted using social media and sponsored search results.

  • And if Meta cracks down on them? "We’ve seen bad actors quickly pivot to other themes, including posing as Google Bard, TikTok marketing tools, pirated software and movies, and Windows utilities," the report added.


An example of malware hosted on a third-party website disguised as a ChatGPT download.

(Photo Courtesy: Meta Threat Report)

"Some of these campaigns, after we blocked malicious links to file-sharing and site hosting platforms, began targeting smaller services, such as Buy Me a Coffee – a service used by creators to accept support from their audiences – to host and deliver malware," Meta's threat report stated.

The switch: "To target businesses, malicious groups often first go after the personal accounts of people who manage or are connected to business pages and advertising accounts," the report said.

  • Once deployed, the malware looks for links between the compromised personal account and any business accounts or Pages that person manages.

  • "We often see threat actors attempt to use compromised accounts to add themselves as business admins to connected business Pages," the report added.

  • Ultimately, the aim is to run unauthorised ads through the hijacked business Pages and their advertising accounts.

  1. TL;DR: What's NodeStealer?


    An example of NodeStealer malware icons.

    (Photo Courtesy: Meta Threat Report)

    Meta's researchers also reported NodeStealer, a previously undocumented malware family attributed to Vietnamese threat actors. It steals browser cookies and saved usernames and passwords, giving the attacker access to the victim's Facebook, Gmail and Outlook accounts, the report said.

    • NodeStealer samples are typically disguised as innocuous-looking PDF or XLSX files.

    • Once executed, the malware, which runs on the Node.js JavaScript runtime, uses the Node.js auto-launch module to register itself to start automatically, so it keeps running after the victim restarts the machine, Meta said in its report.

    • It then decrypts data stored on browsers such as Chrome, Opera, Microsoft Edge, and Brave. "The malware specifically targets user credentials for Facebook, Gmail, and Outlook," the report said.

    • "The stolen information then enables the threat actor to assess and then use users’ advertising accounts to run unauthorized ads," it added.

    To mitigate the NodeStealer threat, Meta said it sent takedown requests to the third-party services the malware relied on, including the domain name registrar Namecheap. "We have not observed any new samples of malware in the NodeStealer family since February 27 of this year and continue monitoring for any potential future activity," it added.
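The persistence and lure details above (a Node.js runtime registered to start at logon, and executables dressed up as PDF or XLSX files) suggest two cheap host-side checks. The following Python is an added example, not code from Meta's report or from The Quint: it triages a constructed set of Windows Run-key entries, flags a Node.js runtime or .js script started from a user-writable directory, and flags double-extension document lures such as report.pdf.exe. The Run key named as the place the auto-launch module registers on Windows is an assumption (the report does not name it), and every entry name and path below is made up for illustration.

```python
"""Heuristic triage of Windows autorun entries for NodeStealer-style persistence.

Added example. The registry values below are constructed to resemble what a
Node.js-based stealer that persists through the npm 'auto-launch' module would
leave behind; they are not indicators from Meta's report. The Run key named
here is an assumption about where 'auto-launch' registers on Windows.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # assumed location

# Constructed sample: value name -> command line as stored under RUN_KEY.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "PDF Viewer": r'"C:\Users\alice\AppData\Roaming\PDFViewer\node.exe" "C:\Users\alice\AppData\Roaming\PDFViewer\index.js"',
    "Updater": r"C:\Users\alice\AppData\Local\Temp\Q1_Report.pdf.exe",
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}

# Locations an unprivileged user can write to: a script runtime launched from
# here at logon deserves a look, whereas system binaries under %windir% do not.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Desktop|Public)\\", re.IGNORECASE)
# A document-looking name that really ends in an executable extension.
DOUBLE_EXT = re.compile(r"\.(pdf|xlsx|xls|docx|doc)\.(exe|scr|com|bat|js)$", re.IGNORECASE)
NODE_BINARIES = {"node.exe", "node"}


@dataclass
class Finding:
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)


def split_command(cmdline: str) -> Tuple[str, str]:
    """Split a Run-key command line into (executable path, arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    exe, _, rest = cmdline.partition(" ")
    return exe, rest


def is_document_lure(filename: str) -> bool:
    """True for names such as Invoice.pdf.exe that mimic a document."""
    return DOUBLE_EXT.search(filename.rsplit("\\", 1)[-1]) is not None


def triage_entry(name: str, cmdline: str) -> Optional[Finding]:
    exe, args = split_command(cmdline)
    basename = exe.rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []
    # Persistence signal: a Node.js runtime, or a .js script handed to some
    # interpreter, registered to run at logon.
    if basename in NODE_BINARIES or re.search(r"\.js\b", args, re.IGNORECASE):
        reasons.append("node_runtime_in_autorun")
    # Lure signal: the autorun target itself is a double-extension file.
    if is_document_lure(basename):
        reasons.append("document_lure_double_extension")
    # Context: only added when something else is already suspicious, since
    # legitimate per-user installs (OneDrive, browsers) also live in AppData.
    if reasons and USER_WRITABLE.search(exe):
        reasons.append("launched_from_user_writable_path")
    return Finding(name, cmdline, reasons) if reasons else None


def triage_run_key(entries: Dict[str, str]) -> List[Finding]:
    """Return the suspicious entries from a {value_name: command_line} mapping."""
    return [f for f in (triage_entry(n, c) for n, c in entries.items()) if f]


if __name__ == "__main__":
    for finding in triage_run_key(SAMPLE_RUN_ENTRIES):
        print(f"{RUN_KEY}\\{finding.name}: {', '.join(finding.reasons)}")
        print(f"    {finding.command}")
```

On a live host the mapping would come from the Run keys under HKCU and HKLM plus the Startup folders. The name check is deliberately cheap: an operator who renames node.exe will slip past it, so treat the .js-argument and double-extension signals as the durable ones and follow any hit with a hash or signature check on the binary.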


Under the radar: Malware masquerading as ChatGPT productivity tools is hard to catch. According to the report, the campaigns evade automated ad review systems, and because the malware steals session cookies rather than just passwords, two-factor authentication on the victim's accounts does not stop the takeover.

"In fact, some of these extensions did include working ChatGPT functionality alongside malware, likely to avoid suspicion from official web stores," Meta's threat report notes.

Next moves: Beefing up security for businesses on its platforms, Meta said it would increase protection for sensitive accounts and allow businesses to audit "people’s access through a new active or inactive status filter." A malware removal support tool and Meta Work Accounts are also reportedly in the pipeline.
