AI brands as bait: How threat actors are using the AI hype in social engineering
Threat actors are exploiting the global interest in AI by impersonating popular AI platforms such as ChatGPT, Copilot, DeepSeek, and Claude in social engineering campaigns. These campaigns use phishing, malvertising, and SEO tactics to steal credentials, commit financial fraud, or distribute malware like the Vidar stealer. Notable activities include ChatGPT-themed phishing targeting South Africa, Claude-themed adversary-in-the-middle attacks, and fake AI plugin downloads spreading malware. The initial access broker Storm-3075 and malware-signing service Fox Tempest are involved in these operations. These attacks combine traditional social engineering with AI branding to increase effectiveness.
AI Analysis
Technical Summary
This threat involves multiple social engineering campaigns leveraging AI branding to deceive victims. Attackers impersonate well-known AI platforms to conduct phishing attacks that collect credit card data, adversary-in-the-middle attacks harvesting credentials and access tokens, and malvertising campaigns distributing malware such as Vidar stealer via fake AI plugins. Fraudulent installers for AI tools like DeepSeek V4 have been distributed on GitHub. The initial access broker Storm-3075 uses AI-themed malvertising, while Fox Tempest provides malware-signing-as-a-service to make payloads appear legitimate. These campaigns exploit the AI hype to increase victim trust and success rates in credential theft, financial fraud, and malware infection.
Potential Impact
The campaigns result in credential theft, financial fraud, and malware infections including the Vidar stealer. Victims may suffer unauthorized access to accounts, financial losses, and compromised systems. The use of AI branding increases the likelihood of successful social engineering, expanding the attack surface. Specific targeting includes regions such as South Africa for ChatGPT-themed phishing. The involvement of malware-signing services enhances the legitimacy of malicious payloads, complicating detection.
Mitigation Recommendations
Patch status is not applicable as this is a social engineering threat without a software vulnerability. Organizations should educate users about AI-themed phishing and malvertising campaigns and verify the authenticity of AI-related communications and downloads. Blocking known malicious domains and URLs listed in the indicators can reduce exposure. Monitor for suspicious activity related to credential theft and malware infections. No official fix or patch exists; mitigation relies on user awareness and network defenses.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/
- Adversary: Storm-3075
- Pulse Id: 6a2719a4165e6fddbfbf8f91
- Threat Score: null
Threat ID: 6a27d5108dd33fbd85ffcd1d
Added to database: 6/9/2026, 8:55:44 AM
Last enriched: 6/9/2026, 9:10:56 AM
Last updated: 6/9/2026, 3:00:24 PM