How a Trusted ChatGPT Link Becomes a Malware Delivery System
Here's the thing about trust: it's hard to earn and easy to exploit. We've seen it time and again in cybersecurity, but the latest campaign, dubbed LLMShare by Push Security, takes this to a new level by weaponizing the very platforms designed to help us. This sophisticated attack delivers ChatGPT malware by exploiting legitimate sharing features. If you've been searching for a ChatGPT desktop app, you might have already seen this.
The problem isn't just that attackers are using AI; it's that they're using AI's legitimate features to host their attacks on domains we inherently trust. This isn't some exotic new technique; it's a clever twist on an old phishing lure, made more effective by the perceived legitimacy of the chatgpt.com domain itself.
The Incident: Fake Outage, Real Malware
As of late May 2026, Push Security researchers have identified a campaign where threat actors are abusing ChatGPT's content-sharing feature to host fake OpenAI outage pages. These aren't just static HTML files on some shady domain; they're rendered directly within a shared ChatGPT conversation link, like chatgpt.com/s/[unique-id].
Think about that for a second. You click a link, and it takes you to chatgpt.com. Your browser's green padlock is there. Everything looks legitimate. But what you see is a message claiming, "We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue."
This fake outage page then directs you to download a "desktop app" from an external domain, openew[.]app, which impersonates OpenAI's official download portal. This is where the malware comes in.
The Mechanism: A Chain of Trust Exploitation
The attack chain for LLMShare is a masterclass in social engineering layered on technical cleverness:
- Initial Lure: It starts with Google ads. Attackers buy sponsored search results for terms like "ChatGPT," "ChatGPT desktop app," or "ChatGPT download." When you search for these, the malicious ad pops up, looking like an official link.
- Legitimate Domain, Malicious Content: Clicking the ad takes you to a legitimate chatgpt.com/s/ share link. This is key. Because the content is hosted on OpenAI's domain, it bypasses many web filters and firewalls that would flag external malicious sites.
- AI-Rendered Deception: The fake outage notice isn't a static image. It's custom HTML and CSS, rendered by a ChatGPT prompt, then published via the share link. This means the content is dynamic and appears to be part of the trusted chatgpt.com environment. You might even see "Show code" or "Remix with ChatGPT" controls, adding to the illusion.
- Malware Delivery: The fake outage page prompts you to download a "desktop app" from openew[.]app. This external domain is designed to look like an official OpenAI download site.
- Evasion Tactics: The openew[.]app domain uses cloaking. If a security scanner like URLScan tries to check it, it sees a harmless AR/VR company website. Only targeted victims see the malicious download. On top of that, the Windows malware payload checks if it's running in a virtual machine or a legitimate computer, looking for security software registry keys to avoid analysis.
- Payload: For macOS users, the observed payload is Odyssey Stealer, an infostealer. For Windows, it's also an infostealer, though the specific name wasn't provided in the research. These types of malware are designed to steal credentials, financial data, and other sensitive information.
This is less about a bad link than about a legitimate platform feature being repurposed. We've seen similar abuses with Claude Artifacts and shared Grok conversations, where malicious installation instructions or ClickFix-style lures were embedded. This highlights the broader issue of LLM platforms being used to deliver malware.
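One way a defender could hunt for this chain in web proxy logs, as an added example that is not from Push Security's research or the original article: it flags a client that opens a chatgpt.com/s/ share link and then, within a few minutes, fetches an installer from a host outside an allowlist. The log tuple layout, the five-minute window, the allowlisted suffixes and every URL in SAMPLE are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions: tune the allowlist, extensions and window to your environment.
OFFICIAL_SUFFIXES = ("openai.com", "chatgpt.com")
INSTALLER_EXTS = (".dmg", ".pkg", ".exe", ".msi", ".zip")
WINDOW_SECONDS = 300

def is_official(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def is_share_link(url):
    u = urlsplit(url)
    return (u.hostname or "").lower() == "chatgpt.com" and u.path.startswith("/s/")

def find_lure_downloads(events):
    """events: iterable of (epoch_seconds, client, url), already in time order."""
    # Correlate by client and time rather than by Referer: browsers usually send
    # only the origin cross-site, so the /s/ path is not visible downstream.
    last_share = {}  # client -> (time, share_url, arrived_via_ad_click)
    alerts = []
    for ts, client, url in events:
        u = urlsplit(url)
        if is_share_link(url):
            last_share[client] = (ts, url, "gclid" in parse_qs(u.query))
            continue
        seen = last_share.get(client)
        if not seen or ts - seen[0] > WINDOW_SECONDS:
            continue
        if u.path.lower().endswith(INSTALLER_EXTS) and not is_official(u.hostname or ""):
            alerts.append({"client": client, "share_url": seen[1],
                           "download_url": url, "ad_click": seen[2],
                           "delay": ts - seen[0]})
    return alerts

# Constructed sample events; none of these URLs are real.
SAMPLE = [
    (1000, "10.0.0.5", "https://chatgpt.com/s/EXAMPLE-ID-1?gclid=abc123"),
    (1042, "10.0.0.5", "https://downloads.lure.test/ChatGPT-Setup.exe"),
    (1100, "10.0.0.7", "https://chatgpt.com/s/EXAMPLE-ID-2"),
    (1130, "10.0.0.7", "https://downloads.openai.com/example/ChatGPT.dmg"),  # allowlisted
    (2000, "10.0.0.9", "https://tools.vendor.test/agent.msi"),  # no share visit first
    (5000, "10.0.0.5", "https://other.test/tool.zip"),  # outside the window
]

if __name__ == "__main__":
    for alert in find_lure_downloads(SAMPLE):
        print(alert)
```

Only the first client is flagged; the allowlisted download, the download with no preceding share-link visit, and the one outside the window are ignored.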
The Impact: Who's at Risk?
Anyone searching for a ChatGPT desktop application is a potential target, regardless of their operating system. Both macOS and Windows devices are in scope. The practical impact is clear: if you fall for this, you're likely getting an infostealer on your machine. That means compromised accounts, potential financial loss, and a significant cleanup effort.
What's particularly frustrating is the psychological angle. Users are increasingly skeptical of AI-generated content and links, and for good reason. Social discussions on platforms like Reddit and Hacker News show a clear awareness of AI's potential for misuse, with people often advising against trusting AI-generated links or code without independent verification. Yet this campaign uses domain trust to bypass that skepticism. You might be wary of a random link, but chatgpt.com feels different. That's the whole problem.
The Response: What Needs to Change
OpenAI, Anthropic, and other LLM providers need to address how their sharing features can be abused. While the ability to share conversations is useful, the capacity to render arbitrary HTML/CSS directly on a trusted domain creates a significant attack surface.
Here's what I think needs to happen:
- Content Sanitization: LLM platforms must implement stricter sanitization for shared content, especially anything that can render custom HTML or CSS. If a shared link can display a full-screen overlay that looks like a system message, that's a design flaw.
- Domain Trust Reinforcement: OpenAI and others should consider visual cues or disclaimers on shared links that clearly differentiate user-generated content from official system messages or download prompts. Make it impossible for a shared conversation to perfectly mimic an official site outage.
- User Education: This is always part of the solution, but it's especially critical here. Users need to understand that even if the domain looks legitimate, the content within a shared link might not be. To avoid ChatGPT malware, always download software directly from the vendor's official website, typed into your browser, not from a link in an ad or a shared conversation.
- Ad Platform Accountability: Google, and other ad platforms, need to improve their vetting processes for sponsored search results. Malicious ads leading to these types of campaigns are a recurring problem.
This LLMShare campaign shows that attackers are constantly adapting. They're not just using AI to create phishing emails; they're using AI platforms themselves as the delivery mechanism for malware. We can't just focus on the output of AI; we have to secure the platforms and their features, too.