ChatGPT Share Links Abused to Host Fake Outage Pages to Deliver Malware

A sophisticated malware campaign is using one of the most trusted domains on the internet — chatgpt.com — as its delivery infrastructure. The campaign, named LLMShare by the Push Security researchers who discovered it, exploits ChatGPT’s content-sharing feature to host pixel-perfect fake OpenAI outage pages that direct victims to download infostealer malware disguised as the legitimate ChatGPT desktop application.

Push Security confirmed active detections on 29 May 2026. The attack is delivered through Google ads targeting users who search for “ChatGPT,” directing them to a real chatgpt.com/s/ shared conversation URL — not a look-alike domain, not a typosquat, but the actual ChatGPT domain. Corporate firewalls, URL reputation filters, and browser safe-browsing systems see a legitimate OpenAI URL and wave it through.

LLMShare is a design-feature exploit rather than a software vulnerability. OpenAI cannot patch it without fundamentally changing how ChatGPT’s sharing system works. As of this writing, the fake outage pages are still accessible through the chatgpt.com/s/ sharing mechanism, and the attack pattern has been replicated across other AI platforms including Claude Artifacts and Grok shared conversations.

1. What Is LLMShare?

LLMShare is the name Push Security gave to the active campaign they discovered and publicly disclosed on 29 May 2026. It is a malvertising and social engineering campaign that exploits a fundamental characteristic of ChatGPT’s design: the ability for any user to create a shareable URL that renders arbitrary content — including custom-built HTML pages — on the legitimate chatgpt.com domain.

ChatGPT’s sharing feature works like this: users can click “Share” on any conversation, generating a public URL in the format chatgpt.com/s/[unique-id]. Anyone who visits that URL sees the shared conversation rendered through ChatGPT’s interface. The feature is designed for sharing helpful conversations, tutorials, and code examples.

LLMShare attackers subverted this feature by creating a conversation in which ChatGPT’s final response is a custom-rendered HTML page — a pixel-perfect fake OpenAI service outage notice — rather than a legitimate chat exchange. They then distributed the chatgpt.com/s/ link through paid Google advertising targeted at users searching for “ChatGPT,” “ChatGPT download,” and related queries.

The fake outage page reads: “We’re experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.” A prominent download button delivers a malicious installer rather than the ChatGPT desktop application.

2. How the Attack Works: Step by Step

Phase 1: Paid Search Ad Delivery

Attackers purchase Google Ads targeted at users searching for ChatGPT-related queries. The ad’s destination URL is a real chatgpt.com/s/ shared conversation link — not an attacker-controlled domain. Since the destination is a legitimate ChatGPT URL, Google’s ad policy review systems are less likely to flag it as malicious. The ad appears in search results above organic links, targeting users who are actively looking for ChatGPT (often because they have been directed to it for work or because their session has expired).

Phase 2: The Fake Outage Page on chatgpt.com

When the victim clicks the ad, they arrive at a genuine chatgpt.com/s/ URL. Instead of seeing a conversation, they see a professionally designed “service unavailable” page claiming the web version of ChatGPT is temporarily offline. The page is visually consistent with OpenAI’s design language — because it is rendered through ChatGPT’s own interface, using OpenAI’s actual CSS and design system.

The key technical detail: ChatGPT can render HTML content in its responses. Attackers exploited this capability to embed a complete, styled fake outage page as the “response” in a shared conversation. The rendering quality is high enough that users who land on this page through a Google ad — already expecting to use ChatGPT — do not register that something is wrong.

Phase 3: Malicious Download

The fake outage page presents a “Download Desktop App” button. Clicking this button triggers a download from attacker-controlled infrastructure (domains like openew[.]app have been identified in related campaigns). The downloaded file is a Windows or macOS installer that appears to be the ChatGPT desktop application but actually installs infostealer malware on the victim’s system.

Phase 4: Silent Credential and Session Theft

Once installed, the infostealer operates silently, harvesting browser-stored passwords, active session tokens (cookies), cryptocurrency wallet data, and application credentials. This data is exfiltrated to attacker-controlled servers, often within minutes of installation. The victim may never see any indication that malware was installed, particularly if the attacker’s payload avoids triggering Windows Defender or macOS Gatekeeper alerts.

3. The Malware Payload: What Gets Installed

Two infostealer malware families have been identified in connection with campaigns using this or closely related techniques in May–June 2026:

Odyssey Stealer (macOS)

Malwarebytes documented the macOS payload in concurrent operations as Odyssey Stealer, a fork of the well-documented Atomic macOS Stealer. Odyssey Stealer targets:

• Browser-saved passwords from Chrome, Firefox, Brave, Edge, and Safari
• Browser session cookies for all authenticated websites
• Cryptocurrency wallet data (seed phrases, private keys, wallet files)
• Active session tokens for SaaS applications
• Ledger and Trezor hardware wallet applications — replaced with trojanised versions that capture the seed phrase when the user connects their device
• macOS Keychain credentials

LummaC2 / Lumma Stealer (Windows)

Windows variants of the LLMShare campaign have delivered LummaC2, one of the most commercially widespread infostealer families in 2025–2026. LummaC2 features:

• Browser credential theft across all major Chromium and Gecko-based browsers
• Session cookie harvesting with particular focus on Google Workspace, Microsoft 365, and Slack sessions
• Cryptocurrency wallet targeting: MetaMask, Phantom, Coinbase Wallet, and 20+ additional wallets
• File collection of documents matching specific patterns (e.g., files named “seed,” “wallet,” “password,” “private key”)
• C2 communication encrypted and disguised as legitimate HTTPS traffic

The Stolen Data’s Journey

Stolen credentials from infostealer campaigns enter the criminal ecosystem rapidly. Credential bundles are typically available on underground Telegram channels and dark web marketplaces within hours of collection. Initial access brokers purchase these bundles and sell access to specific corporate accounts. Ransomware operators, business email compromise (BEC) actors, and cryptocurrency theft groups are the primary end buyers.

For a business that loses employee credentials to LLMShare, the downstream consequences can include: unauthorised access to corporate Microsoft 365 or Google Workspace accounts, ransomware deployment via compromised VPN or RDP credentials, financial fraud via BEC attacks, or cryptocurrency theft if any business wallets were present on the infected device.

4. Why It Bypasses Corporate Security Defences

LLMShare is significant not because of sophisticated malware — infostealers are a mature, well-studied threat category — but because the delivery mechanism bypasses essentially every URL-based defence in the typical enterprise security stack:

Web Proxy and URL Filtering

Corporate web proxies and URL filtering products (Zscaler, Palo Alto Prisma, Cisco Umbrella) categorise chatgpt.com as a legitimate, trusted AI platform. They will not block traffic to chatgpt.com/s/[anything] unless the organisation has explicitly blocked all of chatgpt.com (which most organisations have not done, as they permit or even encourage ChatGPT use). The malicious content is delivered through a URL that these systems are configured to trust.

Browser Safe Browsing

Google Safe Browsing and Microsoft SmartScreen maintain reputation databases of known malicious URLs. A chatgpt.com/s/ URL will not appear in these databases as malicious — it is a legitimate URL on a legitimate domain. The malicious content it renders is not indexed or evaluated by these reputation systems.

Email Security Gateways

If the chatgpt.com/s/ link were distributed via email (rather than Google ads, as in this campaign), email security gateways performing URL reputation checks and sandbox detonation would see the destination as chatgpt.com and likely pass it as safe.

Ad Network Policies

Google Ads policies prohibit malicious advertising, but the policy enforcement mechanism evaluates the advertised URL. The advertised URL in this campaign is a legitimate ChatGPT link — not an attacker domain. The malicious content is one click deeper, making automated policy enforcement substantially harder.

As Push Security’s analysis noted, “The key to this campaign is the reliance on user trust. A fake outage page sitting inside a real ChatGPT share link feels much more believable than a random phishing site, which lowers suspicion quickly. The user sees a trusted domain, a familiar product, and a plausible reason to download something.”

5. The Broader Pattern: AI Platforms as Attack Infrastructure

LLMShare is not an isolated technique. Push Security documented the same fundamental pattern across three major AI platforms in 2026 alone, and the campaign’s research shows that the technique is being actively scaled across the AI platform ecosystem:

Claude Artifacts (Anthropic)

Claude Artifacts, Anthropic’s feature for sharing rendered web applications built with Claude, has been used to host ClickFix-style malware lures. Attackers create shared artifacts that impersonate software installation guides and instruct users to copy-paste and execute malicious PowerShell or bash commands. The artifact is delivered from claude.ai, Anthropic’s domain, lending it institutional credibility.

Grok Shared Conversations (xAI)

Grok’s shared conversation feature has been used for social engineering scripts — shared conversations that impersonate IT support interactions and guide victims toward installing remote access tools or executing malicious commands. The Grok branding and xAI domain convey an authority that random phishing pages cannot replicate.

The Structural Problem

All of these attacks exploit the same structural characteristic: major AI platforms now serve as trusted content delivery systems for millions of users. The AI product’s domain carries significant reputational trust that security systems have been configured to extend. Anything rendered through that domain inherits the trust — including attacker-controlled content.

As Security Boulevard noted, “This is one example of a much broader pattern that has become one of the defining characteristics of the 2026 threat landscape: attackers systematically abusing legitimate platforms as attack infrastructure.” The evolution from malicious-domain-hosted lures to trusted-platform-hosted lures represents a meaningful capability upgrade for attackers, one that security infrastructure has not yet caught up with.

6. Real-World Impact: What Attackers Do With Stolen Sessions

Session cookie theft — the primary output of LLMShare’s infostealer payload — is particularly dangerous because it bypasses authentication entirely. An attacker who has stolen your active Google Workspace session cookie does not need your password or your MFA token. They authenticate as you, with your existing session, from their infrastructure.

The specific risks for businesses in Saudi Arabia and the GCC region include:

• Microsoft 365 account takeover — access to email, SharePoint files, Teams messages, OneDrive documents, and the ability to add attacker-controlled MFA devices to lock out the legitimate user
• Google Workspace compromise — Gmail, Drive, Docs, and Google Cloud console access if the organisation uses GCP
• ERP and business application access — session tokens for SAP, Oracle, Odoo, or other business applications that use browser-based authentication
• VPN and remote access systems — session tokens for Cisco Anyconnect, Palo Alto GlobalProtect, and similar systems that use web-based authentication flows
• Banking and payment portals — corporate banking sessions, Moyasar or PayTabs merchant accounts, or any financial platform authenticated through a browser
• ZATCA and government portals — Fatoora (e-invoicing), Qiwa (HR compliance), and other Saudi government digital services where business accounts are authenticated through browsers

7. How to Protect Your Organisation

Protection against LLMShare and similar campaigns requires a layered approach. No single control is sufficient because the attack has been deliberately designed to defeat single-layer URL-based defences.

Endpoint Protection

• Deploy modern EDR — Endpoint detection and response solutions with behavioural analysis can detect infostealer activity (registry reads, browser database access, network exfiltration) even if the initial payload is not signature-detected
• Application allowlisting — Prevent execution of downloaded executables that are not on an approved application list; this breaks the install phase of the campaign
• Block execution from Downloads folder — Many infostealers are executed directly from the browser download location; blocking exec from %USERPROFILE%\Downloads (Windows) or ~/Downloads (macOS) stops this class of attack

User Awareness

• Train users to navigate directly to chatgpt.com rather than clicking Google ads, particularly for productivity tools they use regularly
• Establish a clear rule: legitimate services never prompt you to download a desktop app when their website is experiencing issues. Service outages do not require you to download software
• Warn users that chatgpt.com/s/ links can show arbitrary content — a shared link from an unknown source is not equivalent to the official ChatGPT interface

Network Controls

• Consider restricting access to AI platform sharing URLs (chatgpt.com/s/) in corporate environments where the sharing feature is not required for business use
• Block known malicious download domains identified in threat intelligence feeds (e.g., openew[.]app and similar domains used in LLMShare campaigns)
• Monitor DNS queries for newly registered domains that pattern-match AI product names (chatgpt*, openai*, anthropic*, etc.)

Authentication Hardening

• Implement hardware security key (FIDO2) MFA for all critical business accounts — hardware key MFA is phishing-resistant and significantly harder to defeat even with stolen session cookies, because session binding and device attestation mechanisms make cookie replay more difficult
• Enable Google’s Device Bound Session Credentials (DBSC) for Chrome users — this feature, which became generally available in May 2026, cryptographically binds sessions to a specific device, making stolen session cookies unusable on attacker-controlled machines
• Configure short session lifetimes for critical applications — reducing the window during which a stolen session token remains valid

8. OpenAI’s Position and Platform Design Dilemma

As of 1 June 2026, neither OpenAI nor Anthropic had issued a public statement addressing the abuse of their sharing features. This silence reflects the genuinely difficult position these companies are in: the sharing feature being abused is not a software vulnerability. It is a designed capability — the ability to share rendered conversations with anyone via a URL — that attackers have found a way to weaponise.

Fixing LLMShare without breaking the sharing feature entirely requires OpenAI to make difficult product decisions. Potential mitigations they could implement include:

• Content scanning on shared pages — automatically scan shared conversations for HTML pages that impersonate OpenAI branding or service outage patterns
• Clear visual indicators on shared content — add persistent visual cues that distinguish shared user-generated content from official OpenAI interfaces
• Rate limiting and abuse detection on shared URLs — detect URLs that receive unusual traffic volumes from paid advertising and review them
• Restricting HTML rendering in shared conversations — limit the richness of HTML that can be rendered through the sharing mechanism

Each of these mitigations involves trade-offs that reduce the utility of the sharing feature. This is the fundamental tension: the feature that makes ChatGPT’s sharing powerful for legitimate users is the same feature that makes it powerful for attackers. Until OpenAI resolves this tension, the technique remains available to threat actors.

9. Frequently Asked Questions

Conclusion

LLMShare represents a meaningful evolution in malware delivery technique: the shift from attacker-controlled infrastructure to trusted-platform-hosted content. By exploiting ChatGPT’s content-sharing feature to deliver malware lures through the legitimate chatgpt.com domain, attackers have effectively neutralised the URL-reputation defences that form the backbone of most enterprise web security stacks.

The attack is ongoing, the technique is being replicated across other AI platforms, and there is no immediate fix available from OpenAI. For organisations in Saudi Arabia and globally, the appropriate response is to strengthen endpoint controls (EDR, application allowlisting), implement phishing-resistant MFA, enable DBSC where available, and run security awareness training that specifically addresses the threat of sponsored Google ads delivering malware through trusted AI platform domains.

The broader lesson is structural: as AI platforms become increasingly trusted content delivery systems for everyday work, attackers will systematically probe them for features that can be weaponised. Security policies and controls need to evolve at the same pace.