top of page
perceptive_background_267k.jpg

ChatGPT share links abused to host fake outage pages to deliver malware

Published:

29 May 2026 at 18:21:36

Alert date:

29 May 2026 at 19:07:03

Source:

bleepingcomputer.com

Click to open the original link from this advisory

Emerging Technologies, Ransomware & Malware, Web Technologies

Threat actors are exploiting ChatGPT's content-sharing feature to create fake OpenAI outage pages. These malicious pages direct users to download malware disguised as the legitimate ChatGPT desktop application. The attack leverages the trusted ChatGPT domain to bypass security filters and increase victim trust. Users visiting these fake outage pages are tricked into downloading and installing malicious software. This represents an abuse of legitimate AI platform features for malware distribution.

Technical details

The LLMShare campaign uses Google ads to direct users searching for ChatGPT to malicious shared ChatGPT pages hosted on legitimate chatgpt.com domains. Attackers create custom HTML pages using ChatGPT's rendering capabilities and publish them through shared chatgpt.com/s/ links. The fake outage notice is generated from custom HTML and CSS rendered by a ChatGPT prompt. Clicking the download button redirects to openew[.]app which impersonates OpenAI's desktop application download portal. The site uses cloaking to display content only to targeted victims, showing a harmless AR/VR company website to security platforms. The malware executes commands to determine if the device is a legitimate computer or virtual machine.

Mitigation steps:

Be cautious of Google ads claiming to be ChatGPT links. Verify ChatGPT outage notices through official OpenAI channels rather than downloading desktop applications from shared links. Be suspicious of shared ChatGPT links that display outage messages or request downloads. Only download ChatGPT applications from official OpenAI websites. Monitor for suspicious executions checking for virtual machine environments.

Affected products:

ChatGPT sharing feature
Claude Artifacts
OpenAI ChatGPT
Anthropic Claude
Google Ads
Windows systems
macOS systems

Related links:

http://pushsecurity.com/blog/llmshare-malvertising-campaign
https://www.virustotal.com/gui/file/7e5b708f6659b1fad3aae7b589a706434fbf21708aeec5af5910189b96e25fef
https://www.virustotal.com/gui/file/641526a22667a527290aac8c2c0358265d85c83318a7caca7cff28cecc2dbc16
https://app.any.run/tasks/4ba84dc2-df16-480c-b4e2-9b044a2b6009
https://www.bleepingcomputer.com/news/security/google-ads-for-shared-chatgpt-grok-guides-push-macos-infostealer-malware/
https://www.bleepingcomputer.com/news/security/claude-llm-artifacts-abused-to-push-mac-infostealers-in-clickfix-attack/

Related CVE's:

Related threat actors:

IOC's:

openew[.]app, chatgpt.com/s/ malicious shared links, Hash: 7e5b708f6659b1fad3aae7b589a706434fbf21708aeec5af5910189b96e25fef (macOS malware), Hash: 641526a22667a527290aac8c2c0358265d85c83318a7caca7cff28cecc2dbc16 (Windows malware)

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page