TrollEye Security

Attackers Are Weaponizing ChatGPT and Claude Share Links to Deliver Malware

How the LLMShare Campaign Hides Malware Behind ChatGPT and Claude's Own Domains

Researchers at Push Security have identified a live malvertising campaign dubbed “LLMShare” that abuses the content-sharing features of ChatGPT and Claude to host malware delivery pages on domains that every URL reputation system on the internet considers trustworthy.

The attack is actively generating detections, and the technique represents a meaningful shift in how threat actors are engineering their delivery chains.

How the Attack Works: A Fake Page Inside a Trusted URL

The campaign begins with a sponsored Google advertisement targeting users who search for terms like “chatgpt,” “chat gpt,” or common misspellings. Clicking the ad takes the victim not to an attacker-controlled website, but to a legitimate chatgpt.com/s/ URL, a shared content link on OpenAI’s own domain. What renders at that URL, however, is a professionally designed fake outage notice built entirely from custom HTML and CSS, rendered through ChatGPT’s own code output feature.

The fake notice tells visitors the web version of ChatGPT is unavailable due to high traffic and prompts them to download the desktop application instead. A download button on the page redirects users to openew[.]app, a convincing clone of OpenAI’s official download portal, complete with macOS and Windows download options, OpenAI branding, and a Chrome extension section. Both the macOS and Windows files delivered through this page have been flagged on VirusTotal as malware.

The site also employs cloaking. When automated scanning tools like URLScan visit the download URL, they are redirected to a generic AR/VR company website with no connection to ChatGPT. Only real users in a browser are shown the malicious download page. This selective rendering makes the infrastructure significantly harder for security teams and threat intelligence platforms to detect and shut down. The malware itself employs an additional layer of evasion: BleepingComputer’s analysis of the Windows payload found it executes commands to determine whether it is running on a real machine or inside a virtual machine, allowing it to avoid triggering sandbox-based detection systems.

The Claude Variant: Same Playbook, Different Platform

Alongside the ChatGPT-rendered-page variant, Push Security also detected attacks abusing shared Claude.ai conversations. These follow a pattern that was previously reported by BleepingComputer: a shared chat disguised as a “Claude Code on Mac” installation guide, falsely attributed to “Apple Support,” containing a curl command that downloads and executes malware when the victim pastes it into their terminal.

The fact that both ChatGPT and Claude variants are surfacing in the same wave of customer detections suggests a coordinated campaign, or at minimum a shared operational playbook, that is actively experimenting across platforms to identify which social engineering approach drives the highest conversion rate.

Part of a Broader Pattern of Legitimate Platform Abuse

LLMShare is part of a pattern that has become one of the defining characteristics of the 2026 threat landscape: attackers systematically abusing legitimate platforms as attack infrastructure.

The delivery chain for this campaign exploits the same fundamental dynamic seen in operations abusing Amazon SES for email authentication bypass, GitHub Pages for phishing hosting, and Microsoft’s own notification pipelines for credential harvesting. In every case, the platform is genuinely legitimate, and the controls designed to evaluate it confirm it as trusted because it is trusted.

What This Means for Your Organization

If your employees use ChatGPT or Claude, they are part of the target population for this campaign. The attack reaches victims through sponsored search results, meaning users do not need to click a suspicious link in an email or navigate to an unfamiliar domain. A routine web search for ChatGPT is a sufficient entry point. The resulting page is hosted on a domain those employees have been trained to trust, and it presents a scenario with no obvious indicators of compromise.

Security teams should treat AI platform domains with the same behavioral scrutiny applied to any other third-party content source. The domain being trustworthy does not make the content rendered on it safe. Employee awareness training should be updated to reflect that a URL beginning with chatgpt.com or claude.ai is not by itself a signal that the content is legitimate. Additionally, any executable downloaded from a ChatGPT or Claude shared page should be treated as suspicious, regardless of the explanation provided on screen.

Push Security's research notes that the malvertising ads driving traffic to these pages are likely geographically and temporally scoped, meaning they can be tightly targeted by role, location, or device type. This is not a spray-and-pray operation. It is precision delivery designed to reach specific user populations while remaining difficult for security teams to reproduce and analyze.

Indicators of Compromise and Next Steps

Push Security has published the following indicators observed at the time of their research. As with most modern phishing infrastructure, these are short-lived and liable to rotate, so detection strategies built on behavioral signals will outlast any specific IOC list.

  • Malicious ChatGPT shared page URL: hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d
  • Malicious Claude shared page URL: hxxps://claude[.]ai/share/8e6401b5-4849-46c4-a3cb-29e1c3c49131
  • Fake download domain: openew[.]app
  • Malware SHA256: de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78

If any of these indicators appear in your environment, treat the match as a high-priority finding requiring immediate investigation. Because these campaigns often rotate infrastructure rapidly, organizations should focus on validating user activity and endpoint behavior rather than relying solely on IOC matching.
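One way to act on the behavioral-signal advice above, as an added example that is not from Push Security or TrollEye: a Python correlation over web-proxy events that flags a user who views a chatgpt.com/s/ or claude.ai/share/ page and then fetches an installer from a host outside an approved list within ten minutes. The event tuple format, the approved-host list, the extension list and the time window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Share-link locations named in the article: chatgpt.com/s/ and claude.ai/share/.
SHARE_PREFIXES = {"chatgpt.com": "/s/", "claude.ai": "/share/"}
# Assumption: replace with the installer sources your organization has vetted.
APPROVED_DOWNLOAD_HOSTS = {"openai.com", "anthropic.com"}
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".zip")  # assumption
WINDOW = timedelta(minutes=10)  # assumption: tune to your environment

def _host(url):
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def is_share_page(url):
    prefix = SHARE_PREFIXES.get(_host(url))
    return prefix is not None and urlsplit(url).path.startswith(prefix)

def is_unapproved_installer(url):
    host = _host(url)
    approved = any(host == a or host.endswith("." + a) for a in APPROVED_DOWNLOAD_HOSTS)
    return urlsplit(url).path.lower().endswith(INSTALLER_EXTS) and not approved

def find_share_then_download(events):
    """events: iterable of (iso_timestamp, user, url), sorted by time."""
    last_share = {}  # user -> (time, url) of the most recent share page viewed
    alerts = []
    for ts, user, url in events:
        t = datetime.fromisoformat(ts)
        if is_share_page(url):
            last_share[user] = (t, url)
        elif is_unapproved_installer(url) and user in last_share:
            seen, share_url = last_share[user]
            if t - seen <= WINDOW:
                alerts.append({"user": user, "share": share_url, "download": url})
    return alerts

# Constructed sample proxy events; hosts under .example are placeholders.
SAMPLE = [
    ("2026-01-01T09:00:00", "alice", "https://chatgpt.com/s/cb_EXAMPLE"),
    ("2026-01-01T09:01:30", "alice", "https://downloads.lookalike.example/ChatGPT-Setup.exe"),
    ("2026-01-01T09:05:00", "bob", "https://chatgpt.com/c/1234"),
    ("2026-01-01T09:06:00", "bob", "https://tools.example/editor.dmg"),
    ("2026-01-01T10:00:00", "carol", "https://claude.ai/share/EXAMPLE"),
    ("2026-01-01T11:00:00", "carol", "https://files.example/setup.msi"),
]

if __name__ == "__main__":
    print(find_share_then_download(SAMPLE))
```

Because the rule keys on the sequence of user activity rather than on a specific domain or hash, it keeps working when the download infrastructure rotates.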

More broadly, attacks like this demonstrate why domain reputation can no longer be treated as a primary trust signal. As threat actors increasingly abuse legitimate platforms to deliver malicious content, organizations must evaluate the behavior of content, downloads, and user interactions regardless of where they originate. Any executable delivered through a ChatGPT or Claude shared page should be treated as suspicious by default, no matter what the page says.

Is Your Organization Prepared for Attacks Like This?

When trusted domains become delivery vehicles and the attack surface shifts week to week, security teams need continuous visibility into how their defenses hold up against the techniques attackers are actually using. TrollEye Security’s Continuous Threat Exposure Management (CTEM) approach provides ongoing validation of exposures across your attack surface to ensure your organization is measuring real-world risk, not just theoretical vulnerability counts.
