Malvertisers Use ChatGPT Share Links to Deliver Malware
Security researchers documented a malvertising campaign, dubbed "LLMShare" by Push Security, that abuses AI chat platforms' share features to deliver malware from trusted domains. Push Security disclosed on May 29, 2026 that attackers host fake outage and download pages inside legitimate chatgpt.com/s/[id] share links and buy Google search ads for terms like "ChatGPT download" to drive victims there, as confirmed by BleepingComputer. Because the malicious page sits on OpenAI's own domain, it evades web filters and URL-reputation checks. Researchers report the technique was also ported to Claude share links posing as "Apple Support" macOS install guides that run malicious terminal commands, and that downloads target both Windows and macOS. Reporting notes the method echoes late-2025 incidents that abused ChatGPT and Grok shared chats to deliver infostealers, indicating a repeatable, cross-platform social-engineering technique.
What happened
Security researchers documented a malvertising campaign, named "LLMShare" by Push Security, that weaponizes AI chat platforms' sharing features to deliver malware from trusted domains. Push Security disclosed the campaign on May 29, 2026, and BleepingComputer confirmed attackers host a fake high-traffic or outage page inside a legitimate chatgpt.com/s/[unique-id] share link, then buy sponsored Google search ads for terms such as "ChatGPT," "ChatGPT desktop app," and "ChatGPT download" to funnel victims to it. Researchers report a parallel variant abused Claude share links, disguising malicious macOS install instructions as "Apple Support" guidance.
Technical details
Because the malicious content is rendered on the platform's own domain, URL-reputation signals and corporate web filters that key on destination domain are bypassed. Reporting notes the share pages render attacker-supplied HTML and CSS to build a pixel-perfect fake outage notice with a download button, and that the campaign serves benign content to automated analysis tools while showing real browsers the lure. The offered downloads install infostealer malware on both Windows and macOS; the Cloud Security Alliance reports the Claude-share variant delivered an in-memory, per-request-polymorphic shell script designed to evade hash-based detection.
Industry context
Editorial analysis
This fits a recurring pattern in which attackers weaponize platform-level trust and user-facing features rather than software vulnerabilities. The Cloud Security Alliance notes the technique echoes late-2025 incidents that used shared ChatGPT and Grok conversations to deliver the Atomic macOS Stealer, indicating a repeatable method ported across platforms. Defenders that rely mainly on destination-domain reputation will miss campaigns hosted on legitimate service domains.
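As an added example (not code from Push Security or the reporting cited here), one way to look past domain reputation is to correlate proxy events per user: an ad-tagged visit to a share link followed shortly by an installer download. It assumes the proxy logs full URLs, that Google's `gclid` click identifier is present on the landing URL, and a five-minute correlation window; the log records and `example.*` hosts are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

SHARE_PATHS = {"chatgpt.com": "/s/"}   # share path named in the article; extend per platform
AD_CLICK_PARAMS = {"gclid"}            # Google Ads click ID (assumed to reach the proxy log)
RISKY_EXT = (".exe", ".msi", ".dmg", ".pkg", ".sh")
WINDOW = timedelta(minutes=5)          # assumed correlation window

def is_ad_driven_share(url):
    """True if the URL is a share link on a listed domain that carries an ad-click tag."""
    u = urlsplit(url)
    host = (u.hostname or "").lower().removeprefix("www.")
    prefix = SHARE_PATHS.get(host)
    if not prefix or not u.path.startswith(prefix):
        return False
    return bool(AD_CLICK_PARAMS.intersection(parse_qs(u.query)))

def find_chains(events):
    """events: iterable of (iso_timestamp, user, url) in one timezone, any order."""
    last_share = {}   # user -> (time, share_url) of the latest ad-driven share visit
    alerts = []
    for ts, user, url in sorted(events):
        t = datetime.fromisoformat(ts)
        if is_ad_driven_share(url):
            last_share[user] = (t, url)
            continue
        # Flag an installer or script fetched soon after the ad-driven share visit.
        if urlsplit(url).path.lower().endswith(RISKY_EXT) and user in last_share:
            t0, share = last_share[user]
            if t - t0 <= WINDOW:
                alerts.append({"user": user, "share": share, "download": url,
                               "delay_s": int((t - t0).total_seconds())})
    return alerts

SAMPLE = [  # constructed proxy records, not real telemetry
    ("2026-06-01T09:00:00", "alice", "https://chatgpt.com/s/EXAMPLE-ID?gclid=CONSTRUCTED"),
    ("2026-06-01T09:00:40", "alice", "https://downloads.example.net/ChatGPT-Setup.exe"),
    ("2026-06-01T09:05:00", "bob", "https://chatgpt.com/s/EXAMPLE-ID"),  # no ad tag
    ("2026-06-01T09:05:30", "bob", "https://files.example.org/tool.dmg"),
    ("2026-06-01T10:00:00", "carol", "https://chatgpt.com/s/EXAMPLE-ID?gclid=CONSTRUCTED"),
    ("2026-06-01T10:30:00", "carol", "https://files.example.org/update.pkg"),  # outside window
]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE):
        print(alert)
```

Only the first pair alerts; the untagged share visit and the late download are ignored, which keeps ordinary share-link use from flooding the queue.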
What to watch
- Expansion to other AI platforms' share features (the Cloud Security Alliance already documents ChatGPT, Claude, and Grok variants).
- Spikes in sponsored search placements for popular AI-tool keywords.
- Endpoint telemetry for in-memory script execution and exfiltration rather than static file hashes.
- Vendor response: as reported, neither OpenAI nor Anthropic had issued public mitigations as of early June 2026; watch for changes to share-link rendering.
Key Points
1. Push Security's "LLMShare" campaign hides fake ChatGPT outage and download pages inside legitimate chatgpt.com/s/ share links, bypassing filters that trust the OpenAI domain (BleepingComputer).
2. Sponsored Google ads for "ChatGPT download" drive victims to Windows and macOS infostealers; a Claude variant posed as "Apple Support" macOS install guides.
3. Domain-reputation defenses fail here; SOC teams need telemetry for in-memory, polymorphic execution and exfiltration, not static hashes.
Scoring Rationale
The campaign escalates malvertising by hosting weaponized pages on trusted AI-platform domains and using polymorphic in-memory payloads, which materially raises detection and response complexity for defenders. Multiple vendors and research groups independently reported the technique, making it broadly relevant to security and incident-response teams.