Storm-3075 Uses ChatGPT and Claude Brands to Harvest Credentials

Microsoft identified Storm-3075 using ChatGPT, Claude, and DeepSeek brands in AiTM phishing that targeted over 2,000 organizations across the US, UK, and India.

    Microsoft Threat Intelligence published a report on June 8 exposing large-scale phishing and malvertising campaigns by threat actors Storm-3075 and Fox Tempest that exploit the brand identities of ChatGPT, Anthropic’s Claude, DeepSeek V4, Microsoft Copilot, and Flux Pro AI to steal credentials and payment card data. The campaigns do not represent any breach of the AI services themselves — Microsoft clarified that the attacks exploit brand recognition to deceive users, not vulnerabilities in the AI platforms.

    How Storm-3075 and Fox Tempest Weaponize AI Brand Trust for Credential and Card Harvesting

    Storm-3075 operates as an initial access broker and distributor, running campaigns that deliver phishing infrastructure and harvested credentials to downstream buyers. Fox Tempest functions as a malware-signing-as-a-service provider, enabling payloads to bypass signature-based defenses. Together, the two actors form a division-of-labor structure in which Storm-3075 handles victim delivery and Fox Tempest provides signing capabilities that increase the operational success rate of delivered malware.

    The campaigns impersonate AI brand login pages, subscription portals, and plugin repositories to extract credentials, browser cookies, credit card numbers, and personal details. Microsoft’s report found that the data types stolen span the full range of what a credential-harvesting campaign typically seeks — account access, payment information, and session tokens that can extend access beyond a single login event.

    ChatGPT and Claude Brand Abuse: Scale and Geographic Targeting of Storm-3075 Campaigns

    The ChatGPT-themed campaign distributed 4,500 phishing emails targeting South Africa and over 100,000 emails to recipients in Switzerland and Austria. The Claude-themed campaign targeted more than 2,000 organizations, with a geographic distribution heavily weighted toward the United States at 62%, the United Kingdom at 18%, and India at 9%. The difference in targeting patterns between the ChatGPT and Claude campaigns suggests Storm-3075 tailors its distribution lists by brand, potentially reflecting where each AI service’s user base concentrates.

    The Claude-themed campaign’s 2,000-plus organizational targets indicate enterprise-level targeting rather than purely individual consumer phishing. The unit of targeting in the Claude campaign is the organization, not the individual user, which may reflect Storm-3075’s assessment that enterprise credential sets carry higher downstream value than individual consumer logins.

    DeepSeek V4 Fake GitHub Repo Delivered Vidar Infostealer Within 45 Minutes of Model Preview

    Storm-3075’s speed-to-exploit capability is demonstrated by its DeepSeek V4 campaign. Within 45 minutes of DeepSeek’s public preview of the V4 model, threat actors created a fake GitHub repository impersonating DeepSeek’s official presence and used it to deliver the Vidar infostealer to users who downloaded what they believed was legitimate model-related software. The 45-minute window between announcement and weaponized fake repository illustrates the operational readiness these actors maintain to exploit AI product launches as social engineering opportunities.

    Vidar is a commodity infostealer that extracts browser credentials, session cookies, and locally stored payment card data. Its delivery through a fake GitHub repository targeting users interested in a newly announced AI model combines brand impersonation with a technically credible distribution channel — developer-oriented users are conditioned to source software from GitHub, making the deception difficult to distinguish from legitimate distribution at a glance.

    AiTM Techniques and CAPTCHA Evasion Enable Storm-3075 to Bypass MFA Protections

    The campaigns use adversary-in-the-middle credential harvesting, in which victims are routed through proxy infrastructure that captures credentials and session tokens in real time, allowing attackers to bypass multi-factor authentication by stealing active sessions rather than passwords alone. Multi-stage URL redirect chains route victims through legitimate-looking intermediary services before landing on harvesting pages, obscuring the malicious destination from both users and automated URL reputation systems.
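The session-theft pattern described above is what defenders look for in sign-in telemetry. The following is an added example, not code from Microsoft's report: it runs a simple AiTM heuristic over constructed sample events, flagging any session token that is presented from a different source IP shortly after the MFA-satisfied sign-in that issued it. Event field names, the window length and the sample records are all assumptions.

```python
from datetime import datetime

# Constructed sample sign-in telemetry (not taken from Microsoft's report).
# Each tuple: (UTC timestamp, user, session_id, source_ip, event), where
# "mfa_signin" is the interactive login at which MFA was satisfied and
# "session_use" is a later request presenting the same session token.
SAMPLE_EVENTS = [
    ("2025-06-08T09:00:00", "alice", "sess-A1", "203.0.113.10", "mfa_signin"),
    ("2025-06-08T09:00:30", "alice", "sess-A1", "203.0.113.10", "session_use"),
    ("2025-06-08T09:02:15", "alice", "sess-A1", "198.51.100.7", "session_use"),
    ("2025-06-08T10:00:00", "bob",   "sess-B7", "192.0.2.44",   "mfa_signin"),
    ("2025-06-08T10:05:00", "bob",   "sess-B7", "192.0.2.44",   "session_use"),
    ("2025-06-08T11:00:00", "carol", "sess-C3", "198.51.100.9", "mfa_signin"),
    ("2025-06-08T13:30:00", "carol", "sess-C3", "203.0.113.55", "session_use"),
]


def find_replayed_sessions(events, window_minutes=10):
    """Flag sessions whose token is presented from a source IP different from
    the one that completed the MFA sign-in, within window_minutes of that sign-in.

    Heuristic rationale: an AiTM proxy relays the victim's real login, so MFA
    succeeds normally, but the captured token is then replayed from attacker
    infrastructure rather than from the address that authenticated. The short
    window plus the IP change is the signal; an IP change hours later (e.g. a
    laptop moving networks) is outside the window and left to the caller.
    Returns {session_id: {"user", "signin_ip", "replay_ip", "minutes_after"}}.
    """
    signin_at = {}   # session_id -> (user, ip, timestamp of MFA sign-in)
    flagged = {}
    for ts, user, sid, ip, event in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event == "mfa_signin":
            signin_at[sid] = (user, ip, when)
            continue
        if event != "session_use" or sid not in signin_at or sid in flagged:
            continue
        s_user, s_ip, s_when = signin_at[sid]
        minutes = (when - s_when).total_seconds() / 60
        if ip != s_ip and minutes <= window_minutes:
            flagged[sid] = {"user": s_user, "signin_ip": s_ip,
                            "replay_ip": ip, "minutes_after": minutes}
    return flagged


if __name__ == "__main__":
    for sid, hit in find_replayed_sessions(SAMPLE_EVENTS).items():
        print(f"{sid}: {hit['user']} token used from {hit['replay_ip']} "
              f"{hit['minutes_after']:.1f} min after MFA sign-in from {hit['signin_ip']}")
```

Mobile carriers and VPN egress changes will also trip this rule, so in practice the hit is a triage signal to correlate with device and ASN data, not a verdict on its own.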

    Fake CAPTCHA challenges add a layer of perceived legitimacy to the harvesting pages — users who complete a CAPTCHA are less likely to question whether the subsequent login form is authentic, and CAPTCHA presence can impede some automated phishing detection systems that struggle with interactive page elements.

    The Awesome AI Plugin Campaign’s 66,000 Device Infections Across Storm-3075 Infrastructure

    An earlier campaign documented in Microsoft’s report — distributing a malicious browser extension called “Awesome AI” — infected 66,000 devices. The campaign abused legitimate browser extension distribution infrastructure to reach users seeking AI-related browser tools. Extension-based malware delivery grants persistent access to browser sessions, meaning infections persist across browsing activity rather than terminating after a single credential extraction event.

    Microsoft’s June 8 report connects these campaigns under the Storm-3075 and Fox Tempest operational umbrella, framing the abuse of AI brand identities as a systematic strategy — not isolated incidents — in which the credibility of widely adopted AI products is treated as a social engineering resource that threat actors monitor, exploit, and iterate on as new models and products are announced.
