Inside the 2026 Phishing Wave: How Attackers Weaponized ChatGPT, Claude, DeepSeek, and Copilot Brands

• Scale and targets: An initial wave sent 4,500 emails to victims in South Africa. A larger, parallel campaign used the same infrastructure to send up to 100,000 emails in a single day to targets in Switzerland, Austria, and South Africa, focusing on organizations in higher education and professional services .
• Technique: The attack used a multi-stage redirection chain. Victims clicking the “update payment” link were routed through a legitimate CRM platform, an Amazon tracking domain, and a URL shortener before landing on a compromised e-commerce site that harvested personal information and full credit card details across multiple sequential pages .

2. Claude-Themed Adversary-in-the-Middle (AiTM) Attack (April 20–22, 2026)

This sophisticated credential-theft campaign impersonated Anthropic to bypass multi-factor authentication (MFA) .

• Scale and targets: The attack targeted over 2,000 organizations, with 62% of victims in the United States, 18% in the United Kingdom, and 9% in India. Financial services companies made up 8% of the targets .
• Technique: Victims received an email claiming a violation of acceptable use policies, with a PDF attachment named "Fill and Sign Claude Appeal Form.pdf" (SHA-256: 791efb...d40e) . The PDF led users through a Cloudflare verification prompt and a fake Claude-branded landing page to a counterfeit Microsoft sign-in page designed to intercept session tokens—a classic AiTM technique that circumvents MFA .

3. DeepSeek V4 Fake GitHub Repository and Infostealer (April 24, 2026)

This campaign demonstrated the speed at which threat actors can exploit AI hype to target a technical audience .

• Speed and scale: Within 45 minutes of DeepSeek previewing its V4 model, attackers created a fraudulent GitHub organization named "DeepSeek-V4," complete with authentic-looking stolen branding and accurate benchmark data . The repository accumulated 91 stars and ranked first on Bing for searches like "DeepSeek v4 weights github" within four days .
• Payload: The repository's hosted archives contained a loader that installed the Vidar infostealer, a tool designed to steal credentials, browser cookies, and cryptocurrency wallet data . Microsoft found the same loader hash was reused in files impersonating other trending AI tools including GPT-5.5, Claude Code, and Manus AI, showing a swappable-lure strategy .

4. Storm-3075 Malvertising Campaign With Fraudulent Code-Signing (March–May 2026)

Attributed to an initial access broker tracked as Storm-3075, this campaign used malicious advertisements to deploy signed malware on a massive scale .

• Scale and targets: On March 13, 2026, a single campaign run targeted over 66,000 devices via malicious popups on free movie streaming sites, promoting fake products like "Awesome AI Windows Plugin" and "Flux Pro AI" .
• Technique: The malware was distributed with a valid digital signature fraudulently obtained from Fox Tempest, a malware-signing-as-a-service operation. This made the executable appear legitimate to the operating system, bypassing standard trust checks . On May 19, 2026, Microsoft unsealed a legal case against Fox Tempest in the US District Court for the Southern District of New York, seizing its website and disabling hundreds of virtual machines running the service .

The Broader Ecosystem of AI-Themed Fraud

These four campaigns are not isolated incidents. They form part of a broader, adaptive ecosystem of AI-themed fraud that relies on a toolkit of sophisticated and reusable techniques:

• Multi-stage redirection: Attackers frequently route victims through legitimate services like CRMs, URL shorteners, and cloud platforms to evade automated detection before the final malicious payload is delivered .
• SEO poisoning and fake repositories: The DeepSeek campaign highlights a dangerous evolution in supply-chain attacks. Fraudulent GitHub repositories and pages are search-engine optimized to outrank legitimate sources, specifically targeting developers and researchers looking for model weights and code .
• Malware-signing-as-a-service: The legal action against Fox Tempest exposes a professionalized criminal infrastructure that provides fraudulently issued code-signing certificates to multiple actors, allowing unsigned malware to gain OS-level trust .
• Swappable lures: The reuse of a single loader binary, repackaged under the names of different AI models like GPT-5.5, Claude Code, Kimi, and Manus AI, shows attackers can instantly adapt their campaigns to whichever tool is generating the most public interest at any moment .

Why This Shift Matters

Microsoft assesses that AI-themed lures "reflect a shift in social engineering that is likely to persist as a long-term tactic used by threat actors, from cybercriminal groups to nation states" . This does not replace traditional phishing lures like fake invoices or delivery notifications. Rather, it creates a powerful new attack surface built on the enormous public trust and curiosity AI platforms have generated, a risk that many organizations' security awareness training has not yet fully addressed . The targeting of developers through the DeepSeek campaign is particularly concerning, as it points to a supply-chain risk that sits upstream of countless enterprise applications and internal tools built on these models .