AI PLATFORM ABUSE

LLMShare malware: infostealer hiding behind real chatgpt.com share links

Attackers turn ChatGPT's share-link feature into a fake-outage trap that pushes cross-platform infostealer malware — and URL filters cannot block it without breaking ChatGPT itself.

SB

SafeBrowz Team Security ResearchJune 1, 20269 min read

The LLMShare campaign: anatomy in 60 seconds

Push Security disclosed the campaign on May 29, 2026 after observing it across multiple Google Search ad placements. BleepingComputer and The Hacker News picked it up the same week. The attack chain is short and almost entirely deceptive.

Step one, the attacker purchases Google Ads targeting high-intent queries: ChatGPT, ChatGPT login, ChatGPT outage, ChatGPT down, ChatGPT not working. Outage-related queries spike whenever OpenAI has any latency, and those spikes are exactly when the campaign harvests the most clicks. The ad text and visible URL look indistinguishable from a legitimate OpenAI listing.

Step two, the ad redirects to a legitimately-hosted chatgpt.com share URL. ChatGPT's share-link feature lets any user publish a conversation at a chatgpt.com/share/... URL. Attackers paid for a Plus account, generated a benign-looking conversation, and used HTML and Markdown elements rendered in the chat to construct a fake "service notice" complete with the OpenAI logo, sober dark UI, and a green "Download Desktop App" button.

Step three, the button does not go to openai.com. It goes to openew[.]app, a registrant-spoofing domain whose name visually approximates "OpenAI" if a user is moving fast. The landing page is styled to mirror an OpenAI marketing page and offers Windows .exe and macOS .dmg installers.

Step four, the installer is the LLMShare infostealer. Any.Run sandbox runs confirm credential theft from Chromium-based browsers and Firefox, wallet-extension data exfiltration, system fingerprinting, and a callback to a command-and-control endpoint that rotates every few hours.

Why URL-pattern detectors can't catch this

This is the part that breaks most anti-phishing tools and matters most for users. The phishing landing page is literally hosted on chatgpt.com. The URL bar reads chatgpt.com. The TLS certificate is OpenAI's. PhishTank, URLhaus, and Google Safe Browsing cannot block chatgpt.com without taking the entire ChatGPT service offline for hundreds of millions of legitimate users.

Push Security's writeup makes the same point bluntly: traditional URL filtering is structurally defeated by share features on trusted platforms. The attacker is not impersonating a brand on a lookalike domain. The attacker is using the brand's own infrastructure as a CDN for hostile content.

The only URL that can be blocked is the second-hop destination, openew[.]app. That domain will eventually land in threat feeds. But the window between campaign launch and feed propagation is where every successful infection happens. For days one through three, the only defense is content-aware analysis of the share page itself, which simple URL filters cannot perform.

The fake outage page: what victims see

The crafted share conversation is designed to look like an automated system notice that ChatGPT itself injected at the top of the chat window. The structure observed in the live samples:

• A dark gray banner with the OpenAI rosette logo on the left and a yellow warning triangle on the right.
• A headline reading "OpenAI Web Version Temporarily Unavailable" or "Service Notice: Web client offline for maintenance".
• A short paragraph blaming high load or scheduled maintenance and recommending users switch to the desktop application "to continue your conversation without interruption."
• A bright green or blue rectangular button labeled "Download Desktop App" or "Continue on Desktop".
• Fake social proof in the form of fabricated reply messages further down the conversation pretending to be other users thanking OpenAI for the workaround and confirming the installer is safe.

None of these elements are part of the real ChatGPT UI. ChatGPT does not display service notices inside shared conversations. ChatGPT does not recommend desktop installers via banners. ChatGPT does not embed download buttons in chat messages. Every visible element is content the attacker typed into a conversation they then shared.

openew[.]app: the payload domain

The landing domain openew[.]app was registered approximately seven days before the campaign went live, which is the standard age for ad-driven phishing infrastructure. The page mirrors OpenAI's actual marketing layout closely enough that a quick visual check passes, with a typeface match, similar gradients, and stolen product screenshots.

What gets delivered differs by operating system. On Windows, the .exe installer runs an Electron-style shell that displays a fake "configuring" progress bar while a packed payload writes to %APPDATA% and registers persistence via a Run key. On macOS, the .dmg ships an unsigned application that uses an AppleScript dropper to bypass Gatekeeper if the user right-clicks Open. Any.Run flagged the following infostealer behaviors across both platforms:

• Chromium cookie and login database exfiltration (Chrome, Edge, Brave, Arc).
• Firefox profile harvesting (logins.json, cookies.sqlite, key4.db).
• Wallet extension data theft targeting MetaMask, Phantom, Coinbase Wallet, and TrustWallet extension storage.
• SSH key and cloud CLI credential collection from ~/.ssh, ~/.aws, ~/.config/gcloud.
• Discord token theft and Telegram desktop session file copy.
• HTTPS POST callback to a C2 endpoint that rotates subdomain every 4 to 6 hours.

It is, in short, a complete cross-platform stealer with crypto wallet focus, not a novel piece of malware, but novel in its distribution channel.

The 30-second user check (any AI platform link)

This generalizes beyond ChatGPT. Use it on any link that arrives via an AI-platform share URL, Google Ad, or social-media post claiming an "official" client.

1. Confirm the download hostname matches the brand. Right-click the download button and copy the link. If you are downloading ChatGPT, the only legitimate hostnames are openai.com, chat.openai.com, persistent.oaistatic.com, or app.openai.com. Anything else, including openew.app, openai-app.com, openai-download.com, chatgpt-desktop.com, is hostile. Same rule for Claude (anthropic.com), Gemini (google.com or googleusercontent.com), and Perplexity (perplexity.ai).
2. Verify outages on the official status page. ChatGPT incidents publish at status.openai.com. Claude at status.anthropic.com. Gemini under status.cloud.google.com. Perplexity at status.perplexity.ai. If the share page claims an outage and the official status page shows green, the share is hostile.
3. Inspect the download dialog. Real OpenAI desktop installers are signed by "OpenAI, Inc." on macOS (verify under File, Get Info, Locked / Signature) and by "OpenAI" on Windows (right-click, Properties, Digital Signatures tab). Unsigned installers or installers signed by random developer IDs are hostile by default.
4. Never accept a desktop installer from inside a share link. Even legitimate platforms publish desktop apps on their main marketing site, app stores, or status pages. A shared conversation is never the canonical install path. If a chat asks you to download anything, treat it the way you would treat an email attachment promising a refund.
5. Type the domain yourself when in doubt. Close the share link. Open a new tab. Type openai.com. Click whatever the marketing site links to. That is the only safe install path.

Why this pattern is coming for Claude, Gemini, Perplexity next

Every major AI platform now ships a public share-link feature. Claude conversations can be shared at claude.ai/share. Gemini at g.co/gemini/share. Perplexity at perplexity.ai/search/{id}. ChatGPT at chatgpt.com/share. All four host user-controlled content under a trusted brand domain and TLS certificate. All four are therefore vulnerable to the LLMShare template.

SafeBrowz expects to see the same playbook replicated across these platforms within weeks of LLMShare's media coverage. The economics are identical: cheap ad spend, free hosting on a trusted domain, predictable conversion rate against users searching for outages. Defenders should assume that "the AI platform share-link page is hostile until proven otherwise" is a baseline rule from this campaign forward.

There is also a worse variant on the horizon. Right now LLMShare uses static text inside a shared conversation. A future iteration could use AI-generated dynamic content via shared "custom GPTs" or shared Gems that adapt the pitch to whatever the visitor's user-agent and referer headers suggest. Defending against that requires content-aware analysis, not URL pattern matching.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. Each layer plays a different role in stopping LLMShare and its imitators.

• Layer 1 - Local detection: 60+ URL patterns + 550+ brand signatures (including AI-platform brands: OpenAI, ChatGPT, Anthropic, Claude, Gemini, Perplexity, plus their official download hostnames) + community whitelist/blacklist, all running directly in the extension before the page renders. openew.app is the kind of lookalike that Layer 1 picks up the moment it appears in our brand-impersonation database, since openai is in the protected-brand list and openew is one Levenshtein edit away.
• Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam-TLD signals. As LLMShare's openew.app and successor domains get reported, Layer 2 catches them across all SafeBrowz installs within minutes of each feed update.
• Layer 3 - AI deep scan (Premium): 100+ language content analysis. This is the layer that matters most here. Layer 3 reads the rendered page content even on a legitimate chatgpt.com share URL, recognizes the "service outage + urgent download to non-OpenAI hostname" social-engineering pattern, and warns the user before they click. It works on day zero against a campaign that has never been seen before, in any of 100+ languages, because it judges intent and brand mismatch, not URL strings.

SafeBrowz insight: Our brand database tracks official download hostnames for each major AI platform, so the Layer 3 AI scan can flag mismatches between a page's claimed brand and the actual destination of any download button on it, even when the page itself is hosted on the real brand domain. This is the specific capability that defeats the LLMShare class of attack.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Page contents are processed for the verdict and anonymously retained for detection-engine training; no per-user URL history is stored.

Frequently asked questions

Is ChatGPT itself compromised?

No. The chatgpt.com domain, OpenAI's servers, and the ChatGPT model are not compromised. Attackers are using a legitimate feature, share links, to publish hostile content as if it were a normal conversation. The infrastructure is fine; the content inside the shared conversation is what is hostile.

Should I stop using ChatGPT share links altogether?

No. Share links sent by people you know, for conversations you expected, are still fine. The risk is opening a share URL you arrived at from a search result, a Google Ad, an unsolicited DM, or a social post claiming an outage. Those are the high-risk paths the LLMShare campaign exploits.

What if I already downloaded the openew.app installer but did not run it?

Delete the installer file from your Downloads folder. Empty the recycle bin or trash. On macOS, run a quick scan with Malwarebytes or your existing security tool. On Windows, run a Microsoft Defender full scan. If you did not double-click the installer, nothing executed and you are safe.

What if I ran the installer?

Assume credentials and wallet extension data on that machine are compromised. Sign out of every browser session via your account dashboards. Rotate passwords starting with email, then banking, then crypto exchanges. If you have a hardware wallet, move funds from any hot wallet extension (MetaMask, Phantom, Coinbase Wallet, TrustWallet) on that machine to a fresh seed phrase generated on the hardware wallet itself. Run a full antivirus scan, then strongly consider a clean OS reinstall for high-value accounts.

Will Google take down the malicious ads?

Yes, eventually. Push Security reports that several of the LLMShare ad accounts were removed within 48 hours of disclosure. Attackers rotate ad accounts quickly, however, and the campaign will likely continue under new accounts and slightly varied keywords. Treat any ad result for an AI platform as untrusted; click the organic result below the ads instead.

Does Safe Browsing block openew.app?

It does once the domain is reported. Initial campaign domains typically take 24 to 72 hours to land in Google Safe Browsing, PhishTank, and URLhaus feeds. SafeBrowz Layer 2 picks them up from those feeds. SafeBrowz Layer 3 (Premium AI) catches the underlying content pattern from day zero, regardless of whether the specific domain is in any blocklist.

Why can't browsers warn on the chatgpt.com share page itself?

Because the page is hosted on a verified, trusted domain with a valid TLS certificate. Chrome, Safari, and Firefox cannot warn on chatgpt.com without warning on every legitimate ChatGPT user. Defense at this layer requires content-aware judgment running locally in an extension or AI scanner, which is what SafeBrowz Layer 3 does.

Are Claude, Gemini, and Perplexity share links also dangerous?

They are not currently being abused by a named campaign, but the technical surface is identical. SafeBrowz expects copycat campaigns within weeks. The same 30-second user check applies: confirm any download button on a shared AI conversation points to the platform's official hostname, and verify outages on the platform's official status page before believing an "urgent download" banner inside a chat.

Article published June 1, 2026. Last updated June 1, 2026.