Summarize with:

Share
Push Security disclosed a live campaign it tracks as LLMShare, where attackers abuse shared content features on ChatGPT and Claude to stage malware delivery on domains users and security tools already trust. The campaign begins with malvertising and SEO poisoning, pushes victims onto chatgpt.com or claude.ai shared pages, and then redirects them toward a malicious payload path that looks legitimate at every step.
The important shift is structural. Traditional controls such as domain reputation, basic URL Filtering, and casual user URL checks are less effective when the first-stage landing page is genuinely hosted on a trusted AI platform. For defenders, this is another reminder that modern phishing campaigns increasingly abuse legitimate platforms instead of disposable attacker-owned infrastructure.
According to Push Security's May 29, 2026 report, attackers are using search-engine ads and poisoned search results to capture users looking for ChatGPT-related downloads, free access, or common misspellings. Push says it observed searches such as chatgpt, chatgpt free, chat gpt, chatgo, chatgot, and cvhatgpt leading to shared AI content pages.
The campaign uses two related variants:
chatgpt.com/s/ shared URLclaude.ai conversation disguised as installation guidance, including a malicious curl commandPush characterizes the technique as part of the broader ClickFix family, specifically an InstallFix style of attack where victims are guided into downloading or executing attacker-controlled content under the pretense of solving a normal software problem.
The first stage is not email. Push says search remains a dominant malware delivery channel and that, in its own data, ClickFix attacks are reached through search results rather than email in 4 out of 5 cases.
Instead of sending victims directly to an obviously suspicious domain, the campaign routes them to pages hosted on chatgpt.com or claude.ai. This is the core evasion advantage: the landing URL inherits the trust of a legitimate platform.
In the ChatGPT variant, the attacker used rendered HTML and CSS inside a shared ChatGPT page to mimic a genuine "high traffic" or service disruption notice. The page tells the user to download the desktop app to continue.
This makes the attack more dangerous than a simple fake chat transcript. The user is no longer reading obviously odd Social Engineering instructions to paste terminal commands. They are interacting with what appears to be a normal product message inside a real ChatGPT page.
Clicking the download button leads to openew[.]app, which Push says impersonates the real ChatGPT download page with OpenAI branding, platform-specific download buttons, and a convincing layout.
Push reports that the infrastructure used conditional rendering. Real browser users saw the fake ChatGPT download flow, while URLScan was shown a benign AR/VR company site. That kind of split behavior complicates static scanning and weakens IOC-only workflows.
The downloaded executable posed as "ChatGPT for Desktop" and was flagged on VirusTotal, according to Push. In the Claude variant, the user is instead pushed into executing a malicious curl command, again using a trusted AI page as the lure.
The value of this technique is not just that it delivers malware. It exploits a gap in how many organizations model web trust.
Many defensive layers still assume:
LLMShare breaks that model. The visible domain is legitimate. The content is attacker-controlled. The second-stage infrastructure can rotate quickly. That combination reduces the usefulness of simple reputation checks and moves the detection problem into user journey, page behavior, and browser interaction telemetry.
Push also frames LLMShare as part of a much broader 2026 pattern: attackers systematically weaponizing legitimate platforms for delivery, hosting, and impersonation. That makes this less of a one-off novelty and more of a repeatable operating model.
Security teams should distinguish between a trusted domain and trustworthy content. Shared pages, collaborative workspaces, CDN-hosted artifacts, and legitimate SaaS content layers can all become attacker-controlled surfaces.
If your detections still center on email, you are missing a large slice of user-driven compromise risk. Search-to-browser journeys now deserve the same attention as inbox-to-click journeys.
Push explicitly notes that short-lived indicators have limited value because adversaries can rotate pages and downstream infrastructure rapidly. That increases the importance of Threat Intelligence enriched with browser, referral, and redirect context.
The rendered ChatGPT page is operationally more dangerous than the earlier "copy this terminal command" social engineering because it removes a major visual red flag. Defenders should assume attackers will keep improving how native these fake in-product experiences look.
chatgpt.com and claude.ai pages followed by redirects to newly observed download domainsopenew[.]app where confirmed in your environmentLLMShare is useful because it shows how AI platform trust can be turned into attack infrastructure without any compromise of the platform itself. Attackers do not need to breach ChatGPT or Claude. They only need to abuse features those platforms intentionally provide.
That is the real security lesson. The attack surface now includes:
In practice, this pushes defenders toward browser-centric controls, better campaign correlation, and stronger skepticism about "safe" domains when the content layer is user-generated.
LLMShare is Push Security's name for a technique where attackers abuse shared content on AI chatbot platforms such as ChatGPT and Claude to deliver malware or malicious installation guidance.
No. The report describes abuse of legitimate sharing and rendering features, not a platform-side breach.
Because the initial landing page is hosted on a legitimate, trusted domain, which means reputation and simple URL inspection may incorrectly signal safety.
Do not treat trusted domains as proof that the page content is trustworthy. In this technique, the trust anchor is real but the content and follow-on workflow are malicious.
Because it looks like a native product notice rather than an obviously suspicious chat transcript telling the user to run commands manually.
Written by
Research
A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.
Get the latest cybersecurity insights in your inbox.
Threat Hunting & IntelOracle PeopleSoft alert follows breach claims at 100+ organizations Claims of mass compromise across Oracle PeopleSoft environments were already serious on June...
Threat Hunting & IntelGlassWorm takedown shows how developer malware becomes supply-chain risk Executive Summary The coordinated disruption of GlassWorm on May 26, 2026 is useful bec...
Threat Hunting & IntelAI-Assisted Search Poisoning Fuels ScreenConnect Cryptojacking Executive Summary Microsoft disclosed an active campaign on May 26, 2026 in which attackers push...