Fake ChatGPT Download Site Is Infecting Windows PCs With Password-Stealing Malware

York Computer Repair

Security researchers at Malwarebytes have flagged a convincing fake website impersonating OpenAI's ChatGPT download page that is infecting Windows visitors with malware built to steal passwords, browser data, cryptocurrency wallets, and other sensitive information. The fake site, openew[.]app, looks nearly identical to OpenAI's real download experience — and if you searched for "ChatGPT download" on Google in the last few weeks and clicked an unfamiliar result, your PC may already be compromised.

What the fake site does to a Windows PC

The dual-platform setup is what makes the operation notable. Clicking the Windows download delivers a fake installer that opens a back channel to an attacker-controlled server, while the Mac version drops a separate password- and crypto-stealing payload. On the Windows side, researchers observed PowerShell command-and-control behavior — meaning the malware uses a tool already built into Windows to quietly talk to the attackers and pull down further instructions.

The danger here is broad. If you searched for "ChatGPT download" and clicked an ad or unfamiliar result, you may have given attackers access to your online accounts, browser sessions, saved passwords, and potentially your cryptocurrency holdings. Once that kind of stealer is on the machine, it can quietly export everything saved in Chrome, Edge, or Firefox — banking logins, email passwords, social media sessions — within minutes of being installed. If you suspect an infection, getting a professional to scan and clean the system is far safer than guessing whether you got it all.

Why this campaign is working

The attackers aren't exploiting a Windows bug — they're exploiting search habits. Most major AI vendors, including OpenAI, already provide official download channels. The problem is visibility and user habit. Many users still search for "ChatGPT download," where results can include official links, unofficial mirrors, and outright malicious sites.

And this isn't an isolated case. A separate report from Help Net Security on May 27 found that attackers are hosting counterfeit installers and plugins on GitHub and SourceForge that pose as widely used software, including ChatGPT, Claude, AutoTune, Kontakt, Ableton Live, and ZENOLOGY. The downloads deliver a backdoor called DinDoor, which then loads a remote access Trojan built on the Deno JavaScript runtime. Compromised YouTube channels push victims toward the malicious repositories. The videos promoting the fake tools have accumulated more than 50,000 views. In other words, fake AI installers are now being pushed through search ads, YouTube tutorials, and even legitimate-looking developer sites — not just shady forums.

How to tell if you were hit — and what to do

If you only download ChatGPT from OpenAI's official download page or the Microsoft Store, you were not the target here. If you're not sure where your copy came from, check the publisher in Windows Settings > Apps > Installed apps. Anything claiming to be ChatGPT that wasn't published by OpenAI should be uninstalled immediately.
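The same publisher check can be run from Windows PowerShell instead of clicking through Settings. This is an added example, not part of the original article or of Malwarebytes' report; the name pattern and the "OpenAI" publisher match are assumptions, and the script only reads and reports.

```powershell
# Added example: list installed apps whose name mentions ChatGPT and show
# where they came from. Read-only; nothing is uninstalled or changed.
$namePattern       = 'ChatGPT'
$expectedPublisher = 'OpenAI'   # assumption: a genuine entry's Publisher contains "OpenAI"

# Classic (Win32) installers register themselves under these Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$results = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $namePattern } |
        ForEach-Object {
            [pscustomobject]@{
                Source    = 'Installer'
                Name      = $_.DisplayName
                Publisher = $_.Publisher
                Location  = $_.InstallLocation
                Review    = if ($_.Publisher -match $expectedPublisher) { 'publisher field says OpenAI' }
                            else { 'CHECK: unexpected or missing publisher' }
            }
        }

    # Microsoft Store (MSIX) packages for the current user. SignatureKind is
    # 'Store' only when the package was delivered and signed through the Store.
    Get-AppxPackage -Name "*$namePattern*" |
        ForEach-Object {
            [pscustomobject]@{
                Source    = 'Appx'
                Name      = $_.Name
                Publisher = $_.Publisher
                Location  = $_.InstallLocation
                Review    = if ($_.SignatureKind -eq 'Store') { 'Store-signed package' }
                            else { "CHECK: not from the Store ($($_.SignatureKind))" }
            }
        }
)

if ($results.Count -eq 0) { "No installed app matching '$namePattern' was found." }
else { $results | Format-Table -AutoSize -Wrap }
```

The Publisher value under the Uninstall keys is written by the installer itself, so a match is not proof of origin; a `CHECK` row is the signal to act on.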

If you suspect you ran the fake installer, Malwarebytes' recommendation is blunt: Reinstall the operating system. The Windows sample showed PowerShell command-and-control behavior, while the macOS payload may have captured the user's login password. A clean reinstall is the safest recovery path. Before wiping, change every important password from a different, known-clean device — email first, then banking, then everything saved in your browser. If you have irreplaceable files on the PC and aren't sure they're safe to copy off, a shop can pull them through a write-blocker as part of a drive recovery before the reinstall. If the machine has been sluggish, crashing, or showing strange pop-ups since the install, those are also classic signs the PC needs hands-on diagnosis.

Simple rules to avoid the next one

Download desktop software only from the vendor's own site — type the address in directly rather than clicking a search ad. For ChatGPT specifically, that means openai.com or the Microsoft Store, nothing else. Be skeptical of YouTube tutorials that tell you to paste a command into PowerShell or the Run box; that's the same trick behind the ClickFix campaigns hitting Windows users right now. And keep real-time antivirus turned on — Windows Security (built into Windows 11) is fine for most home users, as long as it's actually running and up to date.

What This Means for York, PA

If you're in York County and you (or a family member) installed anything claiming to be ChatGPT from a search result or YouTube link in the last few weeks, bring the PC into York Computer Repair at 2069 Carlisle Rd — we can scan it, confirm whether the stealer ran, and rescue your files before a clean reinstall. Walk-ins welcome Monday-Friday 9-5, or call 717-739-9675.
