A sophisticated fake website impersonating OpenAI’s official ChatGPT download page is actively infecting Windows and Mac users with dangerous malware. The site, openew[.]app, mimics the real download experience with identical branding and layout, tricking users searching for the desktop app.
The malicious site offers separate download buttons for Windows and macOS, making it appear legitimate. Windows users receive a fake installer that deploys a credential-stealing loader, while Mac users get Odyssey Stealer, a powerful fork of the Atomic Stealer (AMOS) malware family known for targeting cryptocurrency assets.
On Windows, the malware uses Inno Setup and Electron framework to blend in. It establishes a back channel to attacker servers, runs stealthy PowerShell commands, and steals passwords, browser data, and other sensitive information. The payload also sets up persistence mechanisms on the infected system.
The macOS version is more advanced. Odyssey Stealer uses AppleScript to harvest login passwords, browser cookies, Telegram sessions, and data from multiple cryptocurrency wallets. It scans for sensitive files and exfiltrates everything to a remote server after compression.
A particularly dangerous feature on Mac replaces legitimate Ledger and Trezor wallet apps with trojanized versions. Using captured passwords or direct deletion, the malware swaps real apps, allowing attackers to steal funds when victims next open their wallet software.
The operation shows clear economic targeting. The Windows payload is built cheaply from free tools, while the macOS stealer is rented for around $3,000 monthly in crypto. Operators believe Mac users are more likely to hold valuable digital assets worth the higher investment.
Attackers are increasingly exploiting AI tools because many users are downloading them for the first time and rely on search results. This creates perfect opportunities for fake sites, unlike established software with well-known official sources.
The fake domain uses a trusted .app extension with HTTPS, displaying the secure padlock icon. Traffic is driven through search ads, SEO poisoning, and social media sharing in AI communities.
If you installed ChatGPT from anywhere except OpenAI’s official page or Microsoft Store, take immediate action. Sign out of all accounts from a clean device, change passwords, rotate API keys, and move crypto funds. Reinstalling the operating system is strongly recommended.
This campaign highlights how attackers use AI hype for profit. By serving platform-specific malware from one convincing site, they maximize returns. As new AI products launch, similar threats are expected to rotate branding and continue exploiting unsuspecting users.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
