
Attackers Abuse ChatGPT Share Links to Serve Fake Outage Pages and Deliver Malware

Threat actors are exploiting ChatGPT's built-in content-sharing feature to display counterfeit OpenAI outage notices that lure users into downloading malware disguised as a legitimate desktop application, according to research published by Push Security.

 

The campaign, which researchers have named "LLMShare," uses Google ads to steer users searching for ChatGPT toward a malicious shared page hosted on chatgpt.com—OpenAI's own domain—rather than on attacker-controlled infrastructure.

 

When a user clicks the sponsored advertisement, they land on a genuine ChatGPT shared page. Instead of a chat transcript, however, the page displays a fabricated outage notice. "We're experiencing high traffic right now," the fake message reads. "Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue."

 

The notice is not a traditional phishing page. The attackers built a custom HTML page using ChatGPT's rendering capabilities and published it through a shared chatgpt.com/s/ link, meaning the deceptive content appears under a legitimate OpenAI URL. Push Security noted that the page includes "Show code" and "Remix with ChatGPT" controls, revealing that the outage notice is generated from custom HTML and CSS rendered by a ChatGPT prompt.

 

Clicking the download button redirects visitors to a site at openew[.]app, which impersonates OpenAI's desktop application download portal. The site employs cloaking techniques to filter out security researchers: when platforms such as URLScan visited the URL, they were served a benign augmented and virtual reality company website. Targeted users, by contrast, are offered both macOS and Windows downloads that install malware on their devices.

 

The exact payloads deployed in LLMShare remain unclear, though earlier campaigns using similar techniques distributed infostealers. Testing of the Windows installer on the Any.Run sandbox showed the executable running various commands to determine whether the host machine is a genuine computer or a virtual environment.

 

Push Security also observed related attacks abusing Claude Artifacts, Anthropic's feature for sharing rendered applications and content. In those cases, ClickFix-style lures tricked users into manually executing malicious commands.

 

The LLMShare campaign is the latest in a series of operations that have turned AI platforms' content-sharing features into distribution channels for malware. Earlier this year, threat actors used Google ads to send users searching for Claude downloads to shared Claude conversations containing malicious installation instructions. Other campaigns abused shared ChatGPT and Grok conversations that posed as software installation guides, instructing victims to run commands that ultimately installed malware.

 

The common thread across all of these attacks is that adversaries are weaponizing the trust users extend to legitimate, well-known domains. Because the malicious content is hosted on chatgpt.com or claude.ai rather than an unknown site, standard domain-reputation checks offer limited protection.
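Because the lure page itself sits on a trusted domain, one control is to correlate a share-link view with an installer download that follows shortly afterwards from a host outside a verified vendor list. The sketch below is an added example, not code from Push Security or from the original article; the proxy records, the five-minute window and the download-host allowlist are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Share-link location named in the article; add other platforms' paths as you verify them.
SHARE_PREFIXES = {"chatgpt.com": "/s/"}
# Assumption: hosts your organisation has verified as genuine vendor download sources.
VENDOR_DOWNLOAD_HOSTS = {"openai.com", "chatgpt.com"}
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg")
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed proxy records: (ISO timestamp, user, requested URL).
SAMPLE_LOG = [
    ("2025-01-01T10:00:00", "alice", "https://chatgpt.com/s/EXAMPLE-SHARE-ID"),
    ("2025-01-01T10:00:40", "alice", "https://download.example/ChatGPT-Setup.exe"),
    ("2025-01-01T11:00:00", "bob", "https://chatgpt.com/s/EXAMPLE-SHARE-ID-2"),
    ("2025-01-01T11:30:00", "bob", "https://tools.example/editor.dmg"),
    ("2025-01-01T12:00:00", "carol", "https://chatgpt.com/s/EXAMPLE-SHARE-ID-3"),
    ("2025-01-01T12:01:00", "carol", "https://chatgpt.com/downloads/app.dmg"),
]

def host_in(host, allowed):
    """True if host equals, or is a subdomain of, an allowed host."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def is_share_view(url):
    """True if the URL is a shared-content page on a tracked AI platform."""
    parts = urlsplit(url)
    prefix = SHARE_PREFIXES.get(parts.hostname or "")
    return prefix is not None and parts.path.startswith(prefix)

def is_untrusted_installer(url):
    """True if the URL fetches an installer from a host outside the allowlist."""
    parts = urlsplit(url)
    return (parts.path.lower().endswith(INSTALLER_EXTS)
            and not host_in(parts.hostname or "", VENDOR_DOWNLOAD_HOSTS))

def find_share_then_download(records, window=WINDOW):
    """Return (user, share_url, download_url) for installer fetches soon after a share view."""
    last_share = {}  # user -> (time of latest share view, its URL)
    alerts = []
    for ts, user, url in sorted(records):
        when = datetime.fromisoformat(ts)
        if is_share_view(url):
            last_share[user] = (when, url)
        elif is_untrusted_installer(url) and user in last_share:
            seen, share_url = last_share[user]
            if when - seen <= window:
                alerts.append((user, share_url, url))
    return alerts
```

On the constructed log only alice's download is flagged: bob's falls outside the window and carol's comes from an allowlisted host.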

 

As AI platforms continue to expand their content-sharing and rendering capabilities, security teams will need to develop controls that account for the possibility that trusted domains can themselves become delivery vectors—a challenge that grows more complex as the features enabling such attacks are also central to the utility of the tools themselves.
