Hackers abuse ChatGPT's content-sharing feature to spread malware

- Attackers abuse ChatGPT's sharing feature to deliver malware.
- The fake outage message appears exceptionally convincing and can slip past security defenses.
- Similar attacks have also been spotted on Claude.
Attackers are abusing ChatGPT’s content-sharing feature to display fake OpenAI outage pages, tricking users into installing malware disguised as ChatGPT for Desktop.
Researchers from Push Security said that the campaign, which they dubbed "LLMShare," was still generating detections across its customer base at the time of the report’s release on Friday.
While previous versions of this attack relied on fake ChatGPT conversations to convince users to install malware, threat actors are now using fake OpenAI outage pages hosted on ChatGPT's own domain.
How the attack works
Cybercriminals are abusing ChatGPT's code rendering feature to create a convincing web page displaying a fake service disruption notice: "We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue."
Push researchers discovered that the page includes "Show code" and "Remix with ChatGPT" controls, indicating that the outage notice is not an official OpenAI message but is generated from custom HTML and CSS rendered by a ChatGPT prompt.
The download button below the message leads to openew[.]app – a clone of ChatGPT's official desktop application download page. This page, too, looks convincing: it carries OpenAI branding, macOS and Windows download buttons, and a Chrome extension link.
Interestingly, the site is not static. The researchers discovered that it uses cloaking to display differently depending on the visitor: to real users, it appears as a fake download page, while bots and scanners see an entirely different page, typically something benign. This technique aims to make it harder for security teams to spot malicious infrastructure.
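As an added example (not Push Security's, OpenAI's or the attackers' code), the following Python applies two of the points above to a rendered share page from a defender's side: it flags a page that pairs the outage wording quoted earlier with a download link pointing off OpenAI's own domains (the case security tools miss because the lure is hosted on a trusted domain), and it compares the page as seen by a browser-like profile with the page as seen by a scanner-like profile to surface cloaking. The HTML samples, the allowlist of trusted download hosts and the domain `lookalike-download.example` are constructed stand-ins; the article names openew[.]app as the real lure domain.

```python
"""Heuristic checks for the fake-outage lure described in the article.

Added example: the HTML samples, the trusted-host allowlist and the
lookalike domain are constructed, not taken from the campaign.
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the defender accepts as legitimate sources of an OpenAI
# desktop download. Anything else behind a "download our app" lure is suspect.
TRUSTED_DOWNLOAD_HOSTS = {"openai.com", "chatgpt.com"}

# Phrases from the lure text quoted in the article.
LURE_PHRASES = (
    "temporarily unavailable",
    "high traffic",
    "download our desktop app",
)


class _LinkAndTextParser(HTMLParser):
    """Collects every anchor href plus the visible text of a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text_parts.append(data)


def _host_is_trusted(host):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOWNLOAD_HOSTS)


def analyze_rendered_page(html):
    """Return (lure_hits, untrusted_hosts, verdict) for one rendered page.

    The page is 'suspicious' only when lure wording and an off-allowlist link
    occur together; either alone is common on genuine shares.
    """
    p = _LinkAndTextParser()
    p.feed(html)
    text = " ".join(p.text_parts).lower()
    lure_hits = [ph for ph in LURE_PHRASES if ph in text]
    hosts = {urlparse(h).hostname for h in p.hrefs}
    untrusted = sorted(h for h in hosts if h and not _host_is_trusted(h))
    verdict = "suspicious" if lure_hits and untrusted else "benign"
    return lure_hits, untrusted, verdict


def cloaking_suspected(responses, threshold=0.6):
    """responses: {profile_name: html} fetched with different client profiles.

    Returns the profile pairs whose visible text diverges below `threshold`
    similarity, which is what serving a benign page to scanners looks like.
    """
    def visible(html):
        p = _LinkAndTextParser()
        p.feed(html)
        return re.sub(r"\s+", " ", " ".join(p.text_parts)).strip().lower()

    texts = {name: visible(body) for name, body in responses.items()}
    names = list(texts)
    divergent = []
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            ratio = SequenceMatcher(None, texts[names[i]], texts[names[j]]).ratio()
            if ratio < threshold:
                divergent.append((names[i], names[j], round(ratio, 2)))
    return divergent


# Constructed sample: a rendered "outage" page with an off-domain download link.
FAKE_OUTAGE_HTML = """<html><body>
<h1>We're experiencing high traffic right now.</h1>
<p>Our website is temporarily unavailable due to a large number of users.
Download our desktop app to continue.</p>
<a href="https://lookalike-download.example/desktop">Download ChatGPT for Desktop</a>
</body></html>"""

# Constructed sample: an ordinary shared conversation.
GENUINE_SHARE_HTML = """<html><body>
<p>Here is a summary of your meeting notes.</p>
<a href="https://chatgpt.com/share/constructed-id">Open in ChatGPT</a>
</body></html>"""

# Constructed sample: what a cloaking site might return to a scanner profile.
SCANNER_VIEW_HTML = "<html><body><p>Welcome to our cooking blog. Today: pasta.</p></body></html>"


if __name__ == "__main__":
    print(analyze_rendered_page(FAKE_OUTAGE_HTML))
    print(analyze_rendered_page(GENUINE_SHARE_HTML))
    print(cloaking_suspected({"browser": FAKE_OUTAGE_HTML, "scanner": SCANNER_VIEW_HTML}))
```

The host allowlist is deliberately small; in practice it should be the set of download hosts your organisation actually expects, and the cloaking check needs the same URL fetched under at least two client profiles, with the comparison run on visible text rather than raw markup so that scripts and styling differences do not trigger it.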
Pete Luban, Field CISO at AttackIQ, says that this campaign relies on user trust.
“The key to this campaign is the reliance on user trust. A fake outage page sitting inside a real ChatGPT share link feels much more believable than a random phishing site, which lowers suspicion quickly. The user sees a trusted domain, a familiar product, and a plausible reason to download something.”
“The real danger is what happens after the click. An unprepared organization may treat this like a simple user mistake, but attackers are really testing whether one trusted-looking path can reach something valuable. If that download leads to stolen credentials or remote access, the issue is no longer the fake page. It’s the open route behind it,” says Luban.
The attacks aren't limited to ChatGPT
Push researchers also spotted similar attacks on Claude, where threat actors used a shared chat disguised as a "Claude Code on Mac" installation guide, attributed to "Apple Support," to lure users into downloading malware.
They suggest that the presence of close variants of this attack in Push customer environments means that hackers are experimenting with multiple AI platforms and social engineering approaches to see what lands.
In December 2025, security researchers found that crooks bought sponsored Google search results that led to manipulated ChatGPT or Grok answers for users trying to clean their Macs. Following the instructions would install Atomic macOS Stealer (AMOS), a powerful infostealer.
Researchers say that traditional trust signals are becoming less reliable – the rendered-page variant hosted on ChatGPT shows no visible indicators of an attack and looks simply like a routine service disruption message.
They add that security tools are designed to flag suspicious websites – but they can skip past malicious content if it’s hosted on a trusted domain.
This suggests that security teams should look beyond traditional attack vectors; Luban recommends that organizations focus instead on identifying realistic attack chains.
“Security teams need to think less in terms of one-off alerts and more in terms of the paths attackers can build from them. The goal is to prove which defenses stop those paths before a real campaign finds out for them.”