Hackers Abuse OpenAI’s Official Domain in Novel “LLMShare” Phishing Campaign
Security firm Push Security has exposed a new attack vector dubbed “LLMShare,” where threat actors exploit ChatGPT’s native sharing features to host phishing pages directly on OpenAI’s official domain. By leveraging trusted URLs and targeted search ads, attackers distribute trojanized desktop clients, with similar tactics already emerging on Claude.

A New Attack Vector: LLMShare
As large language models become deeply integrated into daily workflows, threat actors are continuously evolving their tactics to exploit platform trust. Cybersecurity firm Push Security has recently published a report detailing a novel campaign dubbed “LLMShare,” which abuses legitimate AI sharing mechanisms to deliver malware. Instead of relying on traditional spoofed domains, attackers are hosting malicious content directly on OpenAI’s official infrastructure, making detection significantly more difficult.
The Attack Chain: Trust as a Weapon
The campaign begins with attackers utilizing ChatGPT’s built-in HTML rendering capabilities to craft custom web pages. These pages are then published using the platform’s official “/s/” sharing links, granting them the credibility of an OpenAI domain. To drive traffic, threat actors purchase sponsored search ads on Google that point directly to these legitimate-looking shared links. Because the URLs originate from a trusted domain, both automated security filters and casual users are far less likely to flag them as suspicious.
Once a user clicks the ad, they are greeted with a highly convincing fake “service outage” notification. The page claims that high traffic has temporarily disrupted the web interface and prompts visitors to download a dedicated desktop application to continue using the service. Clicking the download button redirects users to a secondary malicious portal hosting trojanized installers for both Windows and macOS.
Advanced Evasion and Anti-Detection
The LLMShare campaign employs sophisticated cloaking techniques to evade security researchers and automated scanners. When accessed by known security analysis tools or crawlers, the malicious portal displays a completely benign landing page for a fictional virtual reality company. However, when accessed by a targeted victim, the site reveals the actual malware download links. Furthermore, the distributed payloads include environment-checking routines that detect virtual machines or sandboxed setups, halting execution if a research environment is identified.
Cross-Platform Expansion and Security Implications
Push Security notes that this is not an isolated incident targeting a single platform. Researchers have already observed identical attack templates being adapted for Anthropic’s Claude, indicating that threat actors are systematically testing this methodology across major AI providers. The campaign highlights a critical vulnerability in how AI platforms handle user-generated shared content: the inherent trust associated with official domains can be weaponized to bypass traditional security perimeters.
As AI platforms continue to roll out sharing and embedding features, developers must implement stricter content validation, monitor for abuse of sharing endpoints, and educate users about verifying download sources. Until platform-level safeguards catch up, users are advised to exercise extreme caution when prompted to download executables from AI-generated links, even if they appear to originate from official domains.
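For defenders reviewing web proxy logs, the chain described above (a visit to a "/s/" share link followed shortly by an installer download from a different host) can be correlated per user. The following is an added example, not code from Push Security or the original article; the hostname `chatgpt.com`, the 10-minute window, the log layout, and all sample entries are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: platform hostname; the article only names the "/s/" share path.
SHARE_PREFIXES = {"chatgpt.com": ("/s/",)}
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg")  # Windows and macOS installers
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample proxy log: (ISO timestamp, user, requested URL)
SAMPLE_LOG = [
    ("2025-01-01T09:00:00", "alice", "https://chatgpt.com/s/EXAMPLE-ID"),
    ("2025-01-01T09:01:30", "alice", "https://downloads.example.net/ChatGPT-Setup.exe"),
    ("2025-01-01T09:05:00", "bob", "https://chatgpt.com/s/EXAMPLE-ID-2"),
    ("2025-01-01T09:40:00", "bob", "https://vendor.example.org/tool.dmg"),
    ("2025-01-01T10:00:00", "carol", "https://cdn.example.com/app.msi"),
]

def is_share_link(url):
    """True if the URL is a share link on a configured platform host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # exact match, so look-alike hosts fail
    return any(parts.path.startswith(p) for p in SHARE_PREFIXES.get(host, ()))

def is_offsite_installer(url):
    """True if the URL fetches an installer from a host other than the platform."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host not in SHARE_PREFIXES and parts.path.lower().endswith(INSTALLER_EXTS)

def find_share_then_download(events, window=WINDOW):
    """Return (user, share_url, download_url) for each installer download
    that follows the same user's share-link visit within `window`."""
    last_share = {}  # user -> (time, url) of the most recent share-link visit
    alerts = []
    for ts, user, url in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if is_share_link(url):
            last_share[user] = (when, url)
        elif is_offsite_installer(url) and user in last_share:
            seen, share_url = last_share[user]
            if when - seen <= window:
                alerts.append((user, share_url, url))
    return alerts

if __name__ == "__main__":
    for alert in find_share_then_download(SAMPLE_LOG):
        print("ALERT", *alert)
```

A hit is a lead for triage rather than a verdict, since the rule keys on sequence and timing and not on the content of the shared page.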