Hackers Use Shared ChatGPT and Claude Links to Spread Malware

Manaal Khan · 30 May 2026 at 4:38 pm · 4 min read
Key Takeaways

Source: The Decoder
  • Attackers create shared ChatGPT and Claude chats that mimic official support pages to distribute malware
  • Security tools don't flag these links because they come from trusted domains like chatgpt.com and claude.ai
  • Victims find these malicious shared chats through paid search ads

Trusted Domains, Dangerous Content

Both ChatGPT and Claude let users share their conversations publicly through a simple URL. It's a useful feature for collaboration. It's also a security gap that attackers are now exploiting.

Security firm Push Security has documented a new attack technique they call 'LLMShare.' The premise is simple: create a shared chat on a trusted AI platform, fill it with malicious content disguised as legitimate help, and promote it through paid search ads.

When victims click these ads and land on chatgpt.com or claude.ai, they see a familiar interface. The URL looks legitimate. Their browser's security warnings stay silent. Why would anyone suspect a link to OpenAI or Anthropic's own domains?

How the Attacks Work

Push Security has identified several variations of this attack. The most common approach involves shared chats that mimic official outage notices or software installation guides.

One particularly clever variant abuses ChatGPT's code-rendering feature. Attackers build a full fake error page right inside a shared chat. The rendered code looks like an official error message, complete with a download button for an 'updated' desktop app. That app contains malware.

A shared Claude chat poses as a download guide for Claude Code but delivers malware instead.

On Claude, attackers take a different approach. Shared chats pose as Apple support walkthroughs. They include Terminal commands that users are instructed to copy and paste. Those commands install malware.

Both BleepingComputer and Kaspersky have documented similar campaigns, suggesting this technique is spreading among threat actors.

Why Security Tools Miss These Attacks

Traditional security tools rely heavily on domain reputation. Links to known malicious domains get blocked. Links to chatgpt.com and claude.ai pass through without scrutiny.

This creates a blind spot. The malicious content lives on the same domain as legitimate AI conversations. There's no file attachment to scan. No executable to flag. Just text, code snippets, and instructions that lead users to download malware from elsewhere.

The psychology works in the attackers' favor too. Users have been trained to trust content from major tech companies. A support guide on claude.ai feels official even when it isn't.

Known Indicators of Compromise

Push Security has published specific indicators that security teams can use to detect these attacks:

  • Malicious Claude share URL: hxxps://claude[.]ai/share/8e6401b5-4849-46c4-a3cb-29e1c3c49131
  • Malicious ChatGPT share URL: hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d
  • Malicious domain: openew[.]app
  • Malware SHA256: de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78

What Organizations Can Do

Blocking shared chat URLs entirely isn't practical for most organizations. Employees legitimately share AI conversations for work purposes.

A more targeted approach involves monitoring for shared chat links that arrive via paid search ads. If an employee lands on a ChatGPT or Claude share link from a Google ad, that's suspicious. Legitimate shared chats typically come through direct messages, emails from known contacts, or internal documentation.
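
One way to implement the referrer check described above, as an added example that is not from Push Security or this article: it scans constructed web-proxy events (JSON lines with hypothetical `user`, `url` and `referrer` fields) for share-link visits that carry an ad click ID or an ad-redirect referrer. The click-ID parameter names and ad referrer hosts are assumptions about how ad clicks appear in your telemetry.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Share-link paths as seen in the URLs on this page; /share/ on chatgpt.com is assumed.
SHARE_PATHS = {
    "chatgpt.com": re.compile(r"^/(s|share)/[\w-]+"),
    "claude.ai": re.compile(r"^/share/[\w-]+"),
}
# Assumed ad-click signals: ad click-ID parameters and ad-redirect referrer hosts.
AD_CLICK_PARAMS = {"gclid", "gbraid", "wbraid", "msclkid"}
AD_REFERRER_HOSTS = ("googleadservices.com", "doubleclick.net")

def host_of(url):
    host = (urlsplit(url or "").hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_share_link(url):
    pattern = SHARE_PATHS.get(host_of(url))
    return bool(pattern and pattern.match(urlsplit(url).path))

def ad_signals(url, referrer):
    """Return the ad-click evidence found in the landing URL and referrer."""
    signals = sorted(AD_CLICK_PARAMS & set(parse_qs(urlsplit(url).query)))
    ref = host_of(referrer)
    if any(ref == h or ref.endswith("." + h) for h in AD_REFERRER_HOSTS):
        signals.append("referrer:" + ref)
    return signals

def find_ad_driven_shares(log_lines):
    """Flag share-link visits that carry at least one ad-click signal."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        if is_share_link(event["url"]):
            signals = ad_signals(event["url"], event.get("referrer"))
            if signals:
                hits.append((event["user"], signals))
    return hits

# Constructed proxy events; users, IDs and click values are placeholders.
SAMPLE_LOG = [
    '{"user": "alice", "url": "https://claude.ai/share/00000000-0000-4000-8000-000000000001?gclid=PLACEHOLDER", "referrer": "https://www.google.com/"}',
    '{"user": "bob", "url": "https://chatgpt.com/s/cb_placeholder0001", "referrer": "https://www.googleadservices.com/pagead/aclk"}',
    '{"user": "carol", "url": "https://claude.ai/share/00000000-0000-4000-8000-000000000002", "referrer": "https://mail.example.com/"}',
    '{"user": "dave", "url": "https://chatgpt.com/?gclid=PLACEHOLDER", "referrer": "https://www.google.com/"}',
]

if __name__ == "__main__":
    for user, signals in find_ad_driven_shares(SAMPLE_LOG):
        print(user, signals)
```

Referrer headers are often trimmed to the origin, so the click-ID parameter on the landing URL tends to be the more reliable of the two signals.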

Security awareness training should also evolve. Employees need to understand that a trusted domain doesn't mean trusted content. Anyone can create a shared chat and put anything in it.

Frequently Asked Questions

Can I tell if a shared ChatGPT or Claude link is malicious?

Not easily. The links look identical to legitimate shared conversations. Be suspicious of any shared chat that asks you to download software, run Terminal commands, or enter credentials. Especially if you found it through a search ad.

Are OpenAI and Anthropic doing anything about this?

Neither company has announced specific countermeasures yet. The challenge is distinguishing between legitimate shared chats and malicious ones at scale, since the content itself determines the intent.

Should my company block shared AI chat links?

Blanket blocking isn't practical since shared chats have legitimate uses. Focus instead on monitoring how employees reach these links. Shared chats from search ads should raise red flags.

What malware is being distributed through these attacks?

Push Security has identified at least one specific malware sample (SHA256 hash provided in the article) linked to these campaigns. The malware typically arrives as a fake desktop app download.

Why don't antivirus tools catch these attacks?

The malicious instructions live on trusted domains that security tools don't block. The actual malware download happens separately, and by then the user has been socially engineered to trust the process.

Source: The Decoder / Matthias Bastian

Manaal Khan

Tech & Innovation Writer
