ChatGPT share links abused to host fake outage pages delivering malware

At a glance:

• Threat actors exploit ChatGPT's LLMShare feature to serve fake outage pages that prompt malware downloads.
• The malicious pages are hosted on legitimate chatgpt.com shared links and advertised via Google Ads.
• Victims are redirected to openew.app, a clone of OpenAI’s desktop‑app portal, delivering Windows and macOS malware.

What happened

Threat actors have launched a campaign dubbed "LLMShare" that leverages OpenAI’s content‑sharing capability to trick users searching for ChatGPT. Push Security first reported the abuse, noting that Google advertisements now point directly to a shared URL on the official chatgpt.com domain (e.g., chatgpt.com/s/…). When a user clicks the ad, they are taken to a genuine‑looking ChatGPT shared page, but instead of a conversational interface the page displays a fabricated outage notice.

The counterfeit outage banner reads, “We’re experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.” The message is rendered using ChatGPT’s own HTML/CSS rendering engine, meaning the malicious page is served from a trusted OpenAI URL rather than a typical phishing host.

How the attack works

The attackers create a custom HTML page through a ChatGPT prompt, then publish it via the shared‑link feature (chatgpt.com/s/…). The rendered page includes the standard "Show code" and "Remix with ChatGPT" controls, which inadvertently reveal that the content originates from a user‑generated prompt rather than OpenAI staff.

When the visitor clicks the Download button, they are redirected to openew.app, a site that mimics OpenAI’s official desktop‑app download portal. The malicious site employs cloaking: security scanners such as URLScan see a harmless AR/VR company homepage, while targeted users see the malware download page. Both macOS and Windows installers are offered, each flagged by VirusTotal as malicious.

Payload and behavior

BleepingComputer sandboxed the Windows installer on Any.Run and observed a series of reconnaissance commands. The binary checks whether it is running on a real computer or a virtual machine, a common evasion technique. Although the exact payloads have not been publicly identified, earlier campaigns that abused AI‑platform sharing features have deployed infostealers capable of harvesting credentials and system information.

Prior abuse of AI sharing features

This is not the first time AI‑powered sharing mechanisms have been weaponized. Earlier in the year, threat actors bought Google Ads to direct users searching for Anthropic’s Claude downloads to shared Claude conversations that contained malicious installation instructions. Similar tactics have been observed with shared ChatGPT and Grok conversations, where attackers impersonated software‑installation guides and used ClickFix‑style lures to execute malicious commands on victim machines.

Push Security also reported abuse of Claude Artifacts, Anthropic’s feature for sharing rendered applications, to host lures that tricked users into running harmful scripts. These incidents illustrate a growing trend: attackers are exploiting the trust inherent in official AI‑platform URLs to bypass traditional security controls.

Detection and mitigation

Security teams should monitor for unusual traffic to chatgpt.com/s/ links, especially those originating from paid search campaigns. URL filtering solutions can be tuned to flag domains that host both legitimate AI content and suspicious download prompts. Endpoint protection should be configured to detect the known malware families associated with the openew.app installers, and sandbox analysis should be employed for any newly observed binaries.

OpenAI users are advised to verify download sources by navigating directly to the official OpenAI website rather than following links from ads or shared ChatGPT pages. The company has not yet issued a public statement, but the incident underscores the need for tighter vetting of third‑party content published through its sharing infrastructure.

What to watch next

Analysts expect that as AI‑generated content becomes more mainstream, similar abuse vectors will emerge across other platforms such as Microsoft’s Copilot and Google’s Gemini. Organizations should anticipate more sophisticated cloaking techniques and consider adopting zero‑trust web‑gateway policies that inspect the final rendered content rather than relying solely on URL reputation.

In the meantime, the security community continues to share indicators of compromise (IOCs) related to the LLMShare campaign, including the openew.app domain, the specific shared‑link patterns, and the malware hashes observed on VirusTotal. Prompt sharing of these IOCs will be critical to limiting the campaign’s reach.