Push Security has disclosed LLMShare, an active malware campaign that abuses ChatGPT's shared conversation feature (chatgpt.com/s/) to deliver credential-stealing malware from OpenAI's own domain. The attack uses Google Ads malvertising to drive victims to real chatgpt.com URLs — where attackers have used ChatGPT's rendering engine to construct fake service outage notices — before redirecting to a payload delivery site hosting the Odyssey Stealer for macOS and a ClickFix-family infostealer for Windows. Security scanners that trust chatgpt.com unconditionally miss the threat entirely. OpenAI has not issued a public statement or patched the shared content feature.
// 01 LLMShare: Technical Details
LLMShare (named by Push Security, who published their report on May 29, 2026) is an evolution of the "Living Off Trusted Sites" (LOTS) attack pattern — where attackers use legitimate, trusted services to host malicious content instead of building their own infrastructure. What makes LLMShare technically novel is the specific abuse vector: ChatGPT's shared conversation feature.
The chatgpt.com/s/ feature allows any ChatGPT user to generate a unique, publicly accessible URL for any conversation at chatgpt.com/s/[unique-id]. Anyone with the link can view the shared chat — no login required. These pages are served directly from ChatGPT's first-party domain and support rich rendering, including HTML, CSS, and code blocks generated by the AI.
The attack chain:
Stage 1 — Malvertising entry. Attackers purchase Google Ads targeting search terms including "ChatGPT," "ChatGPT free," "ChatGPT desktop app," and "ChatGPT download," as well as common typosquats like "chatgo" and "chatgot." When a user clicks the ad, they are directed to a real chatgpt.com/s/ URL — not a lookalike domain.
Stage 2 — Fake outage page on chatgpt.com. The destination is a shared ChatGPT conversation where the attacker used ChatGPT's code-rendering capability to generate a complete fake outage notice: "We're experiencing high traffic right now — the web version is unavailable. Please download the desktop app." Because the page is served from chatgpt.com, browser warnings, Safe Browsing databases, and URL scanners raise no alerts.
Stage 3 — Redirect to payload delivery. The fake outage page redirects to openew[.]app, an attacker-controlled site impersonating OpenAI's download portal. This site uses conditional rendering to evade detection: automated security scanners (e.g., URLScan, VirusTotal URL scanner) see a harmless AR/VR company website, while real browser users see a fake app download page.
Stage 4 — Malware delivery. The fake download site serves:
- macOS: ChatGpt.dmg (SHA-256: c0919e1999eaee67e67aeda0287722775afb04e9a9a0f727928b4d11265fb70b) — Odyssey Stealer, a fork of AMOS (Atomic macOS Stealer)
- Windows: Chat_GPT.exe (SHA-256: c9e0e6985dca3a179c9bdea4e7b38f7dc57fe00ecedc2fd634256fc53bf2de2d) — an InstallFix/ClickFix-family infostealer
Detection rate at analysis time: 9 of 69 antivirus engines. The malware checks whether it is running in a virtual machine before executing, making sandbox analysis difficult.
A second attack variant uses shared Claude.ai conversations disguised as an "Apple Support" guide for "Claude Code on Mac" installation, containing a curl command that downloads malware. This variant specifically targets developers who are accustomed to running installation commands from documentation.
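The chain above has a behavioral signature that does not depend on the attacker's domain or file hashes: a client opens a chatgpt.com/s/ page and, shortly afterwards, downloads an installer from a host that is not OpenAI's. The following detection logic is an added example (not Push Security's code or anything from the report); the proxy log format, the sample log lines, the 10-minute window and the OpenAI host allowlist are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real telemetry): timestamp, client IP, method, URL, referer.
# Client 10.0.0.5 follows the LLMShare chain: chatgpt.com/s/ page -> attacker site -> ChatGpt.dmg.
SAMPLE_LOG = """\
2026-05-29T09:00:01Z 10.0.0.5 GET https://chatgpt.com/s/abc123EXAMPLE https://www.google.com/
2026-05-29T09:00:04Z 10.0.0.5 GET https://openew.app/download https://chatgpt.com/s/abc123EXAMPLE
2026-05-29T09:00:09Z 10.0.0.5 GET https://openew.app/files/ChatGpt.dmg https://openew.app/download
2026-05-29T09:05:00Z 10.0.0.7 GET https://chatgpt.com/s/def456EXAMPLE https://chatgpt.com/
2026-05-29T09:05:30Z 10.0.0.7 GET https://help.openai.com/en/ https://chatgpt.com/s/def456EXAMPLE
2026-05-29T09:10:00Z 10.0.0.9 GET https://example.com/tools/setup.exe https://example.com/
"""

SHARE_RE = re.compile(r"^https?://chatgpt\.com/s/[A-Za-z0-9_-]+")
OPENAI_HOSTS = {"chatgpt.com", "openai.com"}    # assumed first-party hosts a share page may legitimately lead to
PAYLOAD_EXT = (".dmg", ".pkg", ".exe", ".msi")  # .dmg/.exe seen in the campaign; .pkg/.msi added as assumptions
WINDOW = timedelta(minutes=10)                  # assumed: how long after the share-page visit a download counts

def parse(line):
    ts, client, _method, url, referer = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "url": url, "referer": referer}

def is_openai_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host in OPENAI_HOSTS or host.endswith(".openai.com")

def is_installer(url):
    return urlparse(url).path.lower().endswith(PAYLOAD_EXT)

def find_llmshare_chains(log_text):
    """Return (client, share_url, payload_url) for every client that opened a chatgpt.com/s/
    page and, within WINDOW, fetched an installer from a host that is not OpenAI's."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    for share in (e for e in events if SHARE_RE.match(e["url"])):
        for later in events:
            same_client = later["client"] == share["client"]
            in_window = share["ts"] <= later["ts"] <= share["ts"] + WINDOW
            if same_client and in_window and is_installer(later["url"]) and not is_openai_host(later["url"]):
                hits.append((share["client"], share["url"], later["url"]))
    return hits

if __name__ == "__main__":
    for client, share, payload in find_llmshare_chains(SAMPLE_LOG):
        print(f"ALERT {client}: {share} -> {payload}")
```

Only the first client is flagged: the second follows a share link to help.openai.com (allowlisted host, no installer) and the third downloads an installer without ever visiting a share page.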

// 02 Exploitation Status and Threat Landscape
The LLMShare campaign was active at time of reporting (May 29, 2026) and discovered across multiple Push Security customer environments. Google Ads malvertising delivery means no email security control, no phishing filter, and no SPF/DKIM check can block the entry point. The attack works entirely through the legitimate Google Ads ecosystem and OpenAI's own content infrastructure.
What Odyssey Stealer (macOS) does:
- Extracts macOS Keychain data (stored passwords, certificates, Wi-Fi credentials)
- Steals browser credentials from 12 Chromium-based browsers plus Firefox and Waterfox
- Exfiltrates Telegram session data
- Targets 16 cryptocurrency wallet directories (Ledger, Trezor, Exodus, and others)
- Downloads and installs trojanized versions of Ledger Live, Ledger Wallet, and Trezor Suite — replacing legitimate apps to intercept future crypto transactions
- C2 infrastructure: 188[.]137[.]246[.]189, 192[.]253[.]248[.]181, 172[.]94[.]9[.]250
The Odyssey Stealer is available as Malware-as-a-Service (MaaS) — rented to attackers for approximately $3,000/month paid in cryptocurrency, significantly lowering the barrier for less-skilled attackers to run LLMShare-style campaigns.
OpenAI's response: No official statement has been published. The chatgpt.com/s/ feature remains fully operational. Individual shared conversation links can be revoked by the user who created them, but this requires identifying the specific malicious link — not a scalable defense.
Push Security's broader finding: 4 out of 5 ClickFix attacks in 2026 now arrive via search results rather than email, marking a fundamental shift in malware delivery that renders email-centric security controls increasingly insufficient.
// 03 Who Is Affected
Any user who searches for ChatGPT-related terms in Google and clicks a paid search result could be directed to a LLMShare payload delivery chain. The campaign specifically targets:
- General users who don't have ChatGPT bookmarked and rely on Google search to reach the service
- New users searching for "ChatGPT desktop app" or "ChatGPT download" (which is not an official offering — this social engineering premise exploits confusion about ChatGPT's distribution)
- Developers, targeted through the Claude.ai variant with a fake "Claude Code on Mac" installation guide
- Cryptocurrency holders, as a specific high-value target given Odyssey Stealer's wallet-targeting capabilities
The threat is inherently cross-platform: the macOS payload deploys a sophisticated AMOS-family stealer optimized for macOS Keychain and crypto wallets; the Windows payload uses the ClickFix pattern targeting browser credentials. Both platforms are actively targeted simultaneously.
// 04 What You Should Do Right Now
- Install an ad blocker. uBlock Origin blocks the Google Ads entry point, which is the entire foundation of the LLMShare delivery chain. This is the single highest-impact control for this specific attack.
- Bookmark ChatGPT and other AI tools directly. Never navigate to ChatGPT by clicking a Google search result — type chatgpt.com directly or use a bookmark. OpenAI does not offer a desktop app for download through Google Ads.
- Never download software based on a ChatGPT conversation link. Real software installation guides from OpenAI come through official documentation at help.openai.com or openai.com, not through shared chat links at chatgpt.com/s/.
- For macOS users — check for Odyssey Stealer indicators. If you recently installed any "ChatGPT desktop app" from a non-official source, check for:

```bash
# Check for connections to the known C2 address ranges
# (-n -P keep addresses numeric; dots are escaped so grep matches them literally)
lsof -i -n -P | grep -E "188\.137\.246\.|192\.253\.248\.|172\.94\.9\."

# Check Keychain access history in Console.app for unexpected entries

# Check for trojanized Ledger/Trezor/Exodus apps:
ls -la /Applications/ | grep -iE "ledger|trezor|exodus"
```
- For Windows users — check for InstallFix indicators. Look for unexpected files in %APPDATA%\LeronApplication and unexpected PowerShell processes:

```powershell
# Check for the LeronApplication directory
Test-Path "$env:APPDATA\LeronApplication"

# Check for PowerShell invocations that requested an unrestricted execution policy
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
    Where-Object { $_.Message -like "*ExecutionPolicy Unrestricted*" } |
    Select-Object -Last 20
```
- Monitor for the known C2 IPs at your perimeter. Block egress traffic to 188[.]137[.]246[.]189, 192[.]253[.]248[.]181, and 172[.]94[.]9[.]250 in your firewall. Any internal host communicating with these IPs should be treated as potentially compromised.
// 05 Background: Understanding the Risk
LLMShare represents the maturation of a threat pattern that security teams have been watching develop since 2024: attackers systematically abusing legitimate, high-trust platforms to host malicious content, rendering traditional domain-reputation defenses obsolete.
Push Security has catalogued a growing list of campaigns that follow this "Living Off Trusted Sites" playbook: Operation HookedWing (GitHub Pages and Vercel, targeting 500+ organizations over 4 years), AccountDumpling (Google AppSheet email relay for phishing), Azure Blob Storage phishing (100+ unique subdomains), Ghost CMS exploitation (planting ClickFix pages on compromised Harvard and Oxford subdomains), and now LLMShare (ChatGPT and Claude.ai).
The underlying dynamic is simple and difficult to address: every time a legitimate platform adds a feature that allows user-generated content or redirects, it becomes a potential abuse vector for attackers willing to invest in understanding the feature. ChatGPT's shared conversation feature is extraordinarily convenient for legitimate users — and, as LLMShare demonstrates, equally convenient for hosting phishing lures that inherit the trust of chatgpt.com.
The developer-targeted Claude variant is particularly sophisticated: it exploits the normalized workflow of developers who regularly run installation commands from documentation without scrutinizing every step. A curl command in what appears to be an official "Claude Code" setup guide is exactly the kind of trusted-format content that bypasses a developer's usual skepticism. This is a meaningful escalation from generic "download this app" social engineering to targeted, context-aware attacks on technical users.
The MaaS model at $3,000/month for Odyssey Stealer access means LLMShare is not limited to sophisticated threat actors. Any attacker with a few thousand dollars and basic operational security can run this campaign with minimal technical skill. Combined with Google Ads' reach and targeting capabilities, the scale potential is significant.
// 06 Conclusion
LLMShare demonstrates that trusted AI platform domains are now active attack surfaces, not safe havens. An ad blocker is the most effective defense against this specific campaign. Never download software claimed to be "ChatGPT" or "Claude" from a search result or shared conversation link — navigate to chatgpt.com or claude.ai directly. If you recently installed anything from a chatgpt.com/s/ shared conversation link, treat it as a potential Odyssey Stealer or InstallFix compromise and check for the indicators above immediately.
For any query contact us at contact@cipherssecurity.com
