Push Security — LLMShare Campaign Abuses ChatGPT Sharing to Deliver Malware

AI relevance: LLM sharing and artifact-rendering features let attackers host phishing pages on chatgpt.com and claude.ai domains, inheriting platform trust to bypass URL reputation checks and enterprise URL filters.

• Push Security disclosed the "LLMShare" campaign, which uses sponsored Google search ads for queries like "ChatGPT" and "ChatGPT desktop app" to drive victims to malicious shared ChatGPT pages.
• The shared pages render fake OpenAI outage notices — "We're experiencing high traffic right now. Our website is temporarily unavailable" — directing users to download a desktop app instead.
• The fake outage notice is rendered through ChatGPT's own HTML/CSS rendering pipeline from a shared chatgpt.com/s/ link, so the entire phishing page loads from a legitimate OpenAI domain.
• The download button on the fake outage page redirects to openew[.]app, a cloaked site that shows a harmless AR/VR company page to security scanners like URLScan but serves malware installers to targeted visitors.
• The campaign offers both macOS and Windows installers; the Windows binary runs VM-detection commands before executing its payload, indicating an infostealer or similar credential-harvesting malware.
• The same threat actors are also abusing Claude Artifacts to host ClickFix-style lures that trick users into pasting and executing malicious commands in their terminal.
• Earlier variants of this pattern targeted Claude downloads via shared Claude conversations with malicious installation instructions, and used shared Grok and ChatGPT conversations to impersonate software installation guides.
• The core abuse vector is structural: AI platforms' sharing features allow arbitrary rendered content to be hosted on their own domains, creating a trust-transfer problem that traditional URL reputation systems cannot detect.

Why it matters

Shared conversation links and rendered artifacts are now being used as a phishing hosting platform. Because the malicious content loads from chatgpt.com or claude.ai, it bypasses domain-based blocklists, enterprise URL filters, and user suspicion that would normally apply to unknown domains. Combined with paid search ads, this gives attackers a scalable, low-cost malware distribution channel.

What to do

• Security teams should consider chatgpt.com/s/ and claude.ai shared links as a potential phishing surface — domain reputation alone is insufficient.
• Users should verify download links against official vendor URLs (openai.com, anthropic.com) before installing any "desktop application."
• AI platforms need to implement content validation on shared pages, particularly pages that render custom HTML with external download links or redirect chains.
• Block or flag paid search ads directing users to shared LLM platform pages rather than official product download URLs.

Sources

• BleepingComputer — ChatGPT share links abused to host fake outage pages
• Neowin — Hackers are now using ChatGPT share links to deliver malware
• Push Security — LLMShare Malvertising Campaign