ChatGPT shares abused links to host fake landing pages to deliver malware

Threat actors abuse ChatGPT’s content sharing feature to display fake OpenAI takedown pages that direct users to download malware disguised as the ChatGPT desktop program.
The “LLMShare” campaign, discovered by Push Security, uses Google ads to direct users looking for ChatGPT to a malicious shared ChatGPT page hosted on chatgpt.com, allowing the attack to be delivered through the official OpenAI domain.

Users who click on the ad are taken to an official ChatGPT shared page, but instead of seeing a chat session, they are shown an outage notice saying that the web version is not available and that they should download the desktop app instead.
“We are experiencing heavy traffic at the moment,” reads the fake outage message.
“Our website is temporarily unavailable due to the large number of users. Download our desktop app to continue.”

Unlike phishing pages hosted on attacker-controlled infrastructure, the fake outage notice is served by ChatGPT itself.
The attackers created a custom HTML page using ChatGPT’s rendering capabilities and published it as a shared chatgpt.com/s/ link, which allows the fake outage notice to be displayed under the official ChatGPT URL.
Push Security noted that the page includes “Show Code” and “Recombine with ChatGPT” controls, which indicates that the fake outage notice is generated from custom HTML and CSS supplied in the ChatGPT prompt.
When a visitor clicks the download button, they are taken to a site at opeew[.]an that imitates the OpenAI desktop download portal.
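The chain described above (a sponsored search result, a chatgpt.com/s/ shared page, then an installer fetched from an unrelated domain) leaves a recognizable pattern in web proxy logs. The following is an added detection example, not code from Push Security or the article: it correlates, per client, a visit to a shared-chat page on one of the AI platforms named here with an installer download from a host outside the vendors' own domains within a short window. The log format, the hostnames `landing.example` and `updates.example`, the share-path prefixes for Claude and Grok, and the trusted-domain list are assumptions for the demonstration.

```python
"""Flag installer downloads that closely follow a visit to an AI platform's shared-chat page."""
from urllib.parse import urlparse

# Share-page path prefixes per platform. chatgpt.com/s/ is from the article;
# the Claude and Grok prefixes are assumptions for this example.
SHARE_PATHS = {
    "chatgpt.com": ("/s/", "/share/"),
    "claude.ai": ("/share/",),
    "grok.com": ("/share/",),
}
# Domains from which a desktop client for these vendors would legitimately be served (assumption).
TRUSTED_DOWNLOAD_HOSTS = ("openai.com", "chatgpt.com", "anthropic.com", "claude.ai", "x.ai")
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg", ".zip")
WINDOW_SECONDS = 600  # share-page visit to download; tune for your environment

# Constructed proxy log: "<epoch> <client_ip> <url> <referer>" (hypothetical data, not real traffic).
SAMPLE_LOG = """\
1700000000 10.0.0.5 https://chatgpt.com/s/t_EXAMPLEID https://www.google.com/
1700000041 10.0.0.5 https://landing.example/ https://chatgpt.com/s/t_EXAMPLEID
1700000063 10.0.0.5 https://landing.example/ChatGPT-Setup.exe https://landing.example/
1700000100 10.0.0.9 https://chatgpt.com/c/abc -
1700000120 10.0.0.9 https://cdn.openai.com/ChatGPT.dmg https://chatgpt.com/
1700000200 10.0.0.7 https://chatgpt.com/s/t_OTHERID -
1700010000 10.0.0.7 https://updates.example/tool.zip -
"""


def _host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_share_page(url):
    """True if the URL is a shared-chat/artifact page on a known AI platform."""
    p = urlparse(url)
    prefixes = SHARE_PATHS.get(p.hostname or "")
    return bool(prefixes) and p.path.startswith(prefixes)


def is_untrusted_installer(url):
    """True if the URL looks like an installer served from outside the vendors' own domains."""
    p = urlparse(url)
    if not p.path.lower().endswith(INSTALLER_EXT):
        return False
    return not _host_matches(p.hostname or "", TRUSTED_DOWNLOAD_HOSTS)


def parse_line(line):
    ts, client, url, referer = line.split()
    return int(ts), client, url, referer


def find_suspicious_downloads(log_text, window=WINDOW_SECONDS):
    """Return alerts for clients that fetch an untrusted installer within `window`
    seconds of visiting a shared-chat page. The referer of the download itself is
    not relied on, because the download is served by the intermediate landing site."""
    last_share = {}  # client -> (timestamp, share-page URL)
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, url, _referer = parse_line(raw)
        if is_share_page(url):
            last_share[client] = (ts, url)
            continue
        if is_untrusted_installer(url) and client in last_share:
            share_ts, share_url = last_share[client]
            if ts - share_ts <= window:
                alerts.append({"client": client, "download": url, "share_page": share_url})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_downloads(SAMPLE_LOG):
        print(f"{alert['client']}: {alert['share_page']} -> {alert['download']}")
```

On the constructed log only 10.0.0.5 is flagged: 10.0.0.9 downloads from a vendor domain after a normal chat page, and 10.0.0.7's zip download falls outside the window. Legitimate share links are common, so this belongs as a medium-confidence signal to enrich with the ad-click referer and a sandbox verdict on the file rather than as a blocking rule.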

Researchers say the site uses cloaking to show its content only to targeted victims. When security platforms such as URLScan visit the URL, they are shown a harmless AR/VR company website instead.
The website offers both macOS [VirusTotal] and Windows [VirusTotal] downloads that install malware on the device. While the final payloads are not yet known, previous campaigns exploiting AI platforms’ sharing features have spread infostealers.
BleepingComputer testing of the Windows version on Any.Run found that it uses various commands to determine whether a device is a legitimate computer or a virtual machine.
Push Security also saw attacks exploiting Claude Artifacts, Anthropic’s feature for sharing apps and content, to host ClickFix-style decoys that tricked users into executing malicious commands.
AI platforms’ sharing features have been abused in the past to distribute malware to unsuspecting victims.
Earlier this year, malicious actors used Google ads to direct users looking for Claude’s downloads to shared Claude conversations that contained malicious installation instructions.
Other campaigns have abused shared ChatGPT and Grok chats to deliver ClickFix attacks, masquerading as software installation guides that instruct victims to execute commands that install the malware.
