Threat actors have turned ChatGPT's own content-sharing feature into a malware delivery pipeline, hosting fake service disruption pages directly on chatgpt.com and routing victims there through paid Google search ads. Security firm Push Security disclosed the campaign — which it named LLMShare — on May 29, 2026, confirming it was still generating active detections at the time. Because the attack lands on OpenAI's own domain rather than an attacker-controlled site, it bypasses the URL-reputation checks, corporate firewalls, and personal caution that would stop a conventional phishing page.
The technique exploits a design feature — not a software vulnerability — in ChatGPT's sharing system, which means no patch from OpenAI can close it without changing how the product works. As of June 1, 2026, neither OpenAI nor Anthropic had issued a public statement addressing the abuse of their platforms' sharing features.
Fake Page Built Inside a Real One
ChatGPT allows users to share conversations through public links in the format chatgpt.com/s/[unique-id]. It also renders HTML and CSS code embedded in those shared pages, a feature designed for developers to preview web layouts. The attackers behind LLMShare used that rendering capability to build a pixel-perfect fake ChatGPT outage notice — complete with OpenAI branding, a polished error message, and a prominent download button — and published it as a standard share link.
Anyone who arrives at the link sees what appears to be a routine service disruption notice stating that ChatGPT's web version is "temporarily unavailable due to a large number of users" and directing them to download the desktop app. A "Show code" toggle at the top of the page reveals the illusion: the entire notice is custom HTML and CSS, not an official OpenAI system message. Most users never look for that toggle, according to Push Security researcher Keanu Maharaj, who authored the disclosure report.
Google Ads Route Victims to Trusted Domain
Getting victims to that page requires a separate investment: Google search ads. The attackers purchased sponsored placements targeting queries such as "ChatGPT," "ChatGPT desktop app," and "ChatGPT download" — high-volume searches from users simply trying to find or reinstall the tool.
When a user clicks one of those ads, the destination URL is a legitimate chatgpt.com/s/ address. Corporate web filters and firewalls that maintain allow-lists for AI productivity tools pass the traffic without inspection. Users who check the address bar before clicking see nothing unusual. Pete Luban, Field CISO at AttackIQ, described the mechanism to Cybernews: "A fake outage page sitting inside a real ChatGPT share link feels much more believable than a random phishing site, which lowers suspicion quickly."
Read more: Ghost CMS SQL Injection Hits 700 Sites: Harvard, DuckDuckGo Serve Fake Cloudflare Malware
Infostealer Payloads Tailored by Platform
Clicking the download button on the fake outage page redirects visitors to openew[.]app, a lookalike site designed to mimic OpenAI's official desktop application download portal. It displays OpenAI branding, macOS and Windows download buttons, a Chrome extension link, and a mobile download section.
Both Windows and macOS payloads have been confirmed. Malwarebytes, which documented a concurrent fake ChatGPT download campaign in late May 2026, identified the macOS payload in similar operations as Odyssey Stealer — a fork of the well-documented Atomic macOS Stealer that targets browser-saved passwords, cryptocurrency wallet data, and active session tokens, and attempts to replace legitimate Ledger and Trezor wallet applications with trojanized versions.
Push Security noted that the exact payload families for the LLMShare executables had not been definitively named as of the disclosure, though infostealer malware consistent with earlier campaigns is suspected. The malicious executables themselves are flagged by multiple security engines on VirusTotal.
Scanner Evasion Built In
The malicious download infrastructure at openew[.]app employs a conditional rendering technique specifically designed to defeat automated threat analysis. When Push Security researchers submitted the URL to URLScan, the scanner was redirected to a generic AR/VR company website with no connection to ChatGPT. Real users in a browser see the fake download page; automated analysis tools see something benign.
This cloaking approach is well-established in the malvertising ecosystem. Research firm Varonis exposed a platform called 1Campaign in February 2026 — a purpose-built cloaking tool that had been active for over three years and achieved blocking rates above 99% against security scanners. That the LLMShare campaign uses equivalent techniques places it within a mature, professional criminal ecosystem rather than an opportunistic experiment.
AI Platform Abuse Accelerates in 2026
LLMShare is the most technically refined entry in a line of attacks that has grown sharply since late 2025. Kaspersky documented a December 2025 campaign that planted ClickFix-style terminal commands inside shared ChatGPT conversations and drove victims to them through sponsored search results, generating more than 18,000 clicks across tracked domains within three days. A parallel February 2026 campaign abused Claude.ai Artifacts — Anthropic's feature for sharing rendered applications — to host fake Homebrew installation guides, hitting at least one confirmed government organization.
Push Security's own data shows that four in five ClickFix attacks now reach victims through search results rather than email, with campaigns often scoped tightly by geography and user type. The LLMShare technique adds a layer on top of that: the destination URL is a trusted AI platform domain rather than an attacker-controlled site, removing the last warning signal a careful user might have noticed.
Pillar Security's analysis of early 2026 found that AI-platform malvertising campaigns in the first 10 weeks of the year already exceeded the total number from all of 2025. Push Security's disclosure also noted that similar LLMShare variants appeared on Claude as well, where shared conversations disguised as "Apple Support" guides for installing Claude Code on Mac instructed users to run malicious terminal commands.
OpenAI and Anthropic Have Not Responded
As of June 1, 2026, neither OpenAI nor Anthropic had issued a public statement addressing the specific abuse of their content-sharing features in LLMShare or related campaigns. Neither company had announced technical changes to restrict HTML rendering in shared pages, limit the domains to which share-page download buttons can link, or add visual warnings distinguishing user-generated share content from official platform messages.
That silence has structural implications. ChatGPT had reached approximately 800 million weekly active users by early 2026, a population that enterprise security policies increasingly treat as a trusted productivity tool. IBM's X-Force 2026 Threat Intelligence Index found that over 300,000 ChatGPT credentials had already appeared on the dark web — harvested not from OpenAI's servers but from user devices compromised by infostealer malware. A successful LLMShare campaign feeds directly into that same credential-theft pipeline.
What Security Teams and Users Should Do
The structural problem LLMShare exposes is that corporate security controls treating AI tool domains as inherently trustworthy are no longer adequate. A URL that begins with chatgpt.com cannot, by itself, be treated as a trust signal. The content at a /s/ path is user-generated and may be attacker-controlled.
Security teams should audit URL-filtering allow-lists that grant blanket trust to AI platform domains and evaluate whether path-level inspection — distinguishing between chatgpt.com/ and chatgpt.com/s/[id] — is achievable in their environment. Endpoint detection tools remain important because the delivered executables are flagged by many antivirus engines. User awareness training should be updated explicitly to cover the possibility that malicious content may appear on well-known AI platforms, not only on suspicious-looking domains.
For individual users, the recommended steps are: avoid clicking sponsored search ads when looking for software downloads; navigate directly to chatgpt.com rather than using search results; treat any "outage" page that prompts a download with suspicion, since legitimate services do not redirect users to downloads during disruptions; and download desktop applications only from official vendor sites or authorized app stores.
Frequently Asked Questions
Is a chatgpt.com link always safe to click?
Not necessarily. ChatGPT's content-sharing feature allows any user to publish a link under the chatgpt.com domain, and that content is fully attacker-controlled. Push Security confirmed in May 2026 that threat actors were hosting convincing fake outage pages on legitimate chatgpt.com/s/ share URLs and driving victims there through paid Google ads. The domain is real; the content is not.
What is the LLMShare malware attack?
LLMShare is a technique named by Push Security in which attackers use AI chatbot platforms' content-sharing features — specifically ChatGPT's code-rendering capability — to host phishing pages on trusted domains such as chatgpt.com. Victims are directed to those pages through sponsored search ads. Clicking a download button on the fake page leads to a lookalike site that installs infostealer malware on both Windows and macOS devices.
What should I do if I downloaded a file from a fake ChatGPT page?
Run a full scan with an up-to-date endpoint security tool immediately. Change passwords for any accounts whose credentials may be stored in your browser, prioritizing financial accounts and cryptocurrency wallets. Revoke active session tokens for any services you are logged into, since infostealer payloads commonly harvest those alongside passwords. If the infected device is a work machine, notify your IT or security team right away, as the attacker may have gained a foothold into your organization's network.
How do attackers evade security scanners with this campaign?
The download site used in the LLMShare campaign employs cloaking: it displays the malicious fake ChatGPT download page to real users in a browser, but redirects automated security scanners to a harmless, unrelated website. This technique makes it significantly harder for threat intelligence services to catalogue the infrastructure and for security teams to flag it in advance.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
