Attackers are using real ChatGPT shared-content pages to make fake OpenAI app downloads look more trustworthy.
The LLMShare campaign, disclosed by Push Security on May 29, shows how malvertising can exploit legitimate AI platform URLs before redirecting users to attacker-controlled download sites. For enterprise security teams, the risk is not that OpenAI was breached, but that trusted domains can now host convincing social engineering lures that bypass simple domain-reputation checks.
How attackers used real ChatGPT URLs
OpenAI’s public documentation says ChatGPT shared links can make selected conversations viewable to anyone with the URL. Attackers used a separate chatgpt.com/s/ shared-content page to render custom HTML and CSS as a fake ChatGPT service notice.
The page displayed a fake high-traffic outage message urging visitors to download a desktop app. Push Security said the “Show code” and “Remix with ChatGPT” controls showed the notice was not an official OpenAI service alert.
Attackers used paid search ads to send users to the real chatgpt.com/s/ page before redirecting them to openew[.]app, an attacker-controlled site imitating OpenAI’s desktop app download page.
BleepingComputer reported that the fake download site used cloaking, showing real browser visitors the fake ChatGPT download page while serving tools such as URLScan a harmless-looking AR/VR company website. The site offered both macOS and Windows downloads, though the publication noted that the ultimate payloads were unclear in its analysis.
ThreatLocker separately cited Malwarebytes research identifying a concurrent fake ChatGPT download campaign that used Odyssey Stealer on macOS, but exact payload details should be tied to specific samples or researcher findings.
Why trusted AI pages create enterprise risk
The campaign exploits a common security shortcut: treating a trusted domain as a proxy for trusted content. In this case, the first-stage page sat on a legitimate OpenAI domain, while the download step moved users to attacker-controlled infrastructure.
There is no indication that OpenAI was breached. The risk is that attackers can stage social engineering content on domains users and security tools are conditioned to trust, a pattern also seen in ChatGPhish, a separate ChatGPT phishing technique.
The same playbook is not limited to ChatGPT. Push Security also observed shared Claude.ai conversations with fake installation guides that told users to paste terminal commands, while recent Gemini prompt-injection research showed another way AI tools can surface untrusted instructions.
For security teams, the practical issue is the browser-to-download handoff. Defenses should inspect redirects, download prompts, unsigned executables, newly seen destinations, and command-copy instructions, especially as automated and malicious traffic increasingly mimics normal browser behavior. ThreatLocker recommends application allowlisting, web content control, and privileged access management.
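One way to look for the browser-to-download handoff described above in web proxy logs, as an added example that is not from Push Security, ThreatLocker or OpenAI. It assumes a log with per-user timestamps and URLs, a baseline set of previously seen download hosts (`known_hosts`), and a 10-minute correlation window; all hosts, IDs and users in the sample data are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SHARED_PREFIXES = [("chatgpt.com", "/s/")]  # from the article; add other platforms as needed
INSTALLER_EXTS = (".dmg", ".pkg", ".exe", ".msi")
WINDOW = timedelta(minutes=10)  # assumed correlation window

def is_shared_page(url):
    """True only for an exact host match, so lookalike hosts do not count."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return any(host == h and u.path.startswith(p) for h, p in SHARED_PREFIXES)

def find_handoffs(events, known_hosts):
    """Flag installer downloads from hosts outside known_hosts that follow a
    shared-page view by the same user within WINDOW."""
    last_shared, alerts = {}, []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if is_shared_page(ev["url"]):
            last_shared[ev["user"]] = (ts, ev["url"])
            continue
        u = urlsplit(ev["url"])
        seen = last_shared.get(ev["user"])
        if (seen and ts - seen[0] <= WINDOW
                and u.path.lower().endswith(INSTALLER_EXTS)
                and (u.hostname or "").lower() not in known_hosts):
            alerts.append({"user": ev["user"], "lure": seen[1], "download": ev["url"],
                           "delay_s": int((ts - seen[0]).total_seconds())})
    return alerts

# Constructed sample data: hosts, IDs and users are placeholders.
KNOWN_HOSTS = {"cdn.approved.example"}
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T09:00:05", "user": "alice", "url": "https://chatgpt.com/s/EXAMPLE_ID"},
    {"ts": "2025-01-01T09:00:40", "user": "alice", "url": "https://fake-desktop-app.example/download"},
    {"ts": "2025-01-01T09:00:52", "user": "alice", "url": "https://fake-desktop-app.example/files/Setup.exe"},
    {"ts": "2025-01-01T09:05:00", "user": "bob", "url": "https://chatgpt.com/s/EXAMPLE_ID"},
    {"ts": "2025-01-01T09:30:00", "user": "bob", "url": "https://fake-desktop-app.example/files/App.dmg"},
    {"ts": "2025-01-01T10:00:00", "user": "carol", "url": "https://chatgpt.com/c/EXAMPLE_CHAT"},
    {"ts": "2025-01-01T10:01:00", "user": "carol", "url": "https://fake-desktop-app.example/files/Setup.msi"},
    {"ts": "2025-01-01T11:00:00", "user": "dave", "url": "https://chatgpt.com/s/EXAMPLE_ID"},
    {"ts": "2025-01-01T11:01:00", "user": "dave", "url": "https://cdn.approved.example/app.pkg"},
]

if __name__ == "__main__":
    for alert in find_handoffs(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(alert)
```

Only the first user's download is flagged: the others fall outside the window, follow an ordinary conversation URL rather than a shared-content page, or come from a host already in the baseline.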
Employees should treat software-download prompts in shared AI pages or outage messages reached from search ads as suspicious. The safer path is the vendor’s official download page or an approved enterprise software portal.