Weaponized ChatGPT Download Site Delivers Malware Via Sponsored Search Results
ID: 12a40d01-7150-5a6f-abc7-3db59bbf0e58
STIX ID: report--12a40d01-7150-5a6f-abc7-3db59bbf0e58
Feed Name: cybersecurityNews.com
A malvertising campaign impersonating ChatGPT distributes trojanized Windows and macOS installers via sponsored search ads and an OpenAI-branded fake site. Researchers identified the malicious domain (openew.*) resolving to 144.172.104.205 and provided SHA256 hashes for the Windows and macOS samples. Analysis shows an Inno Setup installer deploying an Electron-based app with an obfuscated winter.js payload, PowerShell staging (ExecutionPolicy Unrestricted), CAPTCHA gating to evade sandboxes, DNS over HTTPS (DoH) to blend C2 traffic with normal lookups, and persistence via a Chromium-style profile at %AppData%\Satoshi. Defenders should monitor for the provided IoCs, unexpected Electron applications, mismatched installer metadata and signatures, and the described process and network behaviors.
