Threat actors are using AI brands as bait in social engineering
TL;DR: A counterfeit DeepSeek V4 repo outranked the real source on GitHub, Bing, and Google within four days, then served the Vidar infostealer. A separate malvertising run pushed a fraudulently Microsoft-signed AI installer to 66,000 devices.
Microsoft revealed how threat actors are using AI brands as bait in social engineering.
They documented four real campaigns where attackers impersonated ChatGPT, Claude, DeepSeek, and other AI brands to steal credentials, payment data, and drop infostealers. The bait is the AI brand itself.
Highlights:
- Main delivery methods: phishing, malvertising, and search engine poisoning.
- ChatGPT payment phishing: fake emails warned that your ChatGPT Plus account would drop to the free plan unless you updated your payment method, then pushed victims through trusted redirect chains to a form that harvested full credit card details. One wave reached 100,000 inboxes across Switzerland, Austria, and South Africa.
- Claude phishing: emails posing as Anthropic sent fake Claude Appeal forms to more than 2,000 organizations. Cloudflare-gated redirects likely funneled victims to a Microsoft sign-in page for adversary-in-the-middle token theft.
- Search poisoning with a simple technique: a counterfeit DeepSeek V4 repo with SEO tags, an llms[.]txt file, and inflated stars and forks did the job. Within four days it ranked first on GitHub, Bing, and Google, above the official source, and delivered the Vidar infostealer.
- Flux Pro malvertising: a single-day campaign hit 66,000 devices with a fake Flux Pro AI installer signed with a fraudulent Microsoft certificate rented from the Fox Tempest signing service.
- One shared loader was seen impersonating GPT-5.5, Claude Code, Kimi, Manus AI, Gemma, GrokCLI, and FraudGPT. Microsoft calls it a larger rotating fake-AI ecosystem.
My take:
- The hype does the social engineering. People click links in ChatGPT- or Claude-branded phishing emails as AI has made those emails believable.
- AI-assisted search poisoning is spreading. Google flagged similar tactics earlier in its Common Crawl scan.
- The velocity of changes in the current AI era is an enabler. The attacker released the repo within hours of the V4 preview.
- CAPTCHA gating evades automated analysis and sandbox detonation.
Sources:
AI brands as bait: how threat actors are using the AI hype in social engineering (Microsoft)