A deceptive website has emerged, masquerading as the official download page for OpenAI’s ChatGPT, and is luring unsuspecting visitors into a trap laden with malware. This counterfeit site, openew[.]app, closely resembles the authentic ChatGPT download experience, presenting seemingly legitimate desktop applications for both Windows and macOS. However, the reality is far more sinister: Windows users are met with a credential-stealing malware loader, while Mac users encounter Odyssey Stealer, a variant of the notorious Atomic Stealer (AMOS), known for its association with cryptocurrency theft.
The operation’s dual-platform approach is particularly noteworthy. When users click the Windows download link, they receive a fake installer that establishes a back channel to an attacker-controlled server. Conversely, the macOS button leads to malware that pilfers browser passwords, cookies, Telegram sessions, cryptocurrency wallets, and other sensitive files. Additionally, it attempts to replace legitimate wallet applications like Ledger and Trezor with compromised versions.
Those who download ChatGPT exclusively from OpenAI’s official page or the Microsoft Store remain safe from this threat. However, individuals who searched for “ChatGPT download” and clicked on an ad or an unfamiliar link may have inadvertently granted attackers access to their online accounts, browser sessions, saved passwords, and potentially their cryptocurrency assets.
Malwarebytes offers protection against this malicious software.
Technical Analysis
The domain openew[.]app cleverly mimics OpenAI’s genuine ChatGPT download interface. It employs a dark theme, OpenAI-style branding, familiar marketing language, and prominently displayed download buttons for both macOS and Windows.
Utilizing the .app top-level domain, which is managed by Google and mandates HTTPS connections, the site presents the reassuring padlock icon that users associate with legitimate websites, devoid of any obvious certificate warnings.
What stands out is the operation’s dual-platform setup. Authentic software vendors typically provide distinct installers for Windows and macOS, and this counterfeit site mirrors that approach effectively.
Clicking the Windows button downloads Chat_GPT.exe, while the macOS button retrieves a disk image, ChatGpt.dmg.
The Windows Malware
The Chat_GPT.exe file is constructed primarily from readily available components. The installer utilizes Inno Setup, a free open-source toolkit employed by numerous legitimate Windows applications. Inside, it contains an Electron application skeleton—the same framework used by popular apps like Slack and Discord—bundled with standard support libraries accessible from the Electron project.
When run, the installer drops files under %APPDATA%LeronApplication, launches EApp.exe, and starts PowerShell with flags that make it read its instructions from standard input rather than from a script file on disk, so file-based scanners have nothing to inspect. Behavioral telemetry captured HTTP traffic to 188[.]137[.]246[.]189, along with injection-like activity and persistence signals. At the time of analysis, nine of 69 antivirus engines flagged the file as malicious. The persistence signals point to behavioral tradecraft rather than proof of a durable installation, a familiar pattern for commodity stealer/dropper operations.
The macOS Malware: Odyssey Stealer (an AMOS Fork)
The macOS payload represents a more sophisticated tier of commodity malware. It is identified as Odyssey, a fork of the well-known AMOS, a malware-as-a-service platform documented since 2023.
The identification is straightforward. The sandboxed sample aligns with known Odyssey behavior patterns, which are inherited from its AMOS lineage: a lengthy AppleScript chain passed to the macOS scripting engine, a silent password validation attempt using macOS directory-service commands, and, if that silent check fails, a deceptive macOS-style prompt requesting the device password to proceed. Whatever the user types is validated with the same directory-service command, so the login password is captured in cleartext.
Following this, the malware executes a familiar playbook, copying the macOS keychain, harvesting cookies and saved logins from various browsers, and extracting Telegram session data. It also scans multiple cryptocurrency wallet directories and searches for files with specific extensions. The gathered data is then compressed and transmitted to a hardcoded server.
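Turning the Windows and macOS behaviors described above into a detection rule, as an added example that is not part of the original analysis: it triages constructed process-creation events (not real telemetry). It assumes the Windows loader's "specific flags" include PowerShell's documented `-Command -` form, which reads the script from standard input, and that the macOS directory-service check is `dscl . -authonly`; the osascript dialog text and the directory name below %APPDATA% are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed process-creation events (not real telemetry), generic EDR-style fields.
EVENTS = [
    # Windows: EApp.exe spawning PowerShell that reads its script from stdin
    # (directory name below %APPDATA% is constructed).
    {"host": "win-01",
     "parent": r"C:\Users\bob\AppData\Roaming\example-dir\EApp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command -"},
    # Benign: a script file run from Explorer.
    {"host": "win-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    # macOS: fake password prompt (dialog text constructed), then dscl authonly.
    {"host": "mac-07", "parent": "/Volumes/ChatGpt/ChatGpt.app/Contents/MacOS/ChatGpt",
     "image": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "Enter password" default answer "" with hidden answer\''},
    {"host": "mac-07", "parent": "/usr/bin/osascript", "image": "/usr/bin/dscl",
     "cmdline": "dscl . -authonly bob hunter2"},
    # Benign dscl use: a directory read with no credential on the command line.
    {"host": "mac-07", "parent": "/bin/zsh", "image": "/usr/bin/dscl",
     "cmdline": "dscl . -read /Users/bob UserShell"},
]

# PowerShell reads the script from stdin when -Command (or the argument list) ends in a bare "-".
PS_STDIN = re.compile(r"(?:-c(?:ommand)?\s+-|\s-)\s*$", re.IGNORECASE)
# authonly followed by two tokens: user name and cleartext password on the command line.
DSCL_AUTH = re.compile(r"-?authonly\s+\S+\s+\S+")

def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return per-host findings for the behaviors described in the analysis."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        img, cmd, parent = e["image"].lower(), e["cmdline"], e["parent"].lower()
        if img.endswith("powershell.exe") and PS_STDIN.search(cmd):
            why = "PowerShell reading commands from stdin"
            if "\\appdata\\" in parent:
                why += " (parent under %APPDATA%)"
            findings[e["host"]].append(why)
        elif img.endswith("osascript") and "display dialog" in cmd and "hidden answer" in cmd:
            findings[e["host"]].append("osascript password-style dialog")
        elif img.endswith("dscl") and DSCL_AUTH.search(cmd):
            findings[e["host"]].append("dscl authonly with inline credential")
    for items in findings.values():
        if any(i.startswith("osascript") for i in items) and any(i.startswith("dscl") for i in items):
            items.append("CHAIN: fake prompt followed by silent credential check (AMOS-style)")
    return dict(findings)
```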
The Wallet Replacement Feature is Especially Dangerous
Additionally, the macOS payload includes a particularly alarming feature. After the initial data theft, the script downloads trojanized versions of popular wallet applications from a second server, attempting to delete legitimate versions and replace them with the attackers’ versions. If the user’s password was previously captured, the script employs sudo to enforce the replacement. Otherwise, it resorts to a standard deletion attempt, which can succeed if the apps are installed in a user-writable location. Consequently, the next time the victim opens what seems to be their wallet software, they may inadvertently launch the attacker’s version.
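A defender-side integrity check for the wallet-replacement step, added here and not part of the original article or of any wallet vendor's tooling: it parses `codesign -dvv` output, compares the signing Team ID with a known-good value, and flags bundles that a plain delete could replace because they are user-writable. The Team IDs are placeholders to be taken from a known-good install; the bundle paths and the codesign output used in testing are constructed.

```python
import os
import subprocess
from typing import Dict, List

# Expected Apple Team IDs per wallet bundle. These are PLACEHOLDERS: record the
# real value from a known-good install (codesign -dvv prints TeamIdentifier=).
EXPECTED_TEAM_ID = {
    "/Applications/Ledger Live.app": "TEAMID_LEDGER_PLACEHOLDER",
    "/Applications/Trezor Suite.app": "TEAMID_TREZOR_PLACEHOLDER",
}

def parse_codesign(details: str) -> Dict[str, str]:
    """Parse the key=value lines that `codesign -dvv` writes to stderr.
    The first Authority= line is the leaf (signing) certificate; keep that one."""
    info: Dict[str, str] = {}
    for line in details.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() not in info:
            info[key.strip()] = value.strip()
    return info

def assess(app: str, details: str, verify_ok: bool, writable: bool) -> List[str]:
    """Return the problems found for one bundle; an empty list means it looks intact."""
    info = parse_codesign(details)
    problems: List[str] = []
    if not verify_ok:
        problems.append("signature does not verify (modified or unsigned bundle)")
    expected = EXPECTED_TEAM_ID.get(app)
    team = info.get("TeamIdentifier", "missing")
    if expected and team != expected:
        problems.append(f"TeamIdentifier {team!r} != expected {expected!r}")
    if not info.get("Authority", "").startswith("Developer ID Application:"):
        problems.append("leaf certificate is not a Developer ID Application cert")
    if writable:
        # The analysis notes a plain delete succeeds when the bundle is user-writable.
        problems.append("bundle is writable by the current user; replaceable without sudo")
    return problems

def check_app(app: str) -> List[str]:
    """Live check on a Mac: query codesign and the filesystem for one bundle."""
    details = subprocess.run(["codesign", "-dvv", app],
                             capture_output=True, text=True).stderr
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", app],
                            capture_output=True)
    return assess(app, details, verify.returncode == 0, os.access(app, os.W_OK))
```

Run `check_app` on each key of `EXPECTED_TEAM_ID` on a Mac; `assess` can be exercised offline with captured codesign output.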
What the Operation Cost to Build
The financial aspect of this operation reveals intriguing contrasts, particularly regarding the AI angle. The domain openew[.]app likely cost the operators around annually through a standard registrar. The requirement for HTTPS by default on the .app domain facilitates the presentation of a reassuring browser padlock, enhancing the site’s credibility.
The landing page itself is a mere replica of OpenAI’s genuine download page, easily produced by modern cloning tools within minutes. On the Windows side, most tools are either inexpensive or free. The overall setup for the Windows operation could plausibly be under 0.
In stark contrast, the macOS side incurs significantly higher costs. Renting Odyssey has been reported at approximately ,000 per month, paid in cryptocurrency. This price disparity indicates that the operators perceive a successful Mac infection as substantially more lucrative than a typical Windows infection, likely due to the targeted nature of cryptocurrency theft.
Why Attackers are Going After AI Brands
Established software typically has trusted download habits ingrained in users. However, AI tools are often new to users, leading them to rely on search results, ads, or social media to locate download pages. This creates an ideal environment for counterfeit sites.
In recent years, products like ChatGPT and others have rapidly evolved, resulting in waves of users searching for downloads without knowing the official URLs. This search traffic is precisely where attackers establish their presence.
Moreover, the simplicity of legitimate AI product pages—often featuring minimal design elements—means that counterfeit pages do not need to be overly sophisticated. The openew[.]app site aligns with user expectations, presenting familiar branding and a straightforward download button.
What enhances the durability of this operation is the ease with which it can rotate brands. When interest in one AI product wanes, the operators can simply adapt their infrastructure to the next trending AI offering, maintaining the same malware behind the scenes.
What AI Vendors Could Do
While major AI vendors like OpenAI already provide official download channels, challenges remain in visibility and user habits. Many users still resort to searching for “ChatGPT download,” leading to a mix of official links, unofficial mirrors, and malicious sites.
To combat this, AI vendors may need to adopt more aggressive brand-protection campaigns similar to those employed by large consumer brands and banks. Additionally, enhancing discoverability of official desktop-app links, which are often hidden in menus, could help mitigate the risks posed by counterfeit sites.
What to Do if You May Have Installed the Fake App
If you suspect you have installed software claiming to be ChatGPT from any source other than OpenAI’s official page or the Microsoft Store, consider taking the following steps from a clean device:
- Sign out of your important accounts using each service’s “sign out everywhere” option, including email, banking, cloud storage, and cryptocurrency exchanges.
- Change passwords, starting with your primary email account.
- Rotate any API keys, SSH keys, and cloud credentials stored on the affected machine.
- If you hold cryptocurrency, transfer funds immediately using a separate clean device, ensuring not to open any wallet applications on the compromised machine.
- Monitor bank accounts and payment cards for any suspicious activity.
- Reinstall the operating system, as the malware may have compromised sensitive information.
- If this was a work device, contact your IT or security team without delay.
Indicators of Compromise (IOCs)
File hashes (SHA-256)
- c9e0e6985dca3a179c9bdea4e7b38f7dc57fe00ecedc2fd634256fc53bf2de2d (Chat_GPT.exe)
- c0919e1999eaee67e67aeda0287722775afb04e9a9a0f727928b4d11265fb70b (ChatGpt.dmg)
Network indicators
- openew[.]app
- 188[.]137[.]246[.]189
- 192[.]253[.]248[.]181
- 172[.]94[.]9[.]250