ProBackend
ai platform abuse social engineering
2 hours ago8 min read

The ChatGPT Outage Scam That Actually Lives Inside ChatGPT

Malicious actors exploit ChatGPT's content-sharing feature to host fake OpenAI outage pages, tricking users into downloading malware disguised as the ChatGPT desktop app in a campaign dubbed LLMShare.

The Scam That Lives Inside ChatGPT

Here's the thing about social engineering that most people miss: the best attacks don't try to trick you into visiting a sketchy website. They hijack something you already trust.

That's exactly what the "LLMShare" campaign does. Instead of sending victims to a domain that looks like openai[.]com but isn't, attackers are publishing fake outage pages through ChatGPT's own sharing infrastructure. The URL in your browser bar is chatgpt.com/s/... — legitimate, verified, and completely weaponized.

Push Security discovered the campaign this month, and it's a textbook example of how AI platform features that were designed for convenience are now being turned into attack vectors. The whole thing unfolds in about thirty seconds, and by the time you realize something's off, you've already clicked download.

How the LLMShare Attack Unfolds

The attack chain starts with a Google ad. Not some shady pop-up or forum link — an actual sponsored search result that appears when you're looking for ChatGPT. That's the first red flag most people ignore, because it is a Google ad, and Google ads feel safe.

Click the ad. You land on chatgpt.com/s/.... Your brain goes, "Okay, this is the real thing." And technically, it is. The page renders inside OpenAI's domain, served from their infrastructure.

But instead of a chat interface, you see this:

"We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue."

It's an outage notice. Plausible, right? ChatGPT goes down all the time. Everyone who's used it has seen that message at some point.

Except this one isn't real. And the page gives it away if you look closely — there are "Show code" and "Remix with ChatGPT" controls visible on the rendered page. That's not something OpenAI puts on their official outage notices. It's a dead giveaway that this is user-generated HTML being rendered through ChatGPT's prompt system.

But most people don't look for that. They see "outage," they want to keep using ChatGPT, and they click the download button.

The Download Trap

Clicking that button doesn't take you to chat.openai.com/download or wherever the real desktop app lives. You get redirected to openew[.]app — a domain that has nothing to do with OpenAI.

Here's where it gets clever: the site uses cloaking. When security scanning tools like URLScan visit openew[.]app, they see a harmless AR/VR company website. But when an actual human who clicked through from the ChatGPT share link lands there, they see a convincing replica of OpenAI's desktop download portal.

The site offers both Windows and macOS installers. Both are malware. BleepingComputer tested the Windows version in an Any.Run sandbox and confirmed it runs commands to detect whether the system is a real machine or a virtualized analysis environment — classic malware evasion technique. If it detects a sandbox, it likely sits idle. If it detects your actual laptop, it deploys whatever payload the operators have ready.

The exact payload hasn't been fully confirmed yet, but Push Security notes that earlier campaigns abusing AI platform sharing features have distributed infostealers — the kind of malware that quietly harvests browser credentials, session cookies, and anything else sitting in your clipboard.

Why This Works So Well

Let me be blunt: this is elegant attack design, and that should worry us more than it probably does.

Traditional phishing relies on deception at the URL level. You get an email that looks like it's from your bank, but the link goes to paypa1-secure-login.com. Security-aware users spot that immediately. Even basic URL inspection catches it.

LLMShare bypasses that entirely. The URL is chatgpt.com/s/.... There's nothing to inspect. No suspicious TLD, no misspelled domain, no red flags at the browser level.

The trust transfer is complete. You trust ChatGPT. Therefore, anything that lives on chatgpt.com is safe. That's the assumption this attack exploits, and it's a reasonable one — until someone proves it wrong.

The campaign also benefits from what I'd call "platform legitimacy laundering." By rendering the attack content through ChatGPT's own HTML/CSS rendering engine, the fake outage page inherits all the visual credibility of the real platform. It looks like ChatGPT because it is being rendered by ChatGPT.

The Broader Pattern: AI Features as Attack Surfaces

LLMShare isn't an isolated incident. It's part of a growing pattern where AI platform features — designed for sharing, collaboration, and convenience — are being systematically abused.

Push Security also observed attacks abusing Claude Artifacts, Anthropic's feature for sharing rendered applications and content. Those campaigns hosted ClickFix-style lures that tricked users into executing malicious terminal commands. Same pattern: legitimate platform feature, weaponized for social engineering.

Earlier this year, threat actors used Google ads to direct users searching for Claude downloads into shared Claude conversations containing malicious installation instructions. Other campaigns abused shared ChatGPT and Grok conversations to run ClickFix attacks — impersonating software installation guides that told victims to paste commands into their terminal.

The pattern is clear:

  • Shared conversations become delivery vehicles for malicious instructions
  • Rendering features (Artifacts, ChatGPT HTML output) become hosts for fake UIs
  • Platform domains provide the trust layer that traditional phishing can't match
  • Google ads provide the distribution channel that makes these campaigns scalable

Each AI platform adds new sharing and rendering capabilities. Each one gets abused within weeks of launch.

What Makes ClickFix Different From Classic Phishing

If you're not familiar with ClickFix, it's worth understanding why it represents an escalation.

Classic phishing tries to get you to enter credentials on a fake page. ClickFix goes further: it tricks you into executing commands directly on your machine. The attack impersonates a software installation guide — "To install the update, open Terminal and paste this command" — and you do exactly that. You hand the attacker execution privileges on your own system.

The ChatGPT and Claude campaigns that Push Security documented use this exact technique. The shared conversation is the installation guide, written to look like official documentation. You follow the steps, you run the commands, your machine is compromised.

LLMShare takes a slightly different approach — it goes for the download instead of the command execution. But the underlying principle is identical: exploit trust in an AI platform to bypass user skepticism at every layer.

ClickFix has also been weaponized through other vectors beyond AI platforms. A massive campaign exploiting a patched SQLi flaw in Ghost CMS (CVE-2026-26980) turned over 700 compromised blogs into ClickFix delivery points, tricking visitors into running malicious terminal commands via fake Cloudflare verification prompts. The same social engineering principle applies: exploit trust in a familiar interface to bypass user skepticism.

How to Spot These Attacks

This is the part where I have to be honest with you: these attacks are getting harder to spot, and that's the problem.

That said, there are still signals:

The URL is too clean. If you're searching for ChatGPT and end up on a chatgpt.com/s/... link that wasn't from your own session, something's off. You didn't generate a share link. Nobody you know sent it to you. Why are you here?

Outage pages shouldn't have "Remix" buttons. Official OpenAI outage notices don't include ChatGPT's interactive controls. If you see "Show code" or "Remix with ChatGPT" on what's supposed to be an outage notice, that's the platform rendering user content — not OpenAI communicating with you.

Download links should be verified independently. Don't click a download button presented inside a shared conversation or rendered page. Navigate to chat.openai.com directly and check if there's actually an outage. Check OpenAI's official status page. If the "outage" exists nowhere else, it doesn't exist.

Google ads aren't gospel. Just because something is labeled "Sponsored" doesn't mean it's OpenAI. Attackers buy Google ads just like everyone else, and the "Sponsored" label only means Microsoft paid for placement — not that the destination is legitimate.

What Platforms Need to Do

I'll say what I think: OpenAI, Anthropic, and the rest of the AI platform operators need to treat their sharing features as attack surfaces, not just UX features.

Right now, ChatGPT's share functionality is essentially a free hosting service for arbitrary HTML. That's powerful for users, sure — but it's also a free hosting service for attackers. The platform could implement basic checks: flag shared pages that contain download links to external domains, warn users when a rendered page includes executable content, or require authentication before displaying certain types of shared material.

None of this would break the feature for legitimate users. It would just make it slightly less convenient for attackers.

Google deserves criticism too. These campaigns run on Google Ads, and the ad review process clearly isn't catching domains that redirect to known-malicious infrastructure. There's a responsibility angle here that the search giant needs to own.

The Bottom Line

The LLMShare campaign is a wake-up call, but not the kind people usually think about.

We spend a lot of time worrying about AI safety in terms of model behavior — jailbreaks, hallucinations, alignment. But there's a whole class of risk that comes from the platform layer: the sharing features, the rendering engines, the distribution channels. These are the things that make AI platforms useful, and they're also the things that make them dangerous when weaponized.

The attackers aren't hacking ChatGPT. They're using it exactly as designed — just in a way OpenAI never intended.

And that's the gap we need to close. Because as long as chatgpt.com/s/... means "safe" in a user's mind, someone will keep turning that assumption against them.

This article covers the LLMShare campaign as reported by Push Security and covered by BleepingComputer. The malware samples referenced have been analyzed in sandboxed environments; do not download or execute any files from unverified sources.

The Scam That Lives Inside ChatGPT

More engineering analysis and backend guidance from ProBackend.
More blogs