LLMShare Turns Trusted AI Domains Into Malware Delivery Infrastructure

Lucas Oliveira · Research
June 3, 2026
Executive Summary

Push Security disclosed a live campaign it tracks as LLMShare, where attackers abuse shared content features on ChatGPT and Claude to stage malware delivery on domains users and security tools already trust. The campaign begins with malvertising and SEO poisoning, pushes victims onto chatgpt.com or claude.ai shared pages, and then redirects them toward a malicious payload path that looks legitimate at every step.

The important shift is structural. Traditional controls such as domain reputation, basic URL filtering, and casual user URL checks are less effective when the first-stage landing page is genuinely hosted on a trusted AI platform. For defenders, this is another reminder that modern phishing campaigns increasingly abuse legitimate platforms instead of disposable attacker-owned infrastructure.

What happened?

According to Push Security's May 29, 2026 report, attackers are using search-engine ads and poisoned search results to capture users looking for ChatGPT-related downloads, free access, or common misspellings. Push says it observed searches such as chatgpt, chatgpt free, chat gpt, chatgo, chatgot, and cvhatgpt leading to shared AI content pages.

The campaign uses two related variants:

  • a ChatGPT variant that abuses ChatGPT's code rendering feature to display a fake service disruption page hosted under a chatgpt.com/s/ shared URL
  • a Claude variant that uses a shared claude.ai conversation disguised as installation guidance, including a malicious curl command

Push characterizes the technique as part of the broader ClickFix family, specifically an InstallFix style of attack where victims are guided into downloading or executing attacker-controlled content under the pretense of solving a normal software problem.

Attack chain

1. Search traffic is captured

The first stage is not email. Push says search remains a dominant malware delivery channel and that, in its own data, ClickFix attacks are reached through search results rather than email in 4 out of 5 cases.

2. Victims land on trusted AI domains

Instead of sending victims directly to an obviously suspicious domain, the campaign routes them to pages hosted on chatgpt.com or claude.ai. This is the core evasion advantage: the landing URL inherits the trust of a legitimate platform.

3. The page looks native enough to pass casual inspection

In the ChatGPT variant, the attacker used rendered HTML and CSS inside a shared ChatGPT page to mimic a genuine "high traffic" or service disruption notice. The page tells the user to download the desktop app to continue.

This makes the attack more dangerous than a simple fake chat transcript. The user is no longer reading obviously odd social engineering instructions to paste terminal commands. They are interacting with what appears to be a normal product message inside a real ChatGPT page.

4. The victim is redirected to fake download infrastructure

Clicking the download button leads to openew[.]app, which Push says impersonates the real ChatGPT download page with OpenAI branding, platform-specific download buttons, and a convincing layout.

5. Security tooling is selectively deceived

Push reports that the infrastructure used conditional rendering. Real browser users saw the fake ChatGPT download flow, while URLScan was shown a benign AR/VR company site. That kind of split behavior complicates static scanning and weakens IOC-only workflows.

6. Malware is delivered

The downloaded executable posed as "ChatGPT for Desktop" and was flagged on VirusTotal, according to Push. In the Claude variant, the user is instead pushed into executing a malicious curl command, again using a trusted AI page as the lure.

Why this matters

The value of this technique is not just that it delivers malware. It exploits a gap in how many organizations model web trust.

Many defensive layers still assume:

  • trusted domain means lower risk
  • user verification of the visible URL is meaningful
  • malicious hosting will usually sit on attacker-controlled infrastructure

LLMShare breaks that model. The visible domain is legitimate. The content is attacker-controlled. The second-stage infrastructure can rotate quickly. That combination reduces the usefulness of simple reputation checks and moves the detection problem into user journey, page behavior, and browser interaction telemetry.

Push also frames LLMShare as part of a much broader 2026 pattern: attackers systematically weaponizing legitimate platforms for delivery, hosting, and impersonation. That makes this less of a one-off novelty and more of a repeatable operating model.

Defender takeaways

Treat trusted platforms as potentially hostile content containers

Security teams should distinguish between a trusted domain and trustworthy content. Shared pages, collaborative workspaces, CDN-hosted artifacts, and legitimate SaaS content layers can all become attacker-controlled surfaces.

Prioritize search-driven attack paths

If your detections still center on email, you are missing a large slice of user-driven compromise risk. Search-to-browser journeys now deserve the same attention as inbox-to-click journeys.

Hunt for platform-abuse patterns, not just IOCs

Push explicitly notes that short-lived indicators have limited value because adversaries can rotate pages and downstream infrastructure rapidly. That increases the importance of threat intelligence enriched with browser, referral, and redirect context.

Expect better impersonation inside real products

The rendered ChatGPT page is operationally more dangerous than the earlier "copy this terminal command" social engineering because it removes a major visual red flag. Defenders should assume attackers will keep improving how native these fake in-product experiences look.

Immediate actions for defenders

🔴 Immediate actions (0-24h)

  • review web proxy, DNS, and browser telemetry for visits to shared chatgpt.com and claude.ai pages followed by redirects to newly observed download domains
  • hunt for users who searched for AI tool downloads and then executed unsigned or newly downloaded binaries
  • block known malicious destinations such as openew[.]app where confirmed in your environment
  • warn help desk and user-support teams that "ChatGPT desktop app" and "Claude install guide" lures are actively in use
  • review detections for browser-initiated download chains rather than relying only on email-originated alerts

🟠 Near-term hardening (24-72h)

  • expand detections to correlate search queries, landing pages, redirects, and executable downloads in one sequence
  • add extra scrutiny for shared-content URLs on trusted AI and collaboration platforms
  • tune policy around unsanctioned AI tool downloads and installation guidance
  • validate whether existing safe browsing or proxy controls inspect rendered content behavior rather than only domain reputation
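A sketch of the sequence hunt described in the two action lists above (shared AI page, then a click-through to a domain outside your baseline, then an executable download), added here as an example and not taken from Push Security's report. The event tuple layout, the `claude.ai` path prefix, the 10-minute window, the baseline set and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# chatgpt.com/s/ is the shared path named in the report; the claude.ai
# prefix is an assumption to confirm against your own logs.
SHARED_PREFIXES = {"chatgpt.com": ("/s/",), "claude.ai": ("/share/",)}
EXEC_EXT = (".exe", ".msi", ".dmg", ".pkg")
WINDOW = timedelta(minutes=10)  # assumed correlation window

def host_of(url):
    return (urlsplit(url).hostname or "").removeprefix("www.")

def is_shared_ai_page(url):
    return urlsplit(url).path.startswith(SHARED_PREFIXES.get(host_of(url), ()))

def hunt(events, known_domains):
    """Flag shared AI page -> unfamiliar domain -> executable download."""
    hits, state = [], {}
    for ts, user, url, referrer in sorted(events):
        when, host = datetime.fromisoformat(ts), host_of(url)
        s = state.setdefault(user, {})
        if is_shared_ai_page(url):
            s.update(shared=(when, url), hop=None)
            continue
        shared = s.get("shared")
        if not shared or when - shared[0] > WINDOW:
            continue
        # Browsers usually send only the origin cross-site, so match the
        # referrer on host rather than on the full shared-page path.
        if host not in known_domains and host_of(referrer) in SHARED_PREFIXES:
            s["hop"] = host
        if s.get("hop") == host and urlsplit(url).path.lower().endswith(EXEC_EXT):
            hits.append((user, shared[1], url))
    return hits

# Constructed proxy events: (iso_timestamp, user, url, referrer)
SAMPLE = [
    ("2026-06-01T09:00:05", "alice", "https://chatgpt.com/s/abc123", "https://www.google.com/"),
    ("2026-06-01T09:00:40", "alice", "https://get-app.example/download", "https://chatgpt.com/"),
    ("2026-06-01T09:01:02", "alice", "https://get-app.example/files/ChatGPT-Setup.exe", "https://get-app.example/download"),
    ("2026-06-01T09:05:00", "bob", "https://chatgpt.com/s/def456", ""),
    ("2026-06-01T09:05:30", "bob", "https://github.com/org/repo/releases/tool.exe", "https://chatgpt.com/"),
    ("2026-06-01T10:00:00", "carol", "https://chatgpt.com/c/xyz", ""),
    ("2026-06-01T10:00:20", "carol", "https://other.example/setup.msi", "https://chatgpt.com/"),
]
KNOWN = {"github.com"}  # constructed baseline of previously seen domains

if __name__ == "__main__":
    for hit in hunt(SAMPLE, KNOWN):
        print(hit)
```

Only the first chain is flagged: the second download comes from a baselined domain, and the third starts from a private chat URL, not a shared page.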

🟡 Longer-term controls (1-4 weeks)

  • build detections around platform abuse as a class, not only around single campaigns
  • include search malvertising and trusted-domain abuse in awareness training and tabletop exercises
  • feed browser-layer telemetry into detection engineering where possible
  • revisit assumptions in web security architecture that treat platform reputation as a strong standalone signal

Strategic analysis

LLMShare is useful because it shows how AI platform trust can be turned into attack infrastructure without any compromise of the platform itself. Attackers do not need to breach ChatGPT or Claude. They only need to abuse features those platforms intentionally provide.

That is the real security lesson. The attack surface now includes:

  • what a platform hosts on behalf of users
  • how that hosted content is rendered
  • how users arrive there through search and ads
  • how easily the next step in the chain can be rotated or personalized

In practice, this pushes defenders toward browser-centric controls, better campaign correlation, and stronger skepticism about "safe" domains when the content layer is user-generated.

What is LLMShare?

LLMShare is Push Security's name for a technique where attackers abuse shared content on AI chatbot platforms such as ChatGPT and Claude to deliver malware or malicious installation guidance.

Is this a compromise of ChatGPT or Claude?

No. The report describes abuse of legitimate sharing and rendering features, not a platform-side breach.

Why do normal reputation checks struggle here?

Because the initial landing page is hosted on a legitimate, trusted domain, which means reputation and simple URL inspection may incorrectly signal safety.

What is the most important defender lesson?

Do not treat trusted domains as proof that the page content is trustworthy. In this technique, the trust anchor is real but the content and follow-on workflow are malicious.

Why is the ChatGPT rendered-page variant more dangerous?

Because it looks like a native product notice rather than an obviously suspicious chat transcript telling the user to run commands manually.

References

  1. LLMShare: how attackers are turning AI chatbot pages into malware delivery platforms
  2. Fake ChatGPT and Claude pages used to spread malware via malvertising
  3. Attackers abuse ChatGPT to distribute malware disguised as popular utilities
