
LLMShare Campaign Weaponises ChatGPT Sharing Feature to Distribute Malware

TL;DR HIGH
  • What happened: Attackers use ChatGPT's share links to serve fake outage pages that deliver malware.
  • Who's at risk: General users searching for ChatGPT who trust legitimate chatgpt.com URLs and may download a fake desktop application.
  • Act now: Block or monitor downloads originating from chatgpt.com/s/ share links in enterprise environments · Educate users that OpenAI does not use outage notices to prompt application downloads · Verify software downloads exclusively through official, bookmarked OpenAI channels — not via search ads

Overview

A threat actor campaign dubbed LLMShare, identified by Push Security, is exploiting ChatGPT’s built-in content-sharing feature to host convincing fake service-outage pages from within the legitimate chatgpt.com domain. Users are funnelled to these pages via malicious Google advertisements targeting ChatGPT-related search queries, then prompted to download malware disguised as an official ChatGPT desktop application. The significance of this campaign lies in its abuse of trusted infrastructure: the phishing lure is served from OpenAI’s own domain, substantially undermining URL-based security controls.

Technical Analysis

The attack chain operates in four stages:

  1. Ad-based lure: Threat actors purchase Google ads targeting users searching for ChatGPT, directing clicks to a shared ChatGPT page at a chatgpt.com/s/ URL.
  2. Fake outage rendering: The shared page contains attacker-authored HTML and CSS rendered by ChatGPT’s own output engine. Visible “Show code” and “Remix with ChatGPT” controls confirm the content is generated via a crafted prompt — not a compromised OpenAI system. The rendered message falsely claims the web version is unavailable due to high traffic and urges users to download a desktop client.
  3. Cloaked download portal: Clicking the download button redirects to openew[.]app, an OpenAI impersonation site. The site employs cloaking: security scanners and crawlers are served a benign AR/VR company page, while targeted victims receive the malicious download portal.
  4. Payload delivery: Both macOS and Windows installers are offered. Sandbox analysis of the Windows binary shows it executes environment-fingerprinting commands consistent with virtual machine detection, a common infostealer evasion technique.

No confirmed payload family has been attributed, but prior campaigns exploiting AI platform sharing features have distributed credential-harvesting infostealers.

Framework Mapping

  • AML.T0047 (ML-Enabled Product or Service): The attack directly weaponises ChatGPT’s sharing and rendering capabilities as malicious delivery infrastructure.
  • AML.T0043 (Craft Adversarial Data): The attacker crafts a prompt specifically designed to produce deceptive HTML output that mimics a legitimate outage notice.
  • AML.T0015 (Evade ML Model): Cloaking techniques are used to evade automated security scanning, analogous to adversarial evasion of detection systems.
  • LLM02 (Insecure Output Handling): ChatGPT renders attacker-supplied HTML without preventing its use as a social-engineering lure on OpenAI’s own domain.
  • LLM09 (Overreliance): End users over-rely on domain legitimacy (chatgpt.com) as a trust signal and fail to scrutinise the page content itself.

Impact Assessment

The campaign targets a broad, non-technical user base actively seeking to use ChatGPT. The use of a legitimate OpenAI domain defeats URL reputation checks and browser-based phishing warnings. Enterprises relying on domain allowlists may inadvertently permit access to malicious share pages. If infostealer payloads are confirmed, affected organisations face credential theft, session hijacking, and downstream account compromise.

Mitigation & Recommendations

  • Block unknown downloads from chatgpt.com/s/ paths in corporate web proxy and DLP policies.
  • Deploy endpoint detection capable of identifying VM-evasion behaviours flagged during the Any.Run analysis.
  • User awareness training: Reinforce that legitimate services do not use outage banners to redirect users to downloadable installers.
  • Verify ChatGPT desktop downloads exclusively via openai.com official pages accessed through saved bookmarks, not search engine results.
  • Report abusive share links to OpenAI’s abuse reporting channel to accelerate takedown of malicious chatgpt.com/s/ pages.
  • OpenAI should consider sandboxing rendered HTML output in shared pages to prevent full DOM rendering of attacker-controlled markup.
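The first two mitigations above (block or monitor installer downloads reached through chatgpt.com/s/ share pages) can be expressed as a simple proxy-log detection over the four-stage chain described in the Technical Analysis. The following is an added example written for this briefing, not code from Push Security or OpenAI; it assumes tab-separated proxy logs with the fields timestamp, user, url, referer, content_type, and the log lines, user names and the official-download host list are constructed sample data.

```python
"""Detection sketch: installer downloads reached via chatgpt.com/s/ share pages.

Assumed log format (not from the briefing): tab-separated fields
timestamp, user, url, referer, content_type. All sample data is constructed.
"""
from urllib.parse import urlparse

# File extensions / MIME types the macOS and Windows installers would carry.
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg", ".zip")
INSTALLER_TYPES = {"application/x-msdownload", "application/x-apple-diskimage"}
# Assumption: the only hosts a ChatGPT desktop installer should legitimately come from.
OFFICIAL_DOWNLOAD_HOSTS = {"openai.com", "www.openai.com"}


def is_share_link(url):
    """True for a ChatGPT shared-conversation URL (chatgpt.com/s/...)."""
    p = urlparse(url)
    return p.hostname == "chatgpt.com" and p.path.startswith("/s/")


def is_installer(url, ctype):
    return urlparse(url).path.lower().endswith(INSTALLER_EXT) or ctype in INSTALLER_TYPES


def parse(line):
    ts, user, url, referer, ctype = line.rstrip("\n").split("\t")
    return {"ts": ts, "user": user, "url": url, "referer": referer, "ctype": ctype}


def detect(lines):
    """Return (user, url, referer) for each installer download from a non-official
    host whose referer is a share link, or whose host the same user first reached
    by following a share link (the cloaked-portal hop in stage 3)."""
    alerts = []
    reached_via_share = {}  # user -> hosts landed on with a chatgpt.com/s/ referer
    for rec in map(parse, lines):
        host = urlparse(rec["url"]).hostname or ""
        if is_share_link(rec["referer"]):
            reached_via_share.setdefault(rec["user"], set()).add(host)
        if is_installer(rec["url"], rec["ctype"]) and host not in OFFICIAL_DOWNLOAD_HOSTS:
            if is_share_link(rec["referer"]) or host in reached_via_share.get(rec["user"], set()):
                alerts.append((rec["user"], rec["url"], rec["referer"]))
    return alerts


# Constructed sample log: alice follows the ad -> share page -> portal -> installer chain;
# bob downloads from openai.com; carol only views a benign share page.
SAMPLE_LOG = [
    "2025-01-01T10:00:00\talice\thttps://chatgpt.com/s/abc123\thttps://www.google.com/\ttext/html",
    "2025-01-01T10:00:05\talice\thttps://openew.app/download\thttps://chatgpt.com/s/abc123\ttext/html",
    "2025-01-01T10:00:09\talice\thttps://openew.app/ChatGPT-Setup.exe\thttps://openew.app/download\tapplication/x-msdownload",
    "2025-01-01T10:02:00\tbob\thttps://openai.com/chatgpt/download/ChatGPT.dmg\thttps://openai.com/chatgpt/download\tapplication/x-apple-diskimage",
    "2025-01-01T10:03:00\tcarol\thttps://chatgpt.com/s/xyz789\thttps://www.google.com/\ttext/html",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT share-link installer download:", alert)
```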
