Key Takeaways

- Attackers create shared ChatGPT and Claude chats that mimic official support pages to distribute malware
- Security tools don't flag these links because they come from trusted domains like chatgpt.com and claude.ai
- Victims find these malicious shared chats through paid search ads
Trusted Domains, Dangerous Content
Both ChatGPT and Claude let users share their conversations publicly through a simple URL. It's a useful feature for collaboration. It's also a security gap that attackers are now exploiting.
Security firm Push Security has documented a new attack technique they call 'LLMShare.' The premise is simple: create a shared chat on a trusted AI platform, fill it with malicious content disguised as legitimate help, and promote it through paid search ads.
When victims click these ads and land on chatgpt.com or claude.ai, they see a familiar interface. The URL looks legitimate. Their browser's security warnings stay silent. Why would anyone suspect a link to OpenAI or Anthropic's own domains?
How the Attacks Work
Push Security has identified several variations of this attack. The most common approach involves shared chats that mimic official outage notices or software installation guides.
One particularly clever variant abuses ChatGPT's code-rendering feature. Attackers build a full fake error page right inside a shared chat. The rendered code looks like an official error message, complete with a download button for an 'updated' desktop app. That app contains malware.

On Claude, attackers take a different approach. Shared chats pose as Apple support walkthroughs. They include Terminal commands that users are instructed to copy and paste. Those commands install malware.
Both BleepingComputer and Kaspersky have documented similar campaigns, suggesting this technique is spreading among threat actors.
Why Security Tools Miss These Attacks
Traditional security tools rely heavily on domain reputation. Links to known malicious domains get blocked. Links to chatgpt.com and claude.ai pass through without scrutiny.
This creates a blind spot. The malicious content lives on the same domain as legitimate AI conversations. There's no file attachment to scan. No executable to flag. Just text, code snippets, and instructions that lead users to download malware from elsewhere.
The psychology works in the attackers' favor too. Users have been trained to trust content from major tech companies. A support guide on claude.ai feels official even when it isn't.
Known Indicators of Compromise
Push Security has published specific indicators that security teams can use to detect these attacks:
- Malicious Claude share URL: hxxps://claude[.]ai/share/8e6401b5-4849-46c4-a3cb-29e1c3c49131
- Malicious ChatGPT share URL: hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d
- Malicious domain: openew[.]app
- Malware SHA256: de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78
What Organizations Can Do
Blocking shared chat URLs entirely isn't practical for most organizations. Employees legitimately share AI conversations for work purposes.
A more targeted approach involves monitoring for shared chat links that arrive via paid search ads. If an employee lands on a ChatGPT or Claude share link from a Google ad, that's suspicious. Legitimate shared chats typically come through direct messages, emails from known contacts, or internal documentation.
Security awareness training should also evolve. Employees need to understand that a trusted domain doesn't mean trusted content. Anyone can create a shared chat and put anything in it.
Terminal commands and app downloads can impact system performance and security

Logicity's Take
Frequently Asked Questions
Can I tell if a shared ChatGPT or Claude link is malicious?
Not easily. The links look identical to legitimate shared conversations. Be suspicious of any shared chat that asks you to download software, run Terminal commands, or enter credentials. Especially if you found it through a search ad.
Are OpenAI and Anthropic doing anything about this?
Neither company has announced specific countermeasures yet. The challenge is distinguishing between legitimate shared chats and malicious ones at scale, since the content itself determines the intent.
Should my company block shared AI chat links?
Blanket blocking isn't practical since shared chats have legitimate uses. Focus instead on monitoring how employees reach these links. Shared chats from search ads should raise red flags.
What malware is being distributed through these attacks?
Push Security has identified at least one specific malware sample (SHA256 hash provided in the article) linked to these campaigns. The malware typically arrives as a fake desktop app download.
Why don't antivirus tools catch these attacks?
The malicious instructions live on trusted domains that security tools don't block. The actual malware download happens separately, and by then the user has been socially engineered to trust the process.
Need Help Implementing This?
Source: The Decoder / Matthias Bastian
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
More in AI & Machine Learning
Bezos AI Lab Gets $10B: What Project Prometheus Means
Jeff Bezos is closing a $10 billion funding round for Project Prometheus, an AI lab focused on physics-based AI for manufacturing and engineering. With a $38 billion valuation and backing from JPMorgan and BlackRock, this signals a major shift in enterprise AI investment toward industrial applications.

Kimi K2.6 Open-Weight AI: 300 Agents at a Fraction of the Cost
Moonshot AI's Kimi K2.6 matches GPT-5.4 and Claude Opus 4.6 on coding benchmarks while running 300 parallel agents. For businesses locked into expensive API contracts, this open-weight model could slash AI infrastructure costs while delivering enterprise-grade automation.





