ChatGPT-Powered Malware Attacking Cloud Platforms to Steal Login Credentials

Threat actors can potentially exploit ChatGPT to generate convincing phishing emails or deceptive content encouraging users to download malware. 

They may also use the model to obfuscate malicious code or to assist in social engineering attacks, making it more challenging for security systems to detect and prevent illicit activities.


Cybersecurity researchers at SentinelLabs recently identified ChatGPT-powered malware actively attacking cloud platforms to steal login credentials. The malware is an infostealer dubbed “Predator AI.”

Technical Analysis

Predator AI is promoted in hacking-related Telegram channels as a tool for web application attacks. It targets CMS and cloud email services such as AWS SES and, along with the AlienFox and Legion tools, shares code with the following modules:

  • Androxgh0st 
  • Greenbot

Predator is actively updated. In September 2023, a user requested a Twilio account checker from the developers, and it was delivered in 2 weeks.

Developer’s message

In October, a new version with Twilio features surfaced. The script starts with a copyright notice and an educational use disclaimer. The Predator infostealer is a Python application of more than 11,000 lines.

The script defines 13 global classes:

  • Predator
  • Settings
  • Utility
  • PumperSettings
  • FakeErrorBuilder
  • StealerBuilder
  • Translator
  • NetGun
  • CTkMessagebox
  • CTkListbox
  • ThemeMaker
  • GPTj
  • NetXplorer

Cloud Platforms Attacked

Hackers can exploit this script to target the following cloud platforms:

  • Drupal
  • Joomla
  • Laravel
  • Magento
  • OpenCart
  • osCommerce
  • PrestaShop
  • vBulletin
  • WordPress

The GPTj class’s ‘Predator AI’ chat interface reduces API use by attempting to handle each request locally first. It recognizes over 100 web and cloud hacking cases, handles data internally, and uses third-party services.

Moreover, it deals with AWS SES, Twilio, IP, and phone number data, only querying ChatGPT when needed. The GPTj class defines the following driving functions:

  • generate_text
  • Ai_Backend
  • aiRes
  • ChatEvent


Predator AI’s discovery marks an anticipated shift in hacking tools. With the rise of AI, security pros have wondered about AI’s role in threat actor operations. 

Some past projects like BlackMamba fell short of the hype, while Predator AI is a modest advancement, actively integrating AI into tools.

Predator AI’s integration offers only a limited advantage to attackers; it is also unadvertised, potentially unstable, and costly.

Cybersecurity analysts at SentinelLabs made the following recommendations:

  • Be sure to secure systems with all the latest available security updates.
  • Always keep internet access limited.
  • Ensure proper implementation of CSPM (Cloud Security Posture Management).
  • Monitor for anomalous behaviors.
  • Monitor for anomalous behaviors.

Indicators of Compromise

SHA-1 Hash

  • 88d40f86eefee5112515b73cce2d2badb7f49ffd – Predator Python script

Hardcoded Strings

  • “jSDSgnditikunggobloktolol” – hardcoded AWS account name string
  • “titid” – hardcoded username in AWS GPT functionality
  • “Adminn” – hardcoded username in AWS GPT functionality
  • “Predator123” – hardcoded password from the Settings class
  • “admainkontolpaslodsajijsd21334#1ejeg2shehhe” – hardcoded password for ‘Kontolz’ user account
  • arn:aws:iam::320406895696:user/Kontolz – example ARN for Kontolz user
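
One way to put the indicators above to work, as an added example that is not from SentinelLabs or the original article: a Python check that looks for the listed SHA-1 and hardcoded strings in file contents and flags CloudTrail IAM events naming the listed users. The choice of IAM event names and the assumption that these usernames would surface in userName request parameters are mine; the sample records are constructed.

```python
import hashlib

# IoCs copied from the "Indicators of Compromise" section of this page.
PREDATOR_SHA1 = "88d40f86eefee5112515b73cce2d2badb7f49ffd"
IOC_STRINGS = (b"jSDSgnditikunggobloktolol", b"Predator123",
               b"admainkontolpaslodsajijsd21334#1ejeg2shehhe")
# IAM user names are not case-sensitive, so they are stored and compared lower-cased.
IOC_USERNAMES = {"titid", "adminn", "kontolz"}
# Assumption: IAM user-management calls worth checking; each can carry a userName.
IAM_USER_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey",
                   "AttachUserPolicy"}

def scan_bytes(data: bytes) -> list:
    """Return the page's file-level IoCs found in a file's contents."""
    hits = []
    if hashlib.sha1(data).hexdigest() == PREDATOR_SHA1:
        hits.append("sha1:" + PREDATOR_SHA1)
    hits += ["string:" + s.decode() for s in IOC_STRINGS if s in data]
    return hits

def scan_cloudtrail(records: list) -> list:
    """Flag IAM user-management events whose userName matches an IoC name."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "iam.amazonaws.com"
                or rec.get("eventName") not in IAM_USER_EVENTS):
            continue
        # requestParameters can be null, and CreateAccessKey may omit userName.
        user = (rec.get("requestParameters") or {}).get("userName") or ""
        if user.lower() in IOC_USERNAMES:
            findings.append((rec.get("eventTime"), rec["eventName"], user,
                             rec.get("sourceIPAddress")))
    return findings

# Constructed sample records (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_RECORDS = [
    {"eventTime": "2023-11-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "Kontolz"}},
    {"eventTime": "2023-11-01T10:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.20", "requestParameters": {"userName": "ci-deploy"}},
    {"eventTime": "2023-11-01T10:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "adminn"}},
    {"eventTime": "2023-11-01T10:07:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.20", "requestParameters": None},
]

if __name__ == "__main__":
    print(scan_cloudtrail(SAMPLE_RECORDS))
    print(scan_bytes(b'password = "Predator123"'))
```

A username match alone is a lead to triage rather than proof of compromise, since names such as “Adminn” could occur legitimately.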

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.