How to remove malware disguised as ChatGPT from your operating system

Also Known As: ChatGPT virus
Type: Trojan
Damage level: Severe

What is ChatGPT malware?

"ChatGPT malware" refers to malicious content distributed under the guise of ChatGPT (Chat Generative Pre-trained Transformer) – a chatbot developed by OpenAI. Since its inception in the autumn of 2022, ChatGPT has reached extreme popularity. At the time of writing, its user base has grown over 100 million. It is particularly prevalent that any enormously popular product/service is swiftly taken advantage of by cyber criminals and scammers alike.

Although ChatGPT is only available online (chat.openai.com), numerous fake desktop clients and mobile apps imitating this chatbot have been discovered. A variety of harmful and malicious software has been proliferated using "ChatGPT" as a disguise.

Additionally, OpenAI has released ChatGPT Plus – a paid premium service. This has opened the avenue for cyber criminals to offer "cracked" versions and create fake payment websites that target victims' financial information.

It must be emphasized that this fraudulent and dangerous content is in no way associated with either the actual ChatGPT or OpenAI.

Fake ChatGPT website used to distribute malware

ChatGPT malware overview

At the time of writing, ChatGPT is exclusively an online tool – hence, there are no desktop or mobile applications available. However, over 50 "ChatGPT" apps have been discovered in the wild. Promoted on fraudulent ChatGPT/OpenAI Facebook pages, malicious websites, Google Play, and third-party Android stores – the applications include a variety of dubious and virulent content (e.g., adware, PUAs, trojans, etc.).

Fake ChatGPTs have been observed proliferating the following stealer-type malware for the Windows OS – Aurora, Lumma, and RedLine. There have also been instances where this fraudulent content distributed clipper-type malware (programs capable of replacing clipboard content). The bogus Android applications spread Toll Fraud malware and the SpyMax spyware.

To summarize, the presence of an illegitimate ChatGPT app on a device could result in encounters with questionable/malicious ads or redirects, browsing activity tracking, data loss, severe privacy issues, significant financial losses, and identity theft.

Furthermore, since the creation of ChatGPT Plus – a premium service based on a monthly subscription, cyber criminals have started promoting fake payment sites for this service. The sites (regardless of whether used to proliferate malware or collect sensitive data) can perfectly mimic the graphics used by ChatGPT's official website (chat.openai.com) and use typosquatting techniques to get the URLs as close to the original as possible.

The discovered phishing sites target users' credit card information (e.g., names, card numbers, expiration dates, CVVs, etc.), which can then be used by the scammers to make unauthorized online purchases or perform other credit card related fraud.

Due to the prevalence of fake ChatGPT content, we strongly recommend caution. Therefore, pay attention to URLs and enter them with care; do not trust offers that sound too good to be true, and do not download/install software promoted by suspicious sources.

Threat Summary:
Name ChatGPT virus
Threat Type Trojan, password-stealing virus, banking malware, spyware.
Related Domain VirusTotal Detections
openai-pc-pro[.]online, chat-gpt-pc[.]online, chatgpt-go[.]online, chatgptftw[.]com
Payload Aurora, Lumma, RedLine, SpyMax
Symptoms Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software 'cracks'.
Damage Stolen passwords and banking information, identity theft, the victim's computer added to a botnet.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner
To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Examples of legitimate content use for scam/malware promotion

Cyber criminals often employ the names, icons, and other content associated with legitimate products and services for nefarious purposes.

Some examples of this include: Zoom – videoconferencing software, Coinbase – cryptocurrency wallet, AVG AntiVirus – security software, Google Translate – online text translation service, PayPal – online money transferring service (fake account checker), and so forth.

Abusing genuine content in this manner is lucrative, as popular products/services are desirable and recognizable. Additionally, surface-level research on the potential victims' part would only lead them to sources confirming the legitimacy of the content.

How did I encounter fake ChatGPT content?

Malicious/Phishing sites have been observed being promoted by illegitimate Facebook pages masquerading as ChatGPT's official account. These pages may appear legitimate due to the amount of content and posts available on them. Furthermore, the malignant websites they endorse can closely mimic ChatGPT's official site's design and URL.

In addition to such websites, fake ChatGPT Android applications were discovered on the Google Play Store and various third-party app stores. While Google Play is a legitimate app distribution platform, it is not invulnerable to cyber abuse. The review teams can be swift in removing untrustworthy/malicious content, but this does not deter cyber criminals – since hosting their programs on genuine platforms, even for a short while, can be worth it.

It must be mentioned that fake ChatGPT sites and software can be endorsed using other methods as well. Deceptive/malicious webpages can also be accessed via spam mail, sites that use rogue advertising networks, mistyped URLs, spam browser notifications, intrusive ads, and through redirects caused by adware.

Unwanted software and malware are commonly spread via drive-by downloads, online scams, malicious attachments/links in spam mail (e.g., emails, DMs/PMs, SMSes, etc.), malvertising, dubious download channels (e.g., freeware and free file-hosting websites, Peer-to-Peer sharing networks, etc.), pirated programs and illegal activation ("cracking") tools, fake updaters, and bundled installers.

How to avoid installation of malware?

We highly recommend being careful when browsing since fraudulent and malicious online content usually appears legitimate and harmless. Pay attention to URLs and enter them with care; do not click untrusted links. Ignore or deny notification delivery requests from questionable websites, i.e., do not click "Allow", "Allow Notifications", or any similar options.

Another recommendation is to always research software by reading terms and expert/user reviews, checking necessary permissions and other conditions, verifying developer legitimacy, etc. Additionally, all downloads must be performed from official and trustworthy sources.

We advise activating and updating programs using only genuine functions/tools, as those acquired from third-parties can contain malware.

Approach incoming emails, DMs/PMs, SMSes, and other messages with caution. The attachments or links found in suspect/irrelevant mail must not be opened, as they can be infectious.

We must emphasize the importance of having a reputable anti-virus installed and kept up-to-date. Security software must be used to run regular system scans and to remove detected threats. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Fake ChatGPT Facebook page promoting deceptive/malicious websites (image source – Cyble):

Fake ChatGPT Facebook page promoting malware

Fake ChatGPT payment website used for phishing purposes:

Fake ChatGPT payment website used for phishing

Update June 29, 2023 – Since 2022, within the span of a year, more than one hundred thousand ChatGPT accounts have been hijacked via data-stealing malware. This activity has been noted across the globe; however, the Asia Pacific region has been the most targeted – with over forty thousand user accounts stolen.

The potential misuse of the compromised ChatGPT accounts can be varied, but cyber criminals are most likely targeting business-related information since the service has become popular in various industries and spheres. While disabling ChatGPT's ability to save conversations can minimize the potential risks, that does not offer protection against malware capable of keylogging or taking screenshots.

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

Malware process running in the Task Manager

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

manual malware removal step 1Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Autoruns application appearance

manual malware removal step 2Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Run Windows 7 or Windows XP in Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Run Windows 8 in Safe Mode with Networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Run Windows 10 in Safe Mode with Networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

manual malware removal step 3Extract the downloaded archive and run the Autoruns.exe file.

Extract Autoruns.zip archive and run Autoruns.exe application

manual malware removal step 4In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Refresh Autoruns application results

manual malware removal step 5Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

Delete malware in Autoruns

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Search for malware and delete it

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

What is "ChatGPT malware"?

"ChatGPT malware" refers to fake websites and software disguised as content related to the ChatGPT chatbot. This includes (but is not limited to) fake: social media accounts, payment webpages for premium ChatGPT services, desktop programs, Android apps, etc.

What is the purpose of fake ChatGPT content?

The unauthorized use of names, logos, and other content associated with ChatGPT – is employed to lure users into falling victim to scams. Cyber criminals usually aim to generate revenue at victims' expense. In the case of fake ChatGPT content, criminals may profit by tricking users into paying for bogus services, disclosing their financial information (e.g., credit card details, etc.), downloading/installing malware, and so on.

I have provided my personal information when tricked by a fake ChatGPT website, what should I do?

If you have provided personally identifiable or finance related information (e.g., ID card details, credit card numbers, etc.) – immediately contact the appropriate authorities. And if you believe that your online accounts are at risk – change the passwords of all possibly exposed accounts and inform their official support without delay.

What are the biggest issues that ChatGPT malware can cause?

The threats posed by an infection depend on the malware's abilities and the cyber criminals' goals. Fake ChatGPT content has been observed being used to proliferate the following Windows malware – Aurora, Lumma, RedLine, and clipper-type programs. The distributed Android malware includes Toll Fraud malware and SpyMax. However, this deceptive content may be used to spread other types of malicious software as well.

As previously mentioned, the dangers associated with an infection can vary. Generally, the presence of malware on a device may result in decreased system performance or failure, multiple system infections, data loss, serious privacy issues, hardware damage, financial losses, and identity theft.

How did I encounter fake ChatGPT content?

Fake ChatGPT websites have been noted being endorsed by likewise illegitimate ChatGPT Facebook accounts. Additionally, bogus ChatGPT mobile apps were detected on the Google Play Store and various third-party Android app stores. However, other promotional methods may also be in use.

Deceptive sites are often accessed via redirects caused by misspelled URLs, spam browser notifications, intrusive ads, webpages using rogue advertising networks, and installed adware.

While malware and other harmful software are primarily distributed through drive-by downloads, online scams, spam emails/messages, untrustworthy download sources (e.g., freeware and third-party sites, P2P sharing networks, etc.), illegal software activation tools ("cracks"), fake updates, and malvertising.

Will Combo Cleaner protect me from scams and remove malware from my computer?

Yes, Combo Cleaner is designed to protect computers from all manner of threats. It can detect and restrict further access to rogue, deceptive/scam, and malicious websites. It is also capable of removing unwanted and malicious software. Combo Cleaner can detect and eliminate nearly all known malware infections. Keep in mind that since sophisticated malware usually hides deep within computers – performing a full system scan is essential.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
ChatGPT virus QR code
Scan this QR code to have an easy access removal guide of ChatGPT virus on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

Download Combo Cleaner

Platform: Windows

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.