December 5, 2023

Researchers come with a warning about an infostealer mimicking a ChatGPT Windows desktop client that’s capable of stealing saved credentials from the Google Chrome login data folder.

There is no official desktop client of ChatGPT, but the version looks remarkably similar to what one would expect and is distributed via a zip archive carrying a file named ChatGPT for Windows Setup 1.0.0.exe.

During the installation process, the malware runs in the background and begins extracting Chrome login data using Havelock, a tool that extracts and decrypts accounts, cookies, and history from Chromium-based web browsers.


The fake ChatGPT client creates an AutoStart entry in the registry to ensure that the infostealer runs every time the infected machine starts up. It also has the ability to hide its console window and to extract web session cookies via sqlite3. Its many dependencies point to additional capabilities.

Attackers have lately been exploiting users’ desire for a ChatGPT desktop and mobile app to deliver different types of malware. This particular piece of malicious payload is similar to DUCKTAIL, which is used to hijack user accounts in Facebook

Users are advised to avoid downloading applications from untrusted or unauthorized sources. ChatGPT does not have an official desktop client or mobile app, which means that such claims or offers should be treated with caution.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.