BatLoader campaign impersonates ChatGPT and Midjourney to deliver Redline Stealer

Researchers identified an ongoing BatLoader campaign that relies on Google Search Ads to steer victims to rogue web pages impersonating ChatGPT and Midjourney.

In early May, researchers at eSentire Threat Response Unit (TRU) spotted an ongoing BatLoader campaign using Google Search Ads to redirect victims to imposter web pages for AI-based services like ChatGPT and Midjourney.

The rogue pages are designed to promote fake desktop apps for popular AI services that have no official standalone client.

In the campaign observed by the researchers, the threat actors deliver BatLoader as MSIX Windows App Installer packages, which in turn drop the Redline Stealer. In February 2023, eSentire had already reported another BatLoader campaign targeting users searching for AI tools.

“Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord). This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps.” reads the analysis published by eSentire.

Users searching on Google for “chatbpt” were redirected to an imposter download page for ChatGPT hosted on hxxps://pcmartusa[.]com/gpt/. 

Visitors are tricked into downloading a fake Windows ChatGPT app: the download button on the landing page actually redirects them to a BatLoader payload site.

The installer is downloaded from job-lionserver[.]site as Chat-GPT-x64.msix, an MSIX package digitally signed by ASHANA GLOBAL LTD.

The final package was built with Advanced Installer version 20.2 under a professional license; artifacts in the package indicate a Russian-speaking author.

Upon opening the package in Advanced Installer, the experts found that, when launched, the application executes both an executable (ChatGPT.exe) and a PowerShell script (Chat.ps1).

During installation the package fetches the RedLine Stealer from a remote server and executes it.
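Because an MSIX is just a zip container, the two entry points above can be enumerated without installing the package. The Python below is an added example, not eSentire's tooling or anything shipped by the attackers: it reads AppxManifest.xml for the declared application executables, reads the Package Support Framework (PSF) config.json that installer builders use to run a script at launch, and lists any interpreter scripts bundled in the archive. The sample package it builds in memory is constructed for the example and only mirrors the layout the article describes (a ChatGPT.exe plus a Chat.ps1, publisher ASHANA GLOBAL LTD); it is not the real Chat-GPT-x64.msix, and the PSF config layout and the PsfLauncher entry point are assumptions about how such packages are typically assembled.

```python
"""Static triage of an MSIX package: enumerate what runs at launch.

Added example, not eSentire's tooling. An MSIX is a zip container; its
entry points are declared in AppxManifest.xml, and packages built with the
Package Support Framework (PSF) can declare launch-time scripts in config.json.
The sample package below is constructed in memory and only mirrors the layout
the article describes (ChatGPT.exe plus Chat.ps1); it is not the real
Chat-GPT-x64.msix, and the PSF config layout is an assumption.
"""
import io
import json
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}
SCRIPT_EXT = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def build_sample_msix() -> bytes:
    """Constructed sample package (assumption: Advanced Installer + PSF layout)."""
    manifest = (
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="ChatGPT" Publisher="CN=ASHANA GLOBAL LTD" '
        'Version="1.0.0.0" ProcessorArchitecture="x64"/>'
        '<Applications>'
        '<Application Id="ChatGPT" Executable="PsfLauncher64.exe" '
        'EntryPoint="Windows.FullTrustApplication"/>'
        '</Applications>'
        '</Package>'
    )
    # Assumed PSF layout: the launcher starts Chat.ps1, then ChatGPT.exe.
    psf_config = {"applications": [{
        "id": "ChatGPT",
        "executable": "ChatGPT.exe",
        "startScript": {"scriptPath": "Chat.ps1",
                        "scriptExecutionMode": "-ExecutionPolicy Bypass"},
    }]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("config.json", json.dumps(psf_config))
        z.writestr("PsfLauncher64.exe", b"MZ")   # placeholder bytes, not a real PE
        z.writestr("ChatGPT.exe", b"MZ")         # placeholder bytes, not a real PE
        z.writestr("Chat.ps1", "# placeholder script body")
        z.writestr("AppxSignature.p7x", b"")     # presence only; not a valid signature
    return buf.getvalue()


def triage_msix(package: bytes) -> dict:
    """Return the package's publisher, declared entry points and bundled scripts."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read("AppxManifest.xml"))
        identity = root.find("m:Identity", NS)
        apps = [(a.get("Id"), a.get("Executable"))
                for a in root.findall("m:Applications/m:Application", NS)]
        psf_scripts = []
        if "config.json" in names:
            cfg = json.loads(z.read("config.json"))
            for app in cfg.get("applications", []):
                for key in ("startScript", "endScript"):
                    script = app.get(key)
                    if script:
                        psf_scripts.append((app.get("id"), key,
                                            script.get("scriptPath"),
                                            script.get("scriptExecutionMode", "")))
    report = {
        "publisher": identity.get("Publisher") if identity is not None else None,
        "has_signature": "AppxSignature.p7x" in names,
        "applications": apps,
        "scripts_in_package": [n for n in names if n.lower().endswith(SCRIPT_EXT)],
        "psf_scripts": psf_scripts,
    }
    flags = []
    if any(exe and exe.lower().startswith("psflauncher") for _, exe in apps):
        flags.append("entry point is the PSF launcher; real target is in config.json")
    if report["scripts_in_package"]:
        flags.append("package bundles interpreter scripts")
    if any("bypass" in mode.lower() for *_, mode in psf_scripts):
        flags.append("PSF script is launched with ExecutionPolicy Bypass")
    report["flags"] = flags
    return report


if __name__ == "__main__":
    for key, value in triage_msix(build_sample_msix()).items():
        print(f"{key}: {value}")
```

To run it against a real download, pass `open(path, "rb").read()` to `triage_msix`. Two caveats: `has_signature` only records that a signature blob is present, so validate it on Windows with `Get-AuthenticodeSignature` and compare the certificate subject with the manifest's Identity Publisher; and a valid signature from a real company, as the ASHANA GLOBAL LTD certificate in this campaign shows, is not evidence that the package is benign. A manifest whose entry point is a PSF launcher plus a bundled .ps1 is the pattern worth pulling apart before anyone installs it.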

“This Redline sample is configured to connect to IP 185.161.248[.]81 using the Bot ID “ChatGPT_Mid”, a reference to the two lures used in this campaign (ChatGPT and MidJourney).” continues the analysis.

Examining ChatGPT.exe, TRU observed that the executable uses Microsoft Edge WebView2 to open a pop-up window after installation.

The executable is a decoy: the pop-up embeds the real ChatGPT web page in a WebView2 browser window, so the victim believes a legitimate application has been installed. The experts have yet to determine whether the executable has any other functionality.

The experts also detailed a separate case, observed in May 2023, that used the same infection scheme to advertise a rogue page for Midjourney. In that case, visitors downloaded Midjourney-x64.msix, a Windows application package likewise signed by ASHANA GLOBAL LTD.

“Generative AI technologies and chatbots have exploded in popularity in 2023. Unfortunately, as system administrators seek ways to control access to these platforms, users may seek out alternative ways to gain access.” concludes the report. “Threat actors have been keen to exploit the popularity of these tools, promising unrestrictive access. Our telemetry shows Google Search Ads abuse (explained here) peaked in popularity in Q4 2022 and early 2023. The success rate has diminished, suggesting Google has tamped down on abuse of their ad service. However, this recent campaign shows malicious ads can still slip by moderators and deliver victims malware.”


Pierluigi Paganini

(SecurityAffairs – hacking, ChatGPT)
