How Threat Actors are Exploiting ChatGPT's Popularity to Spread Malware via Compromised Facebook Accounts Putting Over 500,000 People at Risk

CloudSEK's investigation has revealed the presence of 13 Facebook pages/accounts (totaling over 500K followers) that have been compromised and are being used to disseminate the malware via Facebook ads.
Bablu Kumar
Published on March 27, 2023

Researcher: Bablu Kumar


ChatGPT has gained significant attention lately, and for good reason. Its potential benefits and its ability to enhance work efficiency and effectiveness have piqued the interest of individuals across various sectors. Unfortunately, this heightened interest has also attracted threat actors who seek to exploit the hype and capitalize on the technology's popularity for their own gain.

CloudSEK has recently released a research paper that sheds light on the nefarious tactics employed by threat actors to hijack existing YouTube accounts. These tactics include leveraging previously compromised data, phishing techniques, and the use of stealer logs. This blog reveals that threat actors may have also infiltrated Facebook accounts and pages using the same methods. These compromised accounts and pages are being used to distribute malware through various channels, such as Trello boards, Google Drive, and individual websites, whose links are embedded in Facebook ads.

The ads are designed to appear legitimate, containing all the details necessary to convince unsuspecting users. The download link is accompanied by a password to lend further credibility to the scam. Furthermore, compromised accounts can also result in the theft of personally identifiable information (PII) and sensitive details such as payment information. Semrush, SMIT, Evoto, and OBS Studio are a few other brands whose websites are targeted in a similar manner.

Modus Operandi

Facebook is among the world's largest social networking platforms, with over 2.96 billion monthly active users. In our recent research, it has come to light that several potentially high-follower Facebook pages have been compromised and hijacked to spread malware at an unprecedented pace. It can be understood using this simple illustration.

Infection chain - compromised Facebook accounts spreading malware

After taking over a Facebook account or page, the threat actors modify the profile information to make it appear as if it is an authentic ChatGPT page. This involves using the username "ChatGPT OpenAI" and setting the ChatGPT image as the profile picture. These accounts are then used to run Facebook ads offering links to the "latest version of ChatGPT, GPT-V4" which, when downloaded, deploys stealer malware onto the victim's device. (For more information please refer to the Appendix section)


Information from OSINT

The circulated malware is capable of stealing sensitive information from the user's device, including but not limited to PII, system information, and credit card details. The malware also has replication capabilities, which make it easier to spread across systems by means of removable media.

Additionally, the malware can escalate privileges and has persistence mechanisms that enable it to remain on the system and gain further leverage. Upon running the malware through VirusTotal, it was found to be flagged "malicious" by 9 out of 61 security vendors.

Several security vendors flagged the binary as malicious

Analysis of the Compromised Facebook Accounts

Our investigation has revealed the presence of 13 Facebook pages/accounts (totaling over 500K followers) that have been compromised and are being used to disseminate the malware via Facebook ads. The oldest instance of such a hijacking, as identified by our researcher, dates back to 13 February 2023 and pertains to a page with over 23K followers. Furthermore, we have observed that the actors also targeted newly created accounts, some of which were as young as 0 days old. (Refer to the complete list of compromised accounts analyzed for more details)

Upon conducting a deeper analysis of the Facebook pages, we observed several noteworthy findings. Despite the original pages catering to diverse nationalities across various countries, a majority of the compromised Facebook accounts were being managed by individuals hailing from Vietnam, the Philippines, Brazil, Pakistan, and Mexico. Threat actors from Vietnam and the Philippines exhibited the highest incidence of compromised accounts among the aforementioned countries.

Another interesting observation arising from our analysis is the repeated use of a specific video (which was originally posted on this YouTuber's channel) to attract and engage the audience across the majority of the compromised accounts. This pattern suggests that this campaign, of deploying malware via Facebook ads, is most likely the activity of a distinct group of threat actors or an individual threat actor.

Repeated use of a particular video on the compromised Facebook pages

Hosting Malware on Legitimate Platforms

Our observations have led us to discover that threat actors are resorting to legitimate websites as hosts for malware. Some of the most common platforms exploited in this manner include Google Drive, Trello, and individual websites. This trend is not new, but it presents a significant challenge to the security community because it is often difficult to distinguish a legitimate site from the malicious content hosted on it.
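As an added example (not part of the CloudSEK report), the following triage heuristic scores an ad or post text for the lure pattern described above and in the Modus Operandi section: ChatGPT/OpenAI branding, a download link that does not go to the brand's own domain (especially one on Trello or Google Drive), and a password supplied alongside the link. The host lists, keywords and regular expressions are assumptions chosen for illustration, and the sample ad texts are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed lists (not from the report): brand terms the lure borrows, the brand's
# real domain, and the collaboration/file-sharing platforms named in the post.
IMPERSONATED_BRANDS = ("chatgpt", "openai", "gpt-4", "gpt-v4", "gpt4")
LEGIT_BRAND_HOSTS = ("openai.com",)
FILE_SHARING_HOSTS = ("trello.com", "drive.google.com", "docs.google.com")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# Matches "Password: 1234", "pass = abcd", "pw 2023": a password handed out with the link.
PASSWORD_RE = re.compile(r"\b(?:password|pass|pw)\b\s*[:=]?\s*\S+", re.IGNORECASE)


@dataclass
class AdVerdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def host_in(host: str, hosts: tuple) -> bool:
    """True if host equals or is a subdomain of an entry ('notopenai.com' must not match)."""
    return any(host == h or host.endswith("." + h) for h in hosts)


def triage_ad(text: str) -> AdVerdict:
    """Score an ad text: brand mention + off-brand download link + password with the link."""
    verdict = AdVerdict()
    mentions_brand = any(b in text.lower() for b in IMPERSONATED_BRANDS)
    urls = URL_RE.findall(text)
    for url in urls:
        host = host_of(url)
        if not mentions_brand or host_in(host, LEGIT_BRAND_HOSTS):
            continue  # no impersonation, or the link really goes to the brand's domain
        if host_in(host, FILE_SHARING_HOSTS):
            verdict.reasons.append(f"brand lure hosted on file-sharing platform: {host}")
        else:
            verdict.reasons.append(f"brand lure pointing at non-brand domain: {host}")
    if urls and PASSWORD_RE.search(text):
        verdict.reasons.append("download link accompanied by an archive password")
    verdict.score = len(verdict.reasons)
    return verdict
```

A score of 2 or more on a sponsored post is a reasonable trigger for manual review of the page running it.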

Frequent activities noticed on the Trello board used for hosting the malware

Information from Trello

A closer look at the Trello cards has yielded an intriguing finding that deserves attention. The status names that are being utilized, such as Cần làm (To do), Đang làm (Doing), and Đã xong (Done), are written in Vietnamese. This observation could provide valuable insights into the origins and motives of the threat actors who are leveraging Trello as a platform for disseminating malware.

The Trello account responsible for the distribution of the malware is registered under the name "Tony." This account has been active since March 15, 2023, with the most recent card update occurring on March 18, 2023. It is noteworthy that most of the Facebook ads in circulation contain a link to this Trello account, suggesting that the threat actors have been using this specific card to disseminate the malware.

(For more information please refer to the Appendix section)

The tables below contain details of the threat actors and the Trello cards used by them to disseminate malware.

Threat Actors' Trello Profiles

Malware-Distributing Domains

Information from Individual Websites

Our research uncovered at least 25 individual websites engaged in the nefarious practice of impersonating the official ChatGPT website. These malicious sites dupe individuals into downloading and installing harmful software, posing a severe risk to their security and privacy. (For more information please refer to the Appendix section)

Malicious Domains (Creation Dates)

  • 22 December 2022
  • 18 March 2023
  • 11 December 2022
  • 3 February 2023
  • 8 February 2023
  • 10 February 2023
  • 12 September 2014

Other Websites on Radar

During the course of our investigation, we discovered several counterfeit software applications, advertised alongside the malicious ChatGPT software, on the same Trello cards. These applications may currently be in use for various nefarious purposes, including but not limited to, fraudulent Facebook advertising. The list of targeted software* uncovered by CloudSEK includes the following:

  • Semrush: A platform for keyword research and online ranking data.
  • SMIT: A social media advertising tool for marketing experts.
  • Evoto: An AI photo editing software.
  • OBS Studio: A free and open-source screencasting and streaming app.
  • Photo editors.

*Note: All the compromised companies mentioned in the report are legitimate and are not responsible in any way for threat actors imitating or abusing them or their brand name. Additionally, some companies even have a disclaimer that explicitly warns users against sharing credit card details and other sensitive information.

List of Compromised Facebook Accounts Analyzed

Affected Facebook Accounts/Pages

Date of Compromise    Followers
13 February 2023      23,527
27 February 2023      37,307
6 March 2023          11,680
9 March 2023          33,084
13 March 2023         18,703
15 March 2023         123,000
16 March 2023         18,468
16 March 2023         26,000
18 March 2023         28,204
18 March 2023         214,170
18 March 2023         73
19 March 2023         0 (New Account)
19 March 2023         0 (New Account)

References & Attributions (Appendix)

  • Actors targeting OBS, Evoto, SMIT, and Semrush using malware
  • Threat actors using this well-known YouTuber to earn trust and facilitate this campaign
  • Updated details after compromising the accounts
  • Running Facebook ads via compromised Facebook accounts
  • Actors managing the Facebook pages
  • Vietnamese names present on the Trello board hosting the malware
  • Trello board hosting the malware
  • Websites impersonating
  • Threat actors changing the Facebook profile details and using OpenAI's logo
  • Several individuals flagged the page as a scam/malicious
  • Facebook page sharing malicious links
  • Trello download link in Facebook posts
  • Facebook accounts being managed by individuals (likely threat actors) from several countries
  • Facebook sponsored link referring to a fake ChatGPT website
  • Facebook sponsored link referring to ChatGPT malware
  • Multiple domains distributing ChatGPT malware
  • Facebook sponsored link referring to ChatGPT malware


Contributors to this Article

Bablu Kumar: Bablu is a technology writer and an analyst with a strong focus on all things cybersecurity.