OpenAI Tracks Phish, Malware Tooling, And Low-Reach Influence Campaigns

Analyzing how adversaries embed large language models into existing intrusion, fraud, and influence workflows, rather than gaining novel offensive capabilities, OpenAI released new findings on October 7, 2025. OpenAI says it has disrupted more than 40 networks since 2024 and continues to observe recurring patterns: multi-model usage, iterative obfuscation to mask AI-generated content, and attempts by authoritarian-linked users to design large-scale monitoring systems. In its overarching assessment, OpenAI reports that model refusals blocked overtly malicious prompts and that investigators “found no evidence of new tactics or that our models provided threat actors with novel offensive capabilities,” with most abuse attempts falling into a “gray zone” of dual-use code, translation, and drafting tasks. Still, the operational risk is non-trivial: adversaries used AI to speed phishing content creation, localize lures, troubleshoot commodity tooling, and standardize tradecraft across languages and time zones. Notably, OpenAI also highlights a defensive signal: in the scam space, users leveraged ChatGPT to identify fraudulent activity far more often than scammers used it to craft fraud, offering measurable net defender benefit according to OpenAI’s telemetry.

OpenAI’s first cyber case study profiles a Russian-speaking actor using multiple ChatGPT accounts to prototype post-exploitation components and credential theft aids while discussing activity in Telegram communities. According to OpenAI, requests sought low-level Windows guidance and “building-block” snippets that could be assembled off-platform into offensive workflows, including loader scaffolding, clipboard monitoring, and simple exfiltration helpers. To credit OpenAI’s specific findings: the actor asked about “Converting EXEs to position-independent shellcode; building in-memory loaders (VirtualAlloc/WriteProcessMemory/remote thread); language conversions for loader toolchains,” “Generating scripts and programmatic code likely designed to extract / decrypt browser credentials & cookies, parse wallet LevelDBs, monitor / replace clipboard contents, and exfiltrate via bot channels (Telegram),” and “Producing code and advice to assist with process discovery / termination, AV checks, command execution patterns likely used after access.” OpenAI disabled associated accounts and shared indicators, reiterating that the code fragments requested have widely available benign uses but can be repurposed by criminals once outside the platform’s guardrails. In parallel, OpenAI describes a Korean-language cluster—consistent with public reporting about DPRK-aligned tradecraft though not independently attributed—using the model during narrow work windows to draft phishing in Korean, experiment with browser credential access (DPAPI) workflows, and tinker with reflective loading and Windows API hooking, alongside macOS extension scaffolding; OpenAI again reports no evidence that binaries were produced by its models.

A third case study, “Phish and Scripts,” details Chinese-language operators whose targeting and themes overlapped with industry designations (e.g., UTA0388/UNK_DROPPITCH), including outreach to Taiwan’s semiconductor sector, U.S. academia, and civil-society communities. OpenAI observed multilingual lure drafting with micro-edits for tone and regional norms, plus iterative requests to debug lightweight C2 elements (keep-alive beacons, JSON tasking, WebSocket/HTTPS transport) and to add OPSEC touches such as header tweaks and basic obfuscation. The report maps these behaviors to post-compromise and reconnaissance categories and emphasizes that the model sped localization and glue-code iteration rather than unlocking advanced tradecraft. Beyond cyber operations, OpenAI says it disrupted organized scam networks likely based in Cambodia, Myanmar, and Nigeria that used the model to scale outreach (“ping-zing-sting” playbooks), generate fake expert personas, translate scripted WhatsApp group conversations, and even manage internal scam-center logistics. OpenAI notes adversarial adaptation here as well: scammers experimented with stylistic masking—such as removing em-dashes from outputs—to evade online tell-tales of AI-generated text, while takedowns prompted recycled narratives to explain platform bans.

The final case study covers covert influence operations, including a Russia-origin “Stop News” recidivist network and a China-origin campaign OpenAI dubs Operation “Nine—emdash Line.” OpenAI links the former to video-driven propaganda that used ChatGPT to storyboard scripts, translate into French, and produce SEO-tuned descriptions before handing prompts to external video models; despite the workflow’s sophistication, measured reach remained modest across X, YouTube, and TikTok. For “Nine—emdash Line,” OpenAI reports a small network generating English and Cantonese social posts attacking Philippine and Hong Kong pro-democracy figures and amplifying South China Sea narratives; operators also used the model to research niche forums, generate name lists for sockpuppets, and ideate growth tactics (e.g., hashtag challenges). OpenAI assesses both IO efforts as low-impact (Breakout Scale Category 2) with limited authentic engagement and easy-to-spot persona weaknesses, and notes that some PRC-linked individual users sought help drafting proposals for surveillance-style “listening” tools—reinforcing the risk of authoritarian abuses of AI. Across all case studies, OpenAI underscores that it banned implicated accounts, shared indicators with peers, and will continue tuning policy enforcement and detections as adversaries integrate AI incrementally into phishing, malware maintenance, scams, and influence campaigns.