ChatGPT Is Now a Malware Delivery Platform: The "LLMShare" Campaign Explained

Published June 4th, 2026 by Bayonseo

Researchers have discovered a new attack campaign in which hackers spread malware by abusing ChatGPT's built-in sharing capability. The malicious pages are hosted on OpenAI's own domain. The campaign, known as "LLMShare," is currently active on ChatGPT, and comparable attacks have also been observed on Claude. While staying inside a genuine OpenAI URL, the technique uses the AI chat interface to show a phony "ChatGPT for Desktop" download page that links to malware.


How the Attack Works

Using ChatGPT's content-rendering functionality, attackers produce a convincing HTML page that appears to be an official service-disruption notification. The "Show code" and "Remix with ChatGPT" buttons on the page indicate that this is not an official OpenAI announcement. However, the page feels much more reliable than a random phishing site because it is hosted on OpenAI's own domain (chatgpt.com).

The fictitious outage notification says: "We're experiencing high traffic right now. Due to a high volume of users, our website is now inaccessible. To continue, download our desktop app." A plausible replica of ChatGPT's official download page appears when the download button is clicked, and it contains:

  • OpenAI logos and branding
  • Distinct download buttons for Windows and macOS
  • A link to a Chrome add-on

To evade detection, the malicious website employs cloaking: security scanners and bots are served an entirely different, typically benign page, while actual visitors see the phony download page. This makes it far harder for security teams to locate the malicious infrastructure.



Why the Attack Works (and Why It's Dangerous)

According to Push Security researchers, the attack mostly depends on user trust. "A fake outage page sitting inside a real ChatGPT share link feels much more believable than a random phishing site, which lowers suspicion quickly," says Pete Luban, Field CISO at AttackIQ. "The user sees a trusted domain, a familiar product, and a plausible reason to download something."

The attacker gains a foothold once the user installs the malware. The true risk, according to Luban, is what happens after the click: credential theft, remote access, or further lateral movement through the network. While an unprepared business would dismiss the incident as "just a user mistake," attackers are actively using this initial access to search for open routes and important data.


Not Just ChatGPT – The Campaign Is Growing

A similar tactic was also seen on Claude, where hackers set up a shared chat that appeared to be an installation tutorial for "Claude Code on Mac," purportedly authored by "Apple Support." The appearance of similar variants of this attack on several AI platforms implies that hackers are methodically testing different social engineering techniques to increase their impact.

In previous attacks, thieves have bought sponsored Google search results that produced modified ChatGPT responses, deceiving victims into installing Atomic macOS Stealer.


How to Protect Yourself

Since the attack makes use of trustworthy, reputable domains, conventional URL filters might not be helpful in this situation. Instead, you should:

  • Be suspicious of any unsolicited prompts or messages that ask you to download software from links inside AI chat platforms.
  • Verify official sources by navigating directly to OpenAI’s or Claude’s official website, rather than clicking on links from search ads or shared chat pages.
  • Monitor your environment for unusual downloads or unexpected requests for desktop app installations, especially those originating from AI chat platforms.
  • Educate your teams that trusted domains alone are no longer a guarantee of safety; adversaries can now host malicious content on fully legitimate infrastructure.
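
One way to implement the monitoring point above, shown as an added example that is not from the original article or from the researchers it cites: a Python filter over web-proxy records that flags installer downloads referred by an AI chat site and served from a host outside the organization's approved list. The JSON field names, the approved-host placeholder, the extension list and the sample records are all assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumptions, not from the article: the JSON field names, the approved-host
# placeholder and the extension list. Adapt them to your proxy or EDR schema.
AI_CHAT_HOSTS = {"chatgpt.com", "claude.ai"}
APPROVED_DOWNLOAD_HOSTS = {"approved-downloads.example"}  # placeholder
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".crx")

def parse(url):
    """Return (hostname, path) lower-cased, or ('', '') if unusable."""
    if not isinstance(url, str):
        return "", ""
    try:
        parts = urlsplit(url)
        return (parts.hostname or "").lower(), parts.path.lower()
    except ValueError:
        return "", ""

def in_set(host, hosts):
    """True if host equals, or is a subdomain of, an entry in hosts."""
    return any(host == h or host.endswith("." + h) for h in hosts)

def suspicious_downloads(log_lines):
    """Installer from a non-approved host, referred by an AI chat site."""
    hits = []
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the run
        if not isinstance(ev, dict):
            continue
        dl_host, dl_path = parse(ev.get("url"))
        ref_host, _ = parse(ev.get("referer"))
        if (dl_path.endswith(INSTALLER_EXTS)
                and in_set(ref_host, AI_CHAT_HOSTS)
                and not in_set(dl_host, APPROVED_DOWNLOAD_HOSTS)):
            hits.append((ev.get("user"), dl_host, dl_path))
    return hits

# Constructed sample proxy records (JSON lines); every value is made up.
SAMPLE_LOG = [
    '{"user":"alice","url":"https://cdn.files-mirror.example/ChatGPT-Setup.exe","referer":"https://chatgpt.com/"}',
    '{"user":"bob","url":"https://approved-downloads.example/app/ChatGPT.dmg","referer":"https://chatgpt.com/"}',
    '{"user":"carol","url":"https://cdn.files-mirror.example/report.pdf","referer":"https://claude.ai/"}',
    '{"user":"dave","url":"https://dl.other.example/tool.pkg","referer":"https://notchatgpt.com/"}',
    'not json',
    '{"user":"erin","url":"https://get.unknown.example/Claude-Code.pkg?x=1","referer":"https://claude.ai/"}',
]
```

The filter matches on the referrer's host only, since browsers commonly send just the origin on cross-site requests. Records with no referrer at all need a separate correlation, for example by user and time window.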


How Bayon Technologies Group Can Help You Stay Safe

At Bayon Technologies Group, we assist companies in defending themselves against social engineering and attacks that exploit reliable systems. Among the services we offer are:

  • Sophisticated threat detection that finds unusual website content and masking strategies by looking beyond domain reputation.
  • Security awareness training that instructs users to spot and report dubious downloads and prompts, even when they come from reliable sources.
  • Ongoing surveillance to identify early indicators of compromise, like unexpected installations of desktop programs or network connections to unidentified infrastructure.
  • Incident response to swiftly contain and fix a malware or phishing campaign that has been successful.

Attackers are becoming more adept at hiding within the very platforms you rely on. To create a robust, multi-layered security posture that stays ahead of changing threats, get in touch with Bayon Technologies Group today!

