Malware Delivered via ChatGPT Links in New Cyber Attack Campaign

Severity: High (Score: 64.5)

Sources: Philiphall, Bleepingcomputer, www.virustotal.com, Neowin, pushsecurity.com

Published: 2026-05-29 · Updated: 2026-05-29

Keywords: chatgpt, malware, pages, host, fake, outage, feature

Severity indicators: malware, outage

Summary

Threat actors are exploiting ChatGPT's content-sharing feature to deliver malware through a campaign dubbed 'LLMShare.' This attack involves creating fake outage pages on the legitimate chatgpt.com domain, tricking users into downloading malicious software disguised as the ChatGPT desktop application. Google ads are used to lure victims searching for ChatGPT, leading them to these fraudulent pages. Once on the site, users see a fake message about high traffic and are prompted to download the malware. The malicious downloads target both Windows and macOS systems, with the Windows version executing commands to check for security software. The attackers utilize cloaking techniques to hide the true nature of the site from automated security tools. The campaign highlights a significant risk associated with the misuse of AI platform features for malicious purposes.

Key Points:

  • Threat actors exploit ChatGPT's sharing feature to host fake outage pages.
  • Malware is delivered through Google ads targeting ChatGPT-related searches.
  • The campaign uses cloaking techniques to evade detection by security tools.

Detailed Analysis

**Impact** Users searching for ChatGPT-related downloads globally are targeted, with both Windows and macOS platforms affected. The campaign risks credential theft and sensitive data compromise via infostealer malware such as Odyssey Stealer. Business operations may be disrupted by malware infections, particularly for organizations relying on OpenAI services or employees seeking ChatGPT desktop applications. No specific sector or geographic concentration beyond general internet users was reported.

**Technical Details** The attack abuses ChatGPT’s content-sharing feature to host fake outage pages on legitimate chatgpt.com URLs, delivered via Google Ads targeting ChatGPT-related search terms. Victims are redirected to openew[.]app, a cloaked site impersonating OpenAI’s desktop app download portal, distributing malware that performs environment checks to evade sandbox detection. Payloads include infostealers for Windows and macOS, with reconnaissance and execution phases observed. No CVEs or zero-days were mentioned. Indicators include URLs with chatgpt.com/s/ links and the domain openew[.]app.

**Recommended Response** Block and monitor access to openew[.]app and suspicious chatgpt.com/s/ URLs using web filtering and firewall rules despite domain legitimacy. Educate users to avoid downloading software from unofficial sources and verify official OpenAI channels. Deploy endpoint detection for infostealer behaviors and sandbox evasion techniques. Monitor Google Ads for malicious campaigns targeting ChatGPT-related keywords. No patches are available; focus on detection and user awareness.
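The monitoring step above can be run over web proxy logs. The following is an added example, not code from any of the cited sources: it flags requests to openew[.]app and raises the severity when the same client opened a chatgpt.com/s/ share link shortly before. The log layout, the 10-minute window, the sample lines and the use of Google's `gclid` click parameter as an ad-arrival signal are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the page; the window is an assumed tuning value.
BLOCKED_DOMAINS = {"openew.app"}
SHARE_HOST, SHARE_PREFIX = "chatgpt.com", "/s/"
WINDOW = timedelta(minutes=10)

# Constructed sample proxy log (assumed layout): ISO time, client IP, URL.
SAMPLE_LOG = """\
2026-05-29T09:00:05 10.0.0.7 https://chatgpt.com/s/EXAMPLE1?gclid=abc
2026-05-29T09:01:40 10.0.0.7 https://openew.app/download
2026-05-29T09:02:00 10.0.0.8 https://chatgpt.com/s/EXAMPLE2
2026-05-29T09:30:00 10.0.0.9 https://dl.openew.app/setup
2026-05-29T09:31:00 10.0.0.8 https://notopenew.app/
"""

def host_matches(host, domain):
    """True for the domain or any subdomain, never for look-alike suffixes."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def analyze(log_text):
    """Return (severity, client, url, reason) findings in log order."""
    findings, last_share = [], {}
    for line in log_text.splitlines():
        ts, client, url = line.split()
        when = datetime.fromisoformat(ts)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host_matches(host, SHARE_HOST) and parts.path.startswith(SHARE_PREFIX):
            # Remember the visit so a later blocked-domain hit can be chained.
            last_share[client] = when
            if "gclid" in parse_qs(parts.query):
                findings.append(("review", client, url,
                                 "share link reached via ad click"))
        elif any(host_matches(host, d) for d in BLOCKED_DOMAINS):
            seen = last_share.get(client)
            chained = seen is not None and when - seen <= WINDOW
            findings.append(("high" if chained else "medium", client, url,
                             "blocked domain after share link" if chained
                             else "blocked domain"))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Share links alone are left unflagged unless they arrive from an ad click, since chatgpt.com/s/ URLs are also used legitimately.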

Source articles (6)

  • Scammers Are Now Hosting Malware on chatgpt.com. Yes, the Real One. — Philiphall · 2026-05-29
    Attackers are using ChatGPT's own content sharing feature to host malicious pages on chatgpt.com, tricking users into downloading malware through Google Ads. The LLMShare campaign exploits the very do…
  • ChatGPT share links abused to host fake outage pages to deliver malware — Bleepingcomputer · 2026-05-29
    Threat actors are abusing ChatGPT's content-sharing feature to display fake OpenAI outage pages that direct users to download malware disguised as the ChatGPT desktop application. The "LLMShare" campa…
  • Hackers are now using ChatGPT share links to deliver malware — Neowin · 2026-05-29
    Researchers at Push Security have identified a new campaign by threat actors that delivers infostealer malware through legitimate domains, tagged "LLMShare." Basically, "LLMShare" works by abusing the…
  • Push Security — pushsecurity.com · 2026-05-29
  • VirusTotal — www.virustotal.com · 2026-05-29
  • VirusTotal — www.virustotal.com · 2026-05-29

Timeline

  • 2026-05-29 — LLMShare campaign identified: Push Security discovered a campaign using ChatGPT's features to deliver malware via fake outage pages.
  • 2026-05-29 — Google ads used for malicious redirection: Attackers employed Google ads to direct users searching for ChatGPT to malicious links on chatgpt.com.
  • 2026-05-29 — Malware targets Windows and macOS: The downloaded malware includes infostealers and is designed to evade detection by checking for security software.

Related entities

  • Greyvibe (Apt Group)
  • Malware (Attack Type)
  • Phishing (Attack Type)
  • LLMShare (Campaign)
  • LLMShare Campaign (Campaign)
  • PhantomClick (Campaign)
  • PhantomMail (Campaign)
  • PrincessClub (Campaign)
  • chatgpt.com (Domain)
  • openew.app (Domain)
  • Government (Industry)
  • Odyssey Stealer (Malware)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • ChatGPT (Platform)
  • Google Ads (Platform)
  • MacOS (Platform)
  • Windows (Platform)
  • Claude (Tool)
  • Grok (Tool)