Published Jan 08, 2026 | Updated Apr 07, 2026

Trojan:JS/ChatGPTStealer.GVA!MTB

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Trojan:JS/ChatGPTStealer.GVA!MTB is a browser-based threat that targets user interactions with large language models. The malware is packaged inside Chromium extensions and steals conversational data from AI platforms such as ChatGPT and DeepSeek. Unlike traditional credential stealers, this threat collects the content of user prompts and AI responses, which can include proprietary source code and internal business information.

The threat actors distributed malicious extensions disguised as AI assistants, virtual private networks, and productivity sidebars. Several of these tools received the Featured badge on the Chrome Web Store, which made them look trustworthy and increased their visibility. The malware uses a delayed payload mechanism so that the malicious behavior is not present during automated store review. Once active, it reads page content from the Document Object Model (DOM) and in-memory browser state, then sends the stolen data through HTTPS POST requests to domains controlled by the threat actors. This shift from stealing credentials to stealing contextual intelligence represents a new kind of corporate espionage, where the details of a user's work become the main target.

  • Open the service worker management interface at chrome://serviceworker-internals/ or edge://serviceworker-internals/.
  • Search for extension identifiers such as fnmihdojmnkclgjpcoonokmkhjpjechg or eppiocemhmnlbhjplcgkofciiegomcon and click Unregister to stop the background service worker that performs the data harvesting.
  • Remove the extension through the standard browser extensions menu (chrome://extensions/ or edge://extensions/).
  • Manually delete any extension folders that match the malicious identifiers from the Extensions directory of every browser profile, for example C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ (check the Default profile and any other Profile N folders, and the equivalent C:\Users\[Username]\AppData\Local\Microsoft\Edge\User Data\ tree for Edge).
  • Clear all browser cache and local storage to delete locally staged exfiltration packets that have not yet been sent.
  • Inspect the Windows Registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome (and the matching HKEY_CURRENT_USER key) for entries such as ExtensionInstallForcelist that enforce installation of specific extensions, and remove any that reference the malicious identifiers; otherwise the browser will silently reinstall the extension. Run gpupdate /force in an administrative Command Prompt to refresh system policies and discard malicious overrides.
  • Use Microsoft Safety Scanner or other Microsoft recommended cleanup tools to find and remove hidden registry artifacts and persistent files.
  • Change all passwords used while the malicious extension was active, including credentials for AI platforms and corporate intranets.
  • Invalidate existing session tokens and enable multifactor authentication on all sensitive accounts.
  • Notify organizational risk management or legal teams if proprietary code, internal workflows, or personally identifiable information were shared with AI models during the infection period.
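The file-system and registry steps above can be carried out in one pass with the following PowerShell script. It is an added example written for this page, not a Microsoft tool: it walks every Chrome and Edge profile for the two extension identifiers listed above, checks the ExtensionInstallForcelist policy values in both HKLM and HKCU for Chrome and Edge, and, as an extra heuristic that is an assumption of this example rather than something the write-up states, flags any other installed extension whose manifest requests access to ChatGPT or DeepSeek hosts (or to all URLs) so that it can be reviewed by hand. Nothing is deleted unless -Remove is passed.

```powershell
# Added example (not Microsoft's tooling): audit Chrome/Edge profiles and the
# extension-policy registry keys for the IDs named in this write-up.
# Run from an elevated PowerShell session; pass -Remove to delete what is found.
[CmdletBinding()]
param([switch]$Remove)

# Extension IDs taken from the removal steps above.
$BadIds = @('fnmihdojmnkclgjpcoonokmkhjpjechg', 'eppiocemhmnlbhjplcgkofciiegomcon')

# Assumption (heuristic only): manifest entries that would let an extension read
# AI-chat pages. Matches are reported for manual review, never removed.
$ReviewPatterns = @('chatgpt.com', 'openai.com', 'deepseek.com', '<all_urls>')
$reviewRegex = ($ReviewPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

$UserDataRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)

# Chrome and Edge both honour ExtensionInstallForcelist under their policy keys.
# Each value is "<extension id>;<update url>", so the ID is the part before ';'.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

function Get-ManifestHosts([string]$ExtDir) {
    # Each installed version lives in <id>\<version>\manifest.json.
    $hosts = @()
    foreach ($m in Get-ChildItem -Path $ExtDir -Filter manifest.json -Recurse -ErrorAction SilentlyContinue) {
        try { $j = Get-Content -Raw -LiteralPath $m.FullName | ConvertFrom-Json } catch { continue }
        $hosts += @($j.host_permissions) + @($j.permissions)
        foreach ($cs in @($j.content_scripts)) { $hosts += @($cs.matches) }
    }
    return $hosts | Where-Object { $_ } | Select-Object -Unique
}

# 1. Walk every profile directory (Default, Profile 1, Profile 2, ...) of each browser.
foreach ($root in $UserDataRoots) {
    if (-not (Test-Path $root)) { continue }
    $profiles = Get-ChildItem -Path $root -Directory |
        Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') }
    foreach ($p in $profiles) {
        foreach ($ext in Get-ChildItem -Path (Join-Path $p.FullName 'Extensions') -Directory) {
            if ($BadIds -contains $ext.Name) {
                Write-Warning "Known malicious extension $($ext.Name) in $($p.FullName)"
                if ($Remove) { Remove-Item -LiteralPath $ext.FullName -Recurse -Force }
                continue
            }
            $hosts = Get-ManifestHosts $ext.FullName
            if ([bool]($hosts | Where-Object { $_ -match $reviewRegex })) {
                Write-Output "Review: $($ext.Name) in $($p.Name) requests $($hosts -join ', ')"
            }
        }
    }
}

# 2. Remove force-install policy values that would otherwise reinstall the extension.
foreach ($key in $PolicyKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $id = ([string]$item.GetValue($name) -split ';')[0]
        if ($BadIds -contains $id) {
            Write-Warning "Force-install policy for $id at $key (value name '$name')"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}

# 3. Refresh policy so a removed force-install entry does not linger in the applied set.
if ($Remove) { gpupdate /force | Out-Null }
```

Run it once without -Remove to see what it would touch, close the browser, then run it again with -Remove. Removing the policy value before the extension folder matters: if the folder goes first while the ExtensionInstallForcelist entry remains, the browser reinstalls the extension on next launch. The "Review:" lines are only a triage aid; an extension requesting <all_urls> is not malicious by itself, but it is the permission set a DOM-scraping stealer needs.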

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
