Hackers Hide Malware Inside Real ChatGPT.com Share Links

The malicious link starts on a domain everyone trusts—chatgpt.com itself. That is what makes LLMShare a defensive nightmare. Web filters that block "suspicious newly registered domains" wave the URL through because it is OpenAI's. The browser address bar shows the green padlock. The phishing payload is the conversation content, not the page itself, and ChatGPT shared links faithfully render whatever HTML and CSS the original conversation produced. By the time the user reaches the fake download button, every browser signal says they are safe.

Key Takeaways

• Push Security published the LLMShare campaign disclosure on May 29, 2026, documenting attackers hosting fake OpenAI outage pages on real chatgpt.com/s/ shared conversation URLs.
• Victims arrive via Google ads keyed to ChatGPT search terms; the ad's destination is the real ChatGPT shared link, so URL-based reputation defenses see a trusted domain.
• The shared conversation renders custom HTML and CSS that mimics OpenAI's site, then presents a fake outage message: "We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue."
• The download button routes users to openew[.]app, which uses cloaking technology to deliver platform-specific installers for both Windows and macOS; the Windows binary executes VM detection commands to evade sandbox analysis.
• Push Security has previously documented near-identical campaigns abusing Claude Artifacts and shared Grok conversations, indicating that "trusted AI domain hosting attacker content" is now a recurring delivery pattern.

How Does LLMShare Actually Work?

The attack chain has five stages, all crafted to keep the user on legitimate infrastructure for as long as possible:

1. Google Ads malvertising. The attacker buys ad placements against keywords like "ChatGPT," "ChatGPT download," and "ChatGPT desktop app." Google's ad system displays the ad in the sponsored results above legitimate openai.com links.
2. Click lands on a real ChatGPT share URL. The ad destination is a chatgpt.com/s/<id> URL—a real ChatGPT shared conversation that the attacker created themselves by asking ChatGPT to produce HTML mimicking an outage page.
3. Rendered HTML payload. ChatGPT renders the conversation contents faithfully, including a full-page outage banner styled to look like an OpenAI maintenance message and a prominent "Download desktop app" button.
4. Redirect to openew[.]app. Clicking the button leaves chatgpt.com for openew[.]app, an attacker-controlled domain designed to look like an OpenAI download portal.
5. Platform-specific installer. openew[.]app fingerprints the visitor's operating system and serves a Windows .exe or a macOS .dmg. Both contain an infostealer; the Windows variant runs VM detection commands to avoid executing inside sandboxes that security researchers use.

According to BleepingComputer's coverage of the Push Security analysis, the only moment where a defender has an obvious cue is the final redirect to openew[.]app—everything before that is on trusted infrastructure.

Why Are ChatGPT Share Links Dangerous in the First Place?

ChatGPT's share feature was designed to make conversations referenceable. You ask the model something useful, you click Share, and you get a URL anyone can open to see the same conversation. The product is unequivocally useful—it is how researchers, journalists, and engineers point each other at noteworthy outputs. The problem is that the conversation contents can include arbitrary HTML and CSS, because ChatGPT's text-to-render pipeline does not strip styling or layout markup the way a typical paste-into-the-web-app text editor would.

That means an attacker can construct a conversation whose final assistant turn is a full pixel-perfect impersonation of any web page they choose. The visual fidelity is high enough that a hurried user—someone who clicked a sponsored Google result for "ChatGPT" because their session timed out—will not register the distinction between "this is ChatGPT showing me OpenAI's outage page" and "this is OpenAI's outage page."

Push Security has documented the same pattern in three AI products in 2026 alone: Claude Artifacts hosting ClickFix-style malware lures, shared Grok conversations running social engineering scripts, and now ChatGPT share links delivering LLMShare. The defense gap is universal—any AI product that lets users render arbitrary HTML to other users has just become a content delivery network for whatever the attacker can write.

What Should Defenders Block Today?

For SOC teams and IT administrators, three immediate controls reduce LLMShare exposure:

• Block openew[.]app at the DNS and web proxy layer. The domain is the only attacker-controlled choke point in the chain; everything upstream of it is on chatgpt.com.
• Add detections for executable downloads originating from chatgpt.com referrers. ChatGPT itself does not distribute desktop installers from its share URLs—any download that claims to is malicious by definition.
• Tighten Google Ads link policy in your security awareness training. The campaign relies entirely on the sponsored result being clicked instead of the organic result. Users who reach openai.com by typing the URL directly never see LLMShare.

If your environment uses AI tools heavily, the policy decision worth making explicit is whether shared AI conversation URLs from external sources should ever be opened in a browser that has access to corporate credentials. Push Security's documented attack chain works because the same browser holds both the malicious render surface and the credential store the infostealer will eventually exfiltrate. Browser isolation for shared AI links is the cleanest mitigation.

How Does This Compare to Earlier ChatGPT Abuse?

LLMShare is the third major ChatGPT abuse campaign that Push Security has documented in 2026. The first was the prompt injection class described in our coverage of ChatGPhish, Permiso's markdown rendering phishing technique, in which a web page could phish a user through ChatGPT. The second was ChatGPT DNS exfiltration, where Check Point researchers showed how an attacker could exfiltrate data using ChatGPT's network egress. LLMShare is the third pattern: the AI product as a hosting platform for traditional malvertising.

All three campaigns share a structural insight. AI products are now sufficiently trusted by users, by web filters, and by ad networks that the same techniques that worked through "newly registered domain" delivery in 2018 are starting to work through "trusted AI domain hosts attacker content" delivery in 2026. The blast radius is also wider, because the AI product surface area includes hundreds of millions of users who already trust it enough to paste sensitive information into it.

What Should ChatGPT Users Do?

For end users:

1. Bookmark openai.com and chatgpt.com directly. Never reach the products through a Google search or sponsored ad result. Malvertising for "ChatGPT" has been documented continuously for at least two years.
2. Treat any "download the desktop app" prompt on a chatgpt.com/s/ URL as malicious. The legitimate ChatGPT desktop application is distributed only through openai.com directly and through the platform app stores.
3. Watch your inbox. If you ever entered an email address into a malicious LLMShare lure, the operator now has a verified live address paired with intent ("interested in ChatGPT downloads") and will follow up with phishing emails carrying tracking pixels. Gblock blocks the invisible tracking pixels in Gmail so an attacker cannot confirm the address is live and cannot tune their next lure based on whether you opened it.

The Pattern Is Spreading

Push Security's three published campaigns this year point at a generalizable problem. Any platform that combines (a) a high-trust domain, (b) user-generated content that can include HTML/CSS, and (c) shareable URLs has the same vulnerability surface that ChatGPT does. That set already includes Notion, Google Sites, GitHub Pages, Medium, Substack, and every major AI vendor's share feature. The defensive question for the next twelve months is not "how do we block bad domains" but "how do we treat trusted domains as untrusted when the content they host is user-generated."