AI brands as bait: How threat actors are using the AI hype in social engineering
Essential information
- Published
- 08/06/2026 19:36
- Modified
- 09/06/2026 08:57
- Tags
- 2026-06-08 adversary-in-the-middle ai impersonation credential-theft ghostsocks github abuse hijack loader lumma stealer malvertising oyster phishing social engineering vidar vidar stealer
- Related entities
- 9 observables, 1 intrusion sets (apt), 20 techniques (mitre), 5 malware, 11 others
Description
Threat actors are increasingly leveraging the global interest in artificial intelligence by impersonating popular AI platforms such as ChatGPT, Copilot, DeepSeek, and Claude in social engineering campaigns. These operations span phishing attacks, malvertising, and search engine optimization-driven tactics that ultimately lead to credential theft, financial fraud, or malware infections. Observed campaigns include ChatGPT-themed phishing collecting credit card data targeting South Africa, Claude-themed adversary-in-the-middle attacks harvesting credentials and access tokens, malvertising campaigns distributing Vidar stealer through fake AI plugin downloads, and fraudulent DeepSeek V4 installers on GitHub. The initial access broker Storm-3075 has been identified employing AI-themed malvertising, while the financially motivated actor Fox Tempest provides malware-signing-as-a-service to enhance payload legitimacy. These campaigns combine traditional social engineering tactics with AI branding to improve success...