Fake AI brands push credential phish and Vidar stealer
Microsoft’s useful caveat matters because the campaigns abused brand trust while leaving the named AI services intact.
TL;DR
Microsoft Threat Intelligence says recent campaigns impersonated ChatGPT, Microsoft Copilot, DeepSeek and Anthropic’s Claude across phishing, malvertising and SEO-driven attacks, leading to credential theft, credit-card collection, fraud or malware. One ChatGPT-themed wave sent 4,500 emails, 97% to South Africa, while a broader campaign hit up to 100,000 emails in one day across Switzerland, Austria and South Africa. Higher education and professional services were among affected industries. The novelty sits in the bait; the mechanics are still urgency, trusted-service abuse and redirection chains.
Microsoft’s report is useful if it lands in the right drawer. It does not describe breaches of ChatGPT, Copilot, DeepSeek or Claude. It describes actors borrowing those names and logos to run familiar campaigns: credential pages, payment-card collection, malvertising, search engine optimization poisoning and malware delivery. For incident responders, the hunt starts in the initial-access channel rather than inside the AI platform.
The examples are operationally dull, which is the point. A ChatGPT Plus payment-update lure collected names, addresses and credit-card data; Microsoft says 4,500 messages in one run went mostly to South Africa, and a broader related campaign reached up to 100,000 messages in a day across Switzerland, Austria and South Africa. Other lures used Claude themes to collect credentials and access tokens, fake DeepSeek installers on GitHub to deliver Vidar Stealer, and malvertising for an Awesome AI Windows Plugin to do the same.
The compliance lesson is boring and expensive: brand training ages faster than policy. If users are encouraged to adopt AI tools, the help desk, email security team and identity team need playbooks for AI-brand impersonation, including payment-update phish, app-install lures, token theft and malicious repositories. Blocking one AI service may miss the attack pattern because the service is only the costume.
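One way to turn that playbook into a first-pass triage rule, as an added example that is not from Microsoft's report or this post: flag mail that borrows an AI brand name in the display name or subject while the sender domain or embedded links point somewhere other than the brand's own domains, then tag which lure type (payment update, app install, token or credential capture) the wording resembles. The brand-to-domain allowlist, the lure wording rules and the sample messages are all constructed assumptions for illustration; the allowlist should be replaced with the senders your tenant has actually verified.

```python
"""Triage exported mail metadata for AI-brand impersonation.

Added example: brand keywords, the domain allowlist, the lure wording rules
and the sample messages below are constructed for illustration and are not
from the Microsoft report. Tune BRAND_DOMAINS to your own verified senders.
"""
import re
from urllib.parse import urlparse

# Brand keyword -> registrable domains a defender treats as legitimate for it
# (assumption: illustrative allowlist, not an authoritative one).
BRAND_DOMAINS = {
    "chatgpt": {"openai.com", "chatgpt.com"},
    "openai": {"openai.com", "chatgpt.com"},
    "copilot": {"microsoft.com"},
    "deepseek": {"deepseek.com"},
    "claude": {"anthropic.com", "claude.ai"},
    "anthropic": {"anthropic.com", "claude.ai"},
}

# Lure types named in the post; a lure matches only if every pattern in its list hits.
LURE_RULES = {
    "payment-update": [r"\b(payment|billing|card)\b", r"\b(update|expir\w*|fail\w*|declin\w*)\b"],
    "app-install": [r"\b(download|install\w*|plugin|setup)\b"],
    "token-theft": [r"\b(api key|access token|credentials?|sign in|verify)\b"],
}
LURE_RULES = {name: [re.compile(p, re.I) for p in pats] for name, pats in LURE_RULES.items()}


def registrable_domain(host):
    """Collapse a hostname to its last two labels; good enough for this triage."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_mentioned(text):
    """Return the set of brand keywords that appear in the given text."""
    lowered = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in lowered}


def triage(msg):
    """Return findings for one message, or None when no brand is borrowed suspiciously.

    A message is flagged when it names an AI brand but its sender domain or any
    linked host falls outside that brand's allowlist; the costume, not the service,
    is what the rule keys on.
    """
    brands = brands_mentioned(msg["from_name"] + " " + msg["subject"])
    if not brands:
        return None
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    sender_domain = registrable_domain(msg["from_addr"].rsplit("@", 1)[-1])
    findings = {
        "brands": sorted(brands),
        "sender_mismatch": sender_domain not in allowed,
        "url_mismatch": [],
        "lures": [],
    }
    for url in msg.get("urls", []):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in allowed:
            findings["url_mismatch"].append(host)
    text = msg["subject"] + " " + msg.get("body", "")
    findings["lures"] = [name for name, pats in LURE_RULES.items()
                         if all(p.search(text) for p in pats)]
    if findings["sender_mismatch"] or findings["url_mismatch"]:
        return findings
    return None


def run_triage(messages):
    """Return (index, findings) for every flagged message, in order."""
    out = []
    for i, msg in enumerate(messages):
        findings = triage(msg)
        if findings:
            out.append((i, findings))
    return out


# Constructed sample records (not real mail): one payment-update lure from a
# lookalike domain, one legitimate notice, one install lure whose sender looks
# right but whose link leaves the brand's domain, and one unrelated message.
SAMPLE_MESSAGES = [
    {"from_name": "ChatGPT Plus Billing", "from_addr": "no-reply@chatgpt-billing-update.example",
     "subject": "Update your payment method to keep ChatGPT Plus",
     "body": "Your card on file has expired. Update payment details now.",
     "urls": ["https://chatgpt-billing-update.example/renew"]},
    {"from_name": "OpenAI", "from_addr": "noreply@openai.com",
     "subject": "Your monthly usage summary", "body": "Usage report attached.",
     "urls": ["https://platform.openai.com/usage"]},
    {"from_name": "DeepSeek Team", "from_addr": "team@deepseek.com",
     "subject": "Download the DeepSeek desktop installer", "body": "Install now from the repository.",
     "urls": ["https://github.example/releases/DeepSeekSetup.exe"]},
    {"from_name": "IT Helpdesk", "from_addr": "help@corp.example",
     "subject": "Printer maintenance", "body": "", "urls": []},
]

if __name__ == "__main__":
    for index, findings in run_triage(SAMPLE_MESSAGES):
        print(index, findings)
```

The third sample is the case the post warns about: the sender domain passes, so a rule that only checks "is this really from DeepSeek" stays quiet, while the link to an off-brand installer host still trips the URL check and gets tagged as an app-install lure.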
The named-actor detail is the escalation signal. Microsoft says the initial-access broker Storm-3075 used AI-themed malvertising to deliver payloads, including malware signed through a malware-signing-as-a-service offering attributed to Fox Tempest, for multiple downstream actors. The lure can sit at the front of a brokered access chain, which makes it a business email, identity and endpoint problem at the same time.
Published · Deep Fathom