Why did AI platforms become the perfect place to house hidden viruses?
The attackers have found an unpleasant way to use trust in the ChatGPT domain. They publish fake pages with a message about a bounce directly through the ChatGPT shared link function, and then slip users malware under the guise of an OpenAI desktop application.
The LLMShare campaign was detected by Push Security. The attack starts with Google ads designed for people who are looking for ChatGPT. After the click, the user does not get to a suspicious third-party site, but to the shared access page on the chatgpt.com domain. This is what makes the scheme more dangerous than conventional phishing: the address looks legitimate and is associated with a real OpenAI service.
On the page, instead of the usual correspondence, a neatly issued notification of the alleged temporary inaccessibility of the web version is shown. The user is explained that the service is overloaded due to the large number of visitors, and offer to continue working through a desktop application. The load button is no longer leading to OpenAI, but to a fake site.
An important detail is that a fake notification is not placed on the infrastructure of the attackers in the usual form. The page is drawn by ChatGPT itself. The attackers prepared HTML and CSS through a request to the model, published the result as a general link and received a convincing plug on this domain chatgpt.com.
Push Security notes that this page shows controls like “Show code” and “Remix with ChatGPT”. They show that the malfunction notification is collected as a custom HTML code, and not as an OpenAI system message. For an ordinary visitor, this difference may be imperceptible, especially if the transition began with an advertisement in the search.
After clicking on the user download button, the openew[.app” button is transferred to the openew website. It simulates the download page of the OpenAI desktop application and offers versions for macOS and Windows. Both downloads, according to researchers, install malware.
The site uses camouflage. When it was opened by link verification systems, such as URLScan, they were shown a harmless page of the company from the field of augmented and virtual reality. Targeted visitors were given a fake ChatGPT download page. Such a technique helps to hide the malicious infrastructure longer from automatic analyzers and security services.
The exact set of malicious functions has not yet been disclosed. The researchers do not specify which programs are installed on the devices in the final of the attack. However, similar campaigns, where common access functions were abused on AI platforms, previously distributed data captors. Such malware usually searches for passwords, cookies, session tokens, crypto wallets, and other information that can be monetized quickly.
Verification of the Windows version in Any.Run showed that the file executes commands to evaluate the environment. The program is trying to understand whether it is running on a real computer or in a virtual machine. This behavior is often used by malicious downloaders and spyware so as not to reveal the main activity in the sandboxes of researchers.
LLMShare is not the only example of an attack through the content publishing functions in AI services. Push Security also observed the abuse of Claude Artifacts, anthropic mechanism to showcase interactive pages and applications. In these cases, the attackers placed ClickFix bait: the user was persuaded to execute commands manually, ostensibly to fix the error or install the desired program.
Similar schemes have appeared before. In one campaign, attackers bought Google ads for queries related to the Claude loading, and then led people to shared pages with malicious instructions. In other cases, ChatGPT and Group’s general links were used for fake software installation executives, where the victim was asked to execute the commands that install the malware.
The main problem with such attacks is that attackers cease to rely only on fake domains. They use real AI platforms, real addresses and the usual shared access interface. Therefore, not only the domain should be suspicious, but also the script itself: if the page with chatgpt.com suddenly reports a failure and offers to download the application from another site, it is better to close such a download and go to the official resource manually.
The attackers have found an unpleasant way to use trust in the ChatGPT domain. They publish fake pages with a message about a bounce directly through the ChatGPT shared link function, and then slip users malware under the guise of an OpenAI desktop application.
The LLMShare campaign was detected by Push Security. The attack starts with Google ads designed for people who are looking for ChatGPT. After the click, the user does not get to a suspicious third-party site, but to the shared access page on the chatgpt.com domain. This is what makes the scheme more dangerous than conventional phishing: the address looks legitimate and is associated with a real OpenAI service.
On the page, instead of the usual correspondence, a neatly issued notification of the alleged temporary inaccessibility of the web version is shown. The user is explained that the service is overloaded due to the large number of visitors, and offer to continue working through a desktop application. The load button is no longer leading to OpenAI, but to a fake site.
An important detail is that a fake notification is not placed on the infrastructure of the attackers in the usual form. The page is drawn by ChatGPT itself. The attackers prepared HTML and CSS through a request to the model, published the result as a general link and received a convincing plug on this domain chatgpt.com.
Push Security notes that this page shows controls like “Show code” and “Remix with ChatGPT”. They show that the malfunction notification is collected as a custom HTML code, and not as an OpenAI system message. For an ordinary visitor, this difference may be imperceptible, especially if the transition began with an advertisement in the search.
After clicking on the user download button, the openew[.app” button is transferred to the openew website. It simulates the download page of the OpenAI desktop application and offers versions for macOS and Windows. Both downloads, according to researchers, install malware.
The site uses camouflage. When it was opened by link verification systems, such as URLScan, they were shown a harmless page of the company from the field of augmented and virtual reality. Targeted visitors were given a fake ChatGPT download page. Such a technique helps to hide the malicious infrastructure longer from automatic analyzers and security services.
The exact set of malicious functions has not yet been disclosed. The researchers do not specify which programs are installed on the devices in the final of the attack. However, similar campaigns, where common access functions were abused on AI platforms, previously distributed data captors. Such malware usually searches for passwords, cookies, session tokens, crypto wallets, and other information that can be monetized quickly.
Verification of the Windows version in Any.Run showed that the file executes commands to evaluate the environment. The program is trying to understand whether it is running on a real computer or in a virtual machine. This behavior is often used by malicious downloaders and spyware so as not to reveal the main activity in the sandboxes of researchers.
LLMShare is not the only example of an attack through the content publishing functions in AI services. Push Security also observed the abuse of Claude Artifacts, anthropic mechanism to showcase interactive pages and applications. In these cases, the attackers placed ClickFix bait: the user was persuaded to execute commands manually, ostensibly to fix the error or install the desired program.
Similar schemes have appeared before. In one campaign, attackers bought Google ads for queries related to the Claude loading, and then led people to shared pages with malicious instructions. In other cases, ChatGPT and Group’s general links were used for fake software installation executives, where the victim was asked to execute the commands that install the malware.
The main problem with such attacks is that attackers cease to rely only on fake domains. They use real AI platforms, real addresses and the usual shared access interface. Therefore, not only the domain should be suspicious, but also the script itself: if the page with chatgpt.com suddenly reports a failure and offers to download the application from another site, it is better to close such a download and go to the official resource manually.
