Threat actors are abusing ChatGPT’s content-sharing feature to display fake OpenAI outage pages that direct users to download malware disguised as the ChatGPT desktop application.
The “LLMShare” campaign, discovered by Push Security, uses Google ads to direct users searching for ChatGPT to a malicious shared ChatGPT page hosted on chatgpt.com, allowing the attack to be delivered through a legitimate OpenAI domain.
Users who click the advertisement are taken to a legitimate ChatGPT shared page, but instead of seeing a chat conversation, they are presented with a rendered outage notice claiming the web version is unavailable and that they should download the desktop application instead.
“We’re experiencing high traffic right now,” reads the fake outage message.
“Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.”
Unlike traditional phishing pages hosted on attacker-controlled infrastructure, the fake outage notice is rendered through ChatGPT itself.
The attackers created a custom HTML page using ChatGPT’s rendering capabilities and published it through a shared chatgpt.com/s/ link, allowing the fake outage notice to be displayed from a legitimate ChatGPT URL.
Push Security noted that the page includes “Show code” and “Remix with ChatGPT” controls, revealing that the fake outage notice is actually generated from custom HTML and CSS rendered by a ChatGPT prompt.
If the visitor clicks on the download button, they are brought to a website at openew[.]app that impersonates OpenAI’s desktop application download portal.
The researchers say the site uses cloaking to display content only to targeted victims. When security platforms like URLScan visited the URL, they were shown a harmless AR/VR company website instead.
The website offers both macOS [VirusTotal] and Windows [VirusTotal] downloads that install malware on devices. While it is unclear what payloads are ultimately deployed, earlier campaigns abusing AI platform sharing features have distributed infostealers.
BleepingComputer’s test of the Windows version on Any.Run found that it executes various commands to determine whether the device is a legitimate computer or a virtual machine.
Push Security also observed attacks abusing Claude Artifacts, Anthropic’s feature for sharing rendered applications and content, to host ClickFix-style lures that tricked users into executing malicious commands.
AI platforms’ sharing features have been abused in the past to distribute malware to unsuspecting victims.
Earlier this year, threat actors used Google advertisements to direct users searching for Claude downloads to shared Claude conversations containing malicious installation instructions.
Other campaigns abused shared ChatGPT and Grok conversations that conducted ClickFix attacks by impersonating software installation guides that instructed victims to execute commands that installed malware.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
