Hackers have found a way to turn one of ChatGPT’s own features against its users. A newly identified campaign is using ChatGPT’s content-sharing tool to display convincing fake outage pages, pushing visitors toward a fake ChatGPT download that installs infostealer malware on their devices. The attack is especially dangerous because it never leaves a legitimate OpenAI domain.
How the LLMShare Campaign Works
The campaign, named “LLMShare” by researchers at Push Security, starts with a sponsored Google ad. Attackers buy ad placements targeting searches like “ChatGPT,” “ChatGPT desktop app,” or “ChatGPT download.” Anyone clicking one of these ads lands on a real chatgpt.com share link — the kind of URL that ChatGPT generates when a user shares a conversation.
But there is no conversation on the page. Instead, visitors see a polished outage notice claiming the web version is temporarily down due to high traffic. The message tells them to download the desktop app to keep using ChatGPT. It looks entirely legitimate, because technically, it is hosted on a legitimate domain.
What makes this possible is ChatGPT’s code-rendering feature. Attackers craft a prompt that generates a fully designed fake outage page using custom HTML and CSS. The page renders inside the shared chat just like any other content. Researchers noted that the “Show code” and “Remix with ChatGPT” controls are visible on the page, which is how they confirmed the outage notice was built from a prompt rather than any official OpenAI system.
The Fake Download Portal
Clicking the download button takes the victim to a separate site, openew[.]app, which impersonates OpenAI’s official desktop application download page. The site offers both macOS and Windows versions of the fake app. Both deliver infostealer malware designed to harvest credentials, session tokens, and other sensitive data from the infected device.
The site also uses cloaking to avoid detection. When automated security scanners visit the URL, they are shown a harmless AR/VR company website. Only real visitors, identified as likely targets, see the fake ChatGPT download page. This lets the malicious site stay active longer without being flagged by URL reputation tools.
Why This Attack Is Hard to Spot
Most security advice tells people to check the URL before clicking anything. That advice fails here. The page victims land on is genuinely hosted at chatgpt.com. There are no typosquatted domains, no unusual characters, and no obvious red flags in the address bar. The domain is one that browsers, security tools, and users all treat as trusted by default.
Security tools are largely built to flag suspicious websites. When malicious content is hosted on a domain with a strong reputation, those tools often pass right through it. Push Security researchers noted that traditional trust signals are becoming less reliable as attackers get better at exploiting legitimate platforms to do their dirty work.
This also is not the first time the LLMShare technique has appeared. Earlier versions of the campaign used shared ChatGPT conversations to deliver the Atomic macOS Stealer (AMOS) through a different method — embedding fake instructions that told users to paste a terminal command to install software. Claude.ai has been targeted too, with shared conversations posing as Apple Support installation guides that led users through running malicious commands without realizing it.
A Broader Problem With Shared AI Content
What connects all these attacks is the abuse of a feature that AI platforms built to be helpful. Sharing conversations is a genuine and useful function. Attackers are simply exploiting the trust that comes with a well-known domain to bypass the defenses users and security teams rely on.
For everyday users, the key takeaway is simple. ChatGPT does not advertise through Google search results. If a sponsored ad is promoting a ChatGPT download or directing you to the platform, treat it with suspicion regardless of where the link appears to lead. OpenAI does not notify users about outages through shared chat links, and the real desktop application is only available through official OpenAI channels.
Final Thoughts
The LLMShare campaign is a reminder that the threat landscape moves alongside the tools people use every day. As AI platforms grow in popularity, they become more attractive as delivery mechanisms for attacks. A fake ChatGPT download page hosted on a real OpenAI domain is exactly the kind of attack that catches people off guard, because nothing about it looks wrong until it is too late. Staying safe means applying skepticism to AI platforms with the same discipline you would to any other online service, trusted domain or not.
