Threat actors have weaponized ChatGPT's content-sharing feature to serve fake OpenAI outage pages and trick users into downloading malware disguised as the ChatGPT desktop application. The campaign, named "LLMShare" by researchers at Push Security, uses Google Ads to funnel users to a malicious shared page hosted at a legitimate chatgpt.com/s/ URL — meaning the attack is delivered through OpenAI's own domain rather than attacker-controlled infrastructure. This domain legitimacy allows LLMShare to bypass many corporate URL blocklists and email security filters that block only known-malicious hosts.
// 01 ChatGPT Share Links Malware: How the Attack Works
ChatGPT's sharing feature allows users to publish a conversation as a public URL under chatgpt.com/s/<share_id>. When a recipient visits that URL, ChatGPT renders the shared conversation including any Markdown formatting, HTML elements, and images embedded in the original chat. The LLMShare campaign abuses this rendering capability to publish attack content on OpenAI's own domain.
The attack chain works as follows:

The attackers first constructed a fake outage notice using ChatGPT's own rendering capabilities, creating a custom HTML page that announces the web version of ChatGPT is temporarily down and instructs users to download the desktop application instead. They then published this page through ChatGPT's sharing feature, producing a valid chatgpt.com/s/ link. The fake outage content is rendered by OpenAI's own servers when anyone visits the link.
To drive traffic, the attackers purchased Google Ads targeting users searching for terms like "ChatGPT download," directing clicks to the chatgpt.com/s/ page. Because the landing URL is on chatgpt.com, many corporate proxy and security tools that check domain reputation classify the initial visit as safe — the malicious redirect is one click away, on a third-party domain.
Users who click the "Download Desktop App" button on the fake outage page are taken to openew[.]app, a domain that impersonates OpenAI's download portal. The site employs cloaking — a technique where the server detects automated visitors (such as URL scanning tools, security bots, or the URLScan.io crawler) and displays a harmless AR/VR company website to them while serving the malicious content to real human visitors. This cloaking prevents the malicious site from appearing in threat intelligence feeds and makes manual verification difficult.
// 02 Who Is Targeted and What Is Delivered
The LLMShare campaign primarily targets users searching for the ChatGPT desktop application — including employees at organizations that block the ChatGPT web interface, individuals trying to install ChatGPT for the first time, and users who encounter performance issues and search for an alternative access method.
The final payload delivered from openew[.]app is a malware installer disguised as the legitimate ChatGPT desktop application. The specific malware family has not been fully confirmed at publication time. Related campaigns tracked by Malwarebytes and Kaspersky targeting ChatGPT fake download sites have delivered AMOS (Atomic macOS Stealer — an infostealer targeting macOS users that exfiltrates browser credentials, crypto wallets, and files), and Windows-targeting RATs (Remote Access Trojans — malware that gives an attacker persistent remote control over an infected system).
// 03 Why ChatGPT Shared Links Are Dangerous as an Attack Vector
The LLMShare campaign exploits a fundamental design tension in AI platforms: features built for user productivity (content sharing, rich rendering) can be repurposed as attack delivery infrastructure. Several characteristics make ChatGPT shared links particularly well-suited to abuse:
Domain trust. chatgpt.com has extremely high reputation across all major threat intelligence platforms. Corporate firewalls and security tools that block unknown domains will pass traffic to chatgpt.com/s/ without inspection in most enterprise environments.
Content rendering. The shared conversation renderer executes Markdown, renders HTML elements, and displays embedded images — giving attackers a flexible templating surface to construct convincing fake UI elements within a trusted domain context.
No authentication to view. Shared links are publicly accessible without a ChatGPT account, making them suitable for wide distribution via advertising or email.
This attack vector is distinct from — but conceptually related to — the ChatGPhish vulnerability disclosed the same day by Permiso Security, which exploits ChatGPT's web summarization renderer to inject phishing links into assistant responses. Together, both research disclosures highlight the expanding attack surface created by AI platform features.
// 04 What You Should Do Right Now
- Block the IOC domain. Add openew[.]app to your DNS blocklist, proxy blocklist, and EDR (Endpoint Detection and Response — security software that monitors endpoint activity) exclusion/block list. This is the active malware download domain in the confirmed LLMShare campaign.
- Review proxy and firewall policies for chatgpt.com/s/ paths. Consider whether your organization needs to inspect or restrict access to ChatGPT shared links (chatgpt.com/s/) vs. the authenticated chat UI (chatgpt.com/c/). Logging rather than blocking may be appropriate in most environments, providing a detection signal without disrupting legitimate use.
- Alert on unexpected ChatGPT installer downloads. OpenAI's official desktop application is distributed from openai.com and cdn.openai.com, not from third-party domains. Any ChatGPT installer downloaded from an unrecognized domain should be treated as suspicious.
- Educate users about AI platform impersonation. The targeting of users searching for AI tools reflects a broader pattern: as AI assistants become workplace staples, attackers will increasingly build lures around them. The same pattern was used against Midjourney, Gemini, and Grok in prior campaigns.
- Submit suspicious ChatGPT shared links to OpenAI. OpenAI accepts reports of abusive shared content at https://openai.com/policies/usage-policies. Reporting malicious shared links causes them to be taken down, removing the chatgpt.com-hosted attack surface.
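The logging and alerting recommendations above can be combined into one proxy-log check. The following is an added example, not code from the article or from Push Security: it treats chatgpt.com/s/ visits as a log-only signal and alerts on IOC-domain hits and on ChatGPT-named installers fetched from hosts other than the official ones. The log format, the 10-minute window, the installer extensions and every sample line are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# IOC from the article, kept defanged in source and refanged only for matching
IOC_DOMAINS = {"openew[.]app".replace("[.]", ".")}
# Official installer sources named in the article
OFFICIAL_HOSTS = ("openai.com", "cdn.openai.com")
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg")   # assumed installer types
WINDOW = timedelta(minutes=10)                     # assumed correlation window

# Constructed sample proxy log: "<ISO timestamp> <user> <URL>" (assumed format)
SAMPLE_LOG = """\
2025-01-01T09:00:05 alice https://chatgpt.com/c/abc123
2025-01-01T09:01:10 bob https://chatgpt.com/s/EXAMPLE_SHARE_ID
2025-01-01T09:01:40 bob https://openew[.]app/download/ChatGPT-Setup.exe
2025-01-01T09:05:00 carol https://chatgpt.com/s/EXAMPLE_SHARE_ID
2025-01-01T09:07:30 carol https://downloads.example.net/ChatGPT-Setup.dmg
2025-01-01T09:10:00 dave https://cdn.openai.com/desktop/ChatGPT.dmg
2025-01-01T09:12:00 erin https://openai.com.example.org/ChatGPT-Installer.exe
""".replace("[.]", ".")

def is_under(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def analyze(log_text):
    """Return (user, reason, url) alerts; assumes lines are in time order."""
    alerts, last_share = [], {}
    for line in log_text.strip().splitlines():
        ts_raw, user, url = line.split(maxsplit=2)
        ts, parts = datetime.fromisoformat(ts_raw), urlparse(url)
        host, path = (parts.hostname or "").lower(), parts.path.lower()
        if host == "chatgpt.com" and path.startswith("/s/"):
            last_share[user] = ts          # shared-link view: record, do not alert
        elif is_under(host, IOC_DOMAINS):
            alerts.append((user, "ioc_domain", url))
        elif ("chatgpt" in path and path.endswith(INSTALLER_EXT)
              and not is_under(host, OFFICIAL_HOSTS)):
            # Higher-confidence alert when the download follows a shared-link view
            seen = last_share.get(user)
            after = seen is not None and timedelta(0) <= ts - seen <= WINDOW
            reason = "installer_after_share" if after else "unofficial_installer"
            alerts.append((user, reason, url))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The suffix check in is_under matters: a lookalike host such as openai.com.example.org contains the official name but is not under it, so it is still flagged.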
// 05 Background: Understanding the Risk
The LLMShare campaign represents a maturation of AI platform abuse as an attack vector. Earlier campaigns used AI-generated phishing text, AI-assisted malware coding, or fake AI tool websites on attacker-controlled domains. LLMShare advances the technique by hosting the initial lure on a platform-owned domain (chatgpt.com), which leaves defenders fewer domain-based signals to act on and increases the credibility of the initial contact.
Kaspersky's research on the related AMOS infostealer campaign shows a similar pattern: attackers create shared ChatGPT conversations containing ClickFix-style (a social engineering technique that instructs users to run a command in their terminal under the pretense of fixing an error) instructions, then promote them via Google Ads. The underlying mechanism — trusted domain hosting attacker content — is the same.
For security teams, the LLMShare campaign is a reminder that domain reputation alone is not a sufficient control. Content rendered from trusted platforms must also be evaluated for what it asks users to do.
// 06 Conclusion
The LLMShare campaign demonstrates that ChatGPT's content-sharing feature can serve as attack delivery infrastructure when the platform renders attacker-crafted content under its own trusted domain. Organizations should block openew[.]app immediately, review ChatGPT access policies, and brief users on AI platform impersonation tactics. OpenAI should consider additional controls on what shared conversations can render.
For any query contact us at contact@cipherssecurity.com
