
ChatGPT Share Links Now Deliver Malware via Fake Outage Pages

Manaal Khan · 30 May 2026 at 12:13 am · 5 min read

Key Takeaways

Source: BleepingComputer
  • Attackers are hosting fake outage notices on legitimate chatgpt.com URLs using the platform's share feature
  • The campaign uses Google ads to direct users searching for ChatGPT to malicious shared pages
  • Similar attacks have been observed abusing Claude Artifacts to deliver ClickFix-style lures

A new malware campaign exploits one of ChatGPT's most useful features to turn OpenAI's own domain into a delivery mechanism for malicious software. Security firm Push Security discovered the attack, which they've dubbed 'LLMShare,' and it represents a troubling evolution in how threat actors abuse trusted platforms.

The attack works by creating fake outage notices that appear on legitimate chatgpt.com URLs. Because the malicious content lives on OpenAI's own domain, traditional security tools that flag suspicious websites have a harder time catching it.

How the Attack Works

The campaign starts with sponsored Google ads. When users search for ChatGPT, they may click an advertisement that looks legitimate but directs them to a shared ChatGPT page at chatgpt.com/s/. Instead of a normal chat conversation, visitors see what appears to be an official outage notice.

[Image: Fake sponsored Google advertisement directing users to malicious ChatGPT share links]

The fake message reads: 'We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.'

This approach is clever for a specific reason. ChatGPT's sharing feature lets users publish rendered HTML and CSS content through prompts. The attackers created a custom HTML page that looks like an official OpenAI outage notice, then published it as a shared conversation. The result is a convincing fake page hosted on a domain users have every reason to trust.

[Image: The fake outage message displayed on a legitimate chatgpt.com URL]

Push Security noted that the page still includes ChatGPT's standard 'Show code' and 'Remix with ChatGPT' controls. Anyone who clicks these would see that the outage notice is actually rendered from custom HTML. Most users, however, won't think to check.

The Malware Payload

Clicking the download button takes users to openew[.]app, a site that impersonates OpenAI's desktop application portal. The site offers downloads for both macOS and Windows.

[Image: The fake ChatGPT download site at openew[.]app]

The attackers use cloaking to avoid detection. When security platforms like URLScan visit the URL, they see a harmless AR/VR company website instead of the fake download portal. Only targeted victims see the malicious content.

BleepingComputer tested the Windows version using Any.Run's sandbox environment. The malware executes commands to determine whether it's running on a real computer or a virtual machine, a common evasion technique. While the exact final payload remains unclear, similar campaigns have distributed infostealers.

Not Just ChatGPT

Push Security also observed attacks abusing Claude Artifacts, Anthropic's feature for sharing rendered applications and content. Those attacks used ClickFix-style lures that tricked users into executing malicious commands.

Earlier this year, threat actors used Google ads to direct users searching for Claude downloads to shared Claude conversations containing malicious installation instructions. The pattern is consistent: AI platforms with sharing features are being turned into trusted hosts for malicious content.

The exploitation of trusted domains like chatgpt.com turns a platform's greatest strength—its legitimacy—into an effective delivery vehicle for social engineering.

— Sarah Jenkins, Lead Security Analyst at Digital Guardian

Why Trusted Domains Matter

Traditional phishing relies on tricking users into visiting attacker-controlled domains. Security tools maintain blocklists of known malicious URLs, and savvy users learn to check the address bar before entering credentials or downloading files.

The LLMShare campaign bypasses both defenses. The malicious content lives on chatgpt.com, a domain with approximately 193 million daily active users. Security tools won't flag it. Users have no reason to suspect it.

The only red flag is the download itself. OpenAI does offer desktop applications, but users who navigate to them directly through openai.com rather than clicking ads would reach the legitimate download page.
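
Because domain reputation cannot flag chatgpt.com, a defender can instead correlate a share-page visit with an installer download from a non-OpenAI host shortly afterwards. The following is an added example, not code from Push Security, BleepingComputer, or this article; the log layout, 10-minute window, installer extensions, allowlist, and the use of `gclid` as an ad-click marker are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions (not from the article): log layout, window, extensions, allowlist.
OFFICIAL_SUFFIXES = ("openai.com",)   # the article names openai.com as the legitimate source
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg")
WINDOW = timedelta(minutes=10)

# Constructed sample proxy log, one request per line: "<ISO time> <client> <url>"
SAMPLE_LOG = """\
2026-05-29T09:00:05 10.0.0.7 https://chatgpt.com/s/EXAMPLE-SHARE-ID?gclid=abc
2026-05-29T09:01:40 10.0.0.7 https://download.example.test/ChatGPT-Setup.exe
2026-05-29T09:02:00 10.0.0.8 https://chatgpt.com/s/EXAMPLE-SHARE-ID
2026-05-29T09:30:00 10.0.0.8 https://files.example.test/tool.msi
2026-05-29T10:00:00 10.0.0.9 https://chatgpt.com/s/OTHER-ID
2026-05-29T10:02:00 10.0.0.9 https://openai.com/constructed/ChatGPT.dmg
"""

def is_share_page(url):
    """True for shared-conversation URLs of the form chatgpt.com/s/..."""
    u = urlsplit(url)
    return u.hostname == "chatgpt.com" and u.path.startswith("/s/")

def is_unofficial_installer(url):
    """True when the URL fetches an installer from a host outside the allowlist."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    official = any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)
    return u.path.lower().endswith(INSTALLER_EXTS) and not official

def find_suspicious_downloads(log_text):
    """Return one alert per installer download that follows a share page within WINDOW."""
    last_share = {}   # client -> (time of visit, share URL)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split(maxsplit=2)
        when = datetime.fromisoformat(ts)
        if is_share_page(url):
            last_share[client] = (when, url)
        elif is_unofficial_installer(url) and client in last_share:
            seen, share_url = last_share[client]
            if when - seen <= WINDOW:
                alerts.append({"client": client, "share": share_url, "download": url,
                               "from_ad": "gclid=" in share_url})  # ad-click marker (assumed)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_downloads(SAMPLE_LOG):
        print(alert)
```

On the constructed log only client 10.0.0.7 is flagged: 10.0.0.8 downloads outside the window, and 10.0.0.9 downloads from an allowlisted host.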

How to Protect Yourself

  • Navigate directly to openai.com or anthropic.com rather than clicking search ads
  • Be skeptical of outage notices that push you toward downloads
  • Check for 'Show code' or 'Remix' controls that indicate you're viewing a shared conversation, not an official page
  • Verify downloads by checking the domain in your browser's address bar before executing any files
  • Use endpoint protection that can detect malware even when downloaded from trusted sources
Frequently Asked Questions

Can ChatGPT share links spread malware?

Yes. The LLMShare campaign demonstrates that attackers can use ChatGPT's content-sharing feature to display fake outage notices on legitimate chatgpt.com URLs, then direct users to download malware.

How do I know if a ChatGPT page is fake?

Look for 'Show code' or 'Remix with ChatGPT' controls on the page. These indicate you're viewing a shared conversation that could contain user-created content, not an official OpenAI page.

Is the ChatGPT desktop app safe to download?

The official ChatGPT desktop app is safe, but only if downloaded directly from openai.com. Never download ChatGPT from links in search ads or shared conversations.

What malware does the LLMShare campaign install?

The exact payload is unclear, but the malware performs anti-analysis checks to detect virtual machines. Similar campaigns have distributed infostealers designed to harvest user credentials.

Are other AI platforms affected by this attack method?

Yes. Push Security observed similar attacks abusing Claude Artifacts to host ClickFix-style lures. Any AI platform with content-sharing features could potentially be exploited this way.


Manaal Khan

Tech & Innovation Writer
