The LLMShare Campaign: How It Works

Threat actors have found a new way to weaponise AI platforms: they abuse ChatGPT's content-sharing feature to display fake OpenAI outage pages that direct users to download malware disguised as the ChatGPT desktop application. The campaign, dubbed LLMShare, was discovered by security researchers at Push Security and represents an evolution in phishing techniques that bypass traditional detection methods.

Unlike conventional phishing attacks that rely on attacker-controlled infrastructure, LLMShare operates from a legitimate OpenAI domain. The attackers create a custom HTML page using ChatGPT's rendering capabilities and publish it through a shared chatgpt.com/s/ link. The fake outage notice is displayed from a URL that begins with chatgpt.com — a domain that email filters, URL scanners, and security platforms are trained to trust.

Visitors who land on the page see a professional-looking outage message: "We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue." This message is rendered entirely within ChatGPT's own interface, complete with "Show code" and "Remix with ChatGPT" controls that reveal the underlying custom HTML and CSS.

The Infection Chain: From Google Ad to Malware

The attack follows a multi-stage infection chain designed to evade detection at every step:

Step 1: Malicious Google Advertising. Attackers purchase Google Ads that appear when users search for ChatGPT-related terms. These sponsored results appear at the top of Google Search, giving them visibility indistinguishable from legitimate ads.

Step 2: Redirect to Legitimate ChatGPT URL. Clicking the ad takes the user to a real ChatGPT shared page at chatgpt.com/s/.... Because the traffic arrives at a genuine OpenAI domain, most security scanners and URL reputation systems pass it without a second look.

Step 3: Rendered Fake Outage Notice. Instead of a normal ChatGPT conversation, the page displays the fake outage message. The browser URL bar shows chatgpt.com — a domain most users implicitly trust.

Step 4: Drive to Malicious Download. The fake outage page includes a prominent download button. Clicking it redirects the user to openew[.]app, a site that impersonates OpenAI's official desktop application download portal. This site offers both macOS and Windows downloads.

Step 5: Payload Delivery. The downloaded files install malware on the victim's device. BleepingComputer's analysis of the Windows variant confirmed that it executes various anti-analysis commands to determine whether the device is a legitimate computer or a virtual machine — a common evasion technique.

This campaign is particularly dangerous because the ChatGPT share link infrastructure provides a cloak of legitimacy that makes traditional phishing detection tools ineffective.

Claude Artifacts: The Same Technique, Expanded

Push Security also observed attacks abusing Claude Artifacts, Anthropic's feature for sharing rendered applications and content. These attacks host ClickFix-style lures that trick users into executing malicious commands.

Previous campaigns have abused shared ChatGPT and Grok conversations to deliver the AMOS infostealer on macOS. The Claude artifacts attack uses a similar pattern: Google Ads direct users to a publicly shared Claude artifact that appears to offer helpful guides for common tasks such as "online DNS resolver" or "macOS CLI disk space analyzer." Instead of safe instructions, users are prompted to paste a shell command into macOS Terminal. Researchers at Moonlock Lab and AdGuard documented over 10,000 users accessing these malicious Claude artifacts.

The shell command decodes and executes a malware loader that delivers the MacSync infostealer, which exfiltrates sensitive information from the victim's device — including browser-stored credentials, cryptocurrency wallets, and keychain data.

Why AI Platform Sharing Features Are a New Phishing Vector

AI content-sharing features present a unique challenge for security teams and end users for several reasons:

Trusted Infrastructure. Content served from chatgpt.com, claude.ai, or grok.com benefits from the reputation of some of the most visited domains on the internet. Email filters that would flag a suspicious link to an attacker-controlled domain routinely pass links to legitimate AI share pages.

Dynamic Content Renders at the Edge. Unlike static phishing pages that can be crawled and catalogued by URL scanning services, AI-shared content is generated dynamically. The content you see after clicking a ChatGPT share link is rendered by ChatGPT's own infrastructure, not by the attacker's server. This means conventional URL reputation systems cannot inspect the content before delivering it to the user.

Low Cost, High Scale. Creating a ChatGPT share link is free and takes minutes. Attackers can generate hundreds of share links, each targeting different search terms, and each link benefits from the full legitimacy of the OpenAI domain.

No Technical Exploitation Required. The LLMShare campaign does not exploit any vulnerability in ChatGPT or Claude. It uses the platforms exactly as designed — sharing user-generated rendered content. This makes it difficult for AI companies to block without restricting legitimate sharing functionality.

Three-Step Protocol for Avoiding AI-Platform Phishing

Step 1: Navigate directly, never through ads. If you want to download the ChatGPT desktop app, navigate directly to openai.com by typing the address in your browser. Never use Google search ads as a shortcut to download any application. This single habit eliminates the entry point for the entire attack chain.

Step 2: Verify the download domain. Even if a link takes you to chatgpt.com/s/xyz, that page can contain links to download sites on entirely different domains. Before downloading any file, check that you are on the software vendor's official domain. For ChatGPT, the official download is at openai.com/download or through official app stores.

Step 3: Never execute commands from AI conversations. If you open a shared ChatGPT conversation or Claude artifact that asks you to copy and paste a shell command into Terminal or Command Prompt, stop immediately. Legitimate software never requires you to run terminal commands from a web page. If you are unsure about the safety of instructions in an AI conversation, ask the AI directly: "Are these instructions safe to execute?" As Kaspersky researchers noted, asking this follow-up question in the same conversation reveals the malicious intent.

Password Security After AI-Platform Exposure

If you suspect you have downloaded malware from a campaign like LLMShare, your passwords may already be compromised. Infostealers like AMOS and MacSync target browser password stores, cryptocurrency wallets, and keychain data.

Follow these steps:

• Change all passwords immediately using a password manager with a CSPRNG-generated unique password for each site. See our guide on what to do after a phishing attack for the full response protocol.
• Enable phishing-resistant MFA on all critical accounts. Our MFA comparison guide explains which methods actually resist AiTM phishing.
• Run a full malware scan using a reputable antivirus solution — Windows Defender or Malwarebytes for Windows, Malwarebytes for macOS.
• Use a unique password generator like the Trusty Password Credential Guard to create strong, random passwords for every account. A unique password per account means one breach cannot cascade into multiple compromises.

Key Takeaways

The LLMShare campaign demonstrates that AI platform sharing features have become a legitimate phishing vector. Attackers are now using the trust that users place in ChatGPT, Claude, and Grok domains against them. The most effective defence is not technical — it is behavioural. Navigating directly to official websites, verifying download domains, and never executing commands from shared AI conversations remain the strongest protections.

As the NCSC and CISA continue to warn about evolving phishing threats, users must extend their security awareness to include AI platforms. The same principles that protect against traditional phishing — verify before you trust, navigate directly, use unique passwords — apply equally well when the attacker is using a ChatGPT share link as their weapon.

Frequently Asked Questions

What is the LLMShare phishing campaign?

The LLMShare campaign, discovered by Push Security, abuses ChatGPT's content-sharing feature to display fake OpenAI outage notices. These pages are hosted on legitimate chatgpt.com/s/ URLs and trick users into downloading malware disguised as the ChatGPT desktop application.

How do attackers get users to the fake ChatGPT pages?

Attackers purchase Google Ads that appear when users search for ChatGPT-related terms. Clicking these ads takes users to the malicious shared ChatGPT pages, bypassing traditional phishing filters because the traffic arrives at a legitimate OpenAI domain.

Can the malware be detected by antivirus software?

Early detection is possible but not guaranteed. The LLMShare campaign uses anti-analysis techniques including virtual machine detection and cloaking — the malicious download site only displays its true content to users it has validated as real targets, while showing an unrelated AR/VR company page to security scanners like URLScan.

Has the same technique been used on other AI platforms?

Yes. Push Security observed the same technique used on Claude Artifacts (Anthropic) for ClickFix-style attacks. Previous campaigns have also abused shared ChatGPT and Grok conversations to deliver the AMOS infostealer on macOS through fake software installation guides.

What is the single most effective defence against this type of attack?

Navigate directly to official websites by typing the URL yourself. Never click search ads or shared links to download software, and never execute shell commands from an AI conversation. These two habits independently prevent the vast majority of AI-platform phishing attacks regardless of how convincing the fake outage page appears.