LLMShare: using shared chatbot pages to distribute malware
LLMShare: how attackers are turning AI chatbot pages into malware delivery platforms
Keanu Maharaj · May 29, 2026
Attackers are abusing the shared content features of AI chatbot platforms — ChatGPT and Claude — to deliver malware through pages hosted on legitimate, trusted domains, distributing the malicious links via sponsored malvertising ads on search engines.
Shared conversations on AI chatbot platforms have become the latest delivery mechanism for malware campaigns targeting macOS and Windows users. Attackers create content on platforms like ChatGPT and Claude that appears to offer installation guidance or service updates, then drive traffic to it via search engine results in the form of malvertising and SEO poisoning.

The content lives on chatgpt.com or claude.ai — domains that users and security tools trust implicitly — so the attack bypasses URL reputation checks before the victim even reaches the malicious payload.

Several variants of this technique have been reported over the past few months. The earliest examples used shared Claude.ai conversations disguised as installation guides — complete with fake "Apple Support" attribution — that walked users through opening a terminal and pasting a curl command that downloaded and executed an infostealer. Kaspersky documented a parallel campaign using shared ChatGPT conversations to deliver the AMOS (Atomic macOS Stealer) via the same paste-this-command social engineering pattern.

Push has detected a new variant that goes beyond the previously reported technique of embedding terminal commands in shared conversations: the attacker has used ChatGPT's code rendering feature to build a fully designed fake page that mimics a ChatGPT service disruption, redirecting victims to a convincing clone of ChatGPT's download page that delivers a malicious executable.
These are essentially InstallFix attacks — a variant of the ClickFix family that Push documented earlier this year — and they exploit the fact that AI tools have normalized command-line installation workflows for a population of users who lack the experience to distinguish a legitimate terminal command from a malicious one.
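
The chain in the new variant above (a page on a trusted chatbot domain that hands the visitor to an off-platform site serving an installer) shows up in browser navigation telemetry even when URL reputation passes the first hop. The following Python is an added example, not code from Push or the original post; the event schema, the path prefixes other than chatgpt.com/s/, the vendor allowlists, the time window and the sample events are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions, not from the original post: the event schema, every path prefix
# except chatgpt.com/s/, the vendor allowlists and the correlation window.
SHARED_PREFIXES = {"chatgpt.com": ("/s/", "/share/"), "claude.ai": ("/share/",)}
VENDOR_DOMAINS = {"chatgpt.com": ("chatgpt.com", "openai.com"),
                  "claude.ai": ("claude.ai", "anthropic.com")}
EXECUTABLE_EXT = (".dmg", ".pkg", ".exe", ".msi")
WINDOW_SECONDS = 300

def host_of(url):
    return (urlsplit(url).hostname or "").lower().removeprefix("www.")

def shared_platform(url):
    """Return the chatbot host if url is user-authored shared content, else None."""
    host = host_of(url)
    return host if urlsplit(url).path.startswith(SHARED_PREFIXES.get(host, ())) else None

def is_vendor(host, platform):
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS[platform])

def detect(events):
    """events: time-ordered dicts with ts, tab, type ('nav' or 'download'), url, referrer."""
    handoffs, alerts = {}, []  # tab -> (ts, shared page URL, off-platform host)
    for e in events:
        if e["type"] == "nav":
            platform = shared_platform(e.get("referrer", ""))
            host = host_of(e["url"])
            if platform and not is_vendor(host, platform):
                handoffs[e["tab"]] = (e["ts"], e["referrer"], host)
        elif e["type"] == "download" and e["tab"] in handoffs:
            ts, shared_url, host = handoffs[e["tab"]]
            name = urlsplit(e["url"]).path.rsplit("/", 1)[-1]
            if e["ts"] - ts <= WINDOW_SECONDS and name.lower().endswith(EXECUTABLE_EXT):
                alerts.append({"shared_page": shared_url, "landing_host": host, "file": name})
    return alerts

def ev(ts, tab, kind, url, referrer=""):
    return {"ts": ts, "tab": tab, "type": kind, "url": url, "referrer": referrer}

SAMPLE_EVENTS = [  # constructed telemetry with placeholder hosts, not campaign data
    ev(0, 1, "nav", "https://chatgpt.com/s/EXAMPLE_ID", "https://search.example/?q=chatgpt"),
    ev(20, 1, "nav", "https://fake-download.example/", "https://chatgpt.com/s/EXAMPLE_ID"),
    ev(35, 1, "download", "https://fake-download.example/files/ChatGPT-Setup.exe"),
    # Benign: a shared page that links to the vendor's own download page.
    ev(50, 2, "nav", "https://chatgpt.com/download", "https://chatgpt.com/s/OTHER_ID"),
    ev(60, 2, "download", "https://chatgpt.com/download/ChatGPT.dmg"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the hand-off from user-authored content to a host outside the vendor's own domains, so it does not depend on the landing domain already having a bad reputation.
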
This is a live campaign which is still generating detections across our customer base at the time of writing. Push customers are already protected and do not need to take further action. The malicious page URLs can be found at the end of this report but are not exhaustive and are liable to change.

A fake page, not a fake conversation

Previously reported variants relied on shared conversations — the attacker created a chat that contained step-by-step instructions for the victim to follow, typically involving pasting a command into their terminal. The social engineering was conversational: the "AI assistant" appeared to be helpfully guiding the user through an installation process.

But now, rather than a shared conversation, the attacker has used ChatGPT's code rendering feature to create a fully designed, self-contained web page hosted at a chatgpt.com/s/ URL. It renders as what appears to be a ChatGPT service disruption notice:

[Figure: The fake "high traffic" page rendered inside a ChatGPT shared content URL. Note the "Show code" and "Remix with ChatGPT" buttons at the top, which reveal that this is actually rendered HTML/CSS code rather than a real ChatGPT system page.]

A professional-looking error message reads: "We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue." A prominent download button sits below.

The "Show code" toggle at the top of the page reveals what's actually happening — the entire thing is custom HTML and CSS, authored to mimic a ChatGPT system notice, rendered using ChatGPT's code output feature.
A web page inside a web page, hosted on a domain that every URL reputation system in the world considers safe.

[Figure: The same page with the code panel open, showing the HTML/CSS source code that generates the fake service disruption notice.]

The download page

Clicking the download button redirects the user to openew[.]app, which presents a convincing clone of ChatGPT's official desktop application download page — complete with OpenAI branding, macOS and Windows download buttons, a Chrome extension link, and a mobile download section.

[Figure: The fake ChatGPT download page hosted at openew[.]app. The design closely replicates OpenAI's legitimate download page.]

[Figure: Real ChatGPT download page for comparison: chatgpt.com/download.]

The site also displays differently depending on who visits it. When Push researchers examined the URL via URLScan, the scanner was redirected to a different page entirely — a generic AR/VR company website with no obvious connection to ChatGPT.

Real users in a browser see the fake download page; automated scanners and...