Hackers Are Weaponizing ChatGPT's Own Domain to Deliver Malware — Here's What Your Business Needs to Know

Your web filters trust OpenAI's domain. That's exactly what attackers are counting on.

A newly identified campaign called LLMShare is exploiting ChatGPT's built-in content-sharing feature to serve convincing fake outage pages — hosted directly on chatgpt.com — that trick employees into downloading malware disguised as the official ChatGPT desktop application. Discovered by researchers at Push Security and first reported on May 29, 2026, the attack is still generating live detections across enterprise environments.

This isn't a hypothetical. It's happening right now, and it's targeting the kind of businesses InfoSight serves every day.

What Is the LLMShare Attack — and Why Is It So Dangerous?
The LLMShare campaign works by exploiting a legitimate feature of ChatGPT: the ability to share conversations via public links in the format chatgpt.com/s/[unique-id]. When those links are opened, ChatGPT renders any HTML and CSS code embedded in the conversation — a capability originally designed so developers could preview web layouts.

Attackers figured out how to use this to their advantage.
Here's the attack chain, step by step:

A malicious Google ad appears when a user searches for "ChatGPT download" or similar terms.

The ad leads to a legitimate ChatGPT shared page — hosted on OpenAI's own domain, chatgpt.com.

Instead of a conversation, the user sees a professionally rendered fake outage notice that reads: "We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue."

The user, trusting the OpenAI domain, clicks the download button and is sent to a lookalike site at openew[.]app.

The site delivers malicious installers for both Windows and macOS — likely infostealer variants designed to harvest credentials, session tokens, and sensitive data.

What makes this particularly insidious is the cloaking layer. When security scanning tools like URLScan visit the malicious download site, they see a harmless AR/VR company website — not the fake ChatGPT portal. The malicious content is only shown to real, targeted victims. The Windows payload even checks for virtual machine environments, a clear sign of mature, evasion-aware malware.

Why Traditional Web Filters Won't Save You
This is the core problem: the attack is delivered from a legitimate domain your organization probably trusts.

Corporate firewalls and web filters are designed to block known-bad URLs and suspicious domains. When the initial malicious link resolves to chatgpt.com — a domain your security stack almost certainly allowlists — the attacker has already bypassed your first line of defense.

This isn't a flaw that OpenAI can patch quickly. The technique exploits a design feature, not a software vulnerability. ChatGPT's sharing system renders HTML and CSS by design. Changing that would fundamentally alter how the product works.

As of the time of publication, neither OpenAI nor Anthropic had issued a public statement addressing the abuse of their platforms' sharing features.

This Isn't an Isolated Incident — AI Platforms Are a Growing Attack Surface

LLMShare is part of a broader, accelerating trend. Threat actors have increasingly turned AI platforms' sharing and collaboration features into malware delivery infrastructure.

Earlier in 2026, attackers used Google ads to redirect users searching for Claude downloads to shared Claude conversations containing malicious installation instructions.

Separate campaigns abused shared ChatGPT and Grok conversations to conduct ClickFix attacks — impersonating software installation guides that instructed victims to execute commands that installed malware.

The pattern is consistent: attackers borrow the credibility of a trusted AI brand, use that platform's own sharing tools to host the content, and rely on users' habit of trusting familiar domains.

Who Is Most at Risk?
Any organization where employees regularly use AI tools — particularly those who may download software without going through IT — is vulnerable. That said, certain sectors face elevated exposure:

Financial Services: High-value credential targets; employees frequently use AI tools for productivity.

Healthcare: Sensitive patient and operational data make infostealers especially damaging.

Manufacturing: OT/IT convergence means a single compromised endpoint can have operational consequences far beyond the initial infection.

What You Can Do Right Now: 5 Protective Steps

1. Audit Your AI Platform Allow-Lists
Blanket trust of chatgpt.com, claude.ai, or similar domains is no longer sufficient. Work with your security team to ensure that traffic to AI platforms is logged and that unusual download activity from these domains triggers an alert.

2. Block Unapproved Software Downloads at the Endpoint
Endpoint controls should prevent the installation of software that hasn't been vetted by IT. Policies that flag or block executables downloaded from AI-adjacent domains are a practical first step.

3. Conduct Targeted Security Awareness Training
Employees need to know that a page can look official — including the URL — and still be malicious. Train your staff specifically on AI-based social engineering, not just generic phishing. Show them what a fake outage page looks like.

4. Verify Downloads Through Official Channels Only
Establish a clear policy: ChatGPT, any AI desktop application, or productivity software should only be downloaded from the vendor's official homepage — never from a link in a search ad or a shared conversation.

5. Review Your Detection Rules for Infostealer Behavior
LLMShare-delivered payloads behave like infostealers: they query the registry for installed security software, check for VM environments, and harvest browser-stored credentials. Make sure your EDR and SIEM rules are tuned to flag this behavior, especially from processes spawned by newly downloaded executables.

The Bottom Line for Enterprise Security Leaders
The LLMShare campaign is a signal, not an outlier. As AI tools become embedded in day-to-day business operations, they also become embedded in the attack surface. Threat actors are not waiting for AI platforms to be secure — they're adapting faster than most organizations are updating their defenses.

Trusted domains are no longer safe domains. The question isn't whether your employees will encounter AI-based social engineering — it's whether your organization is prepared when they do.

InfoSight helps mid-to-large enterprises in manufacturing, financial services, and healthcare get ahead of emerging threats before they become incidents. Our team specializes in security assessments, identity and access management, and proactive threat intelligence tailored to your industry.