HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Threat Actors Abuse ChatGPT Share Links to Host Fake Outage Pages Delivering Malware

Threat actors are exploiting OpenAI's ChatGPT Share feature to publish counterfeit outage notices that lure users into downloading malware. The malicious pages are hosted on the legitimate chatgpt.com domain, making detection difficult and expanding the supply‑chain risk for organizations that rely on AI SaaS tools.

LiveThreat™ Intelligence · 📅 May 30, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Threat Actors Abuse ChatGPT Share Links to Host Fake Outage Pages Delivering Malware

What Happened — Threat actors are leveraging OpenAI’s “ChatGPT Share” feature to publish malicious pages that mimic an official outage notice. When users click the “Download desktop app” button they are redirected to a counterfeit OpenAI download site that serves Windows and macOS malware.

Why It Matters for TPRM

  • The abuse occurs on a legitimate chatgpt.com domain, bypassing many URL‑based defenses.
  • Malware distribution via a trusted SaaS platform expands the attack surface of any organization that permits employee use of AI tools.
  • Similar tactics have been observed on other AI platforms, indicating a growing supply‑chain style threat vector.

Who Is Affected — SaaS/AI providers, enterprises that integrate ChatGPT into workflows, and end‑users across all industries.

Recommended Actions

  • Block or closely monitor outbound traffic to chatgpt.com/s/* URLs.
  • Educate users that OpenAI does not distribute desktop installers via shared links.
  • Deploy web‑gateway URL‑reputation controls that flag redirects to unknown domains (e.g., openew.app).
  • Review third‑party risk assessments for AI SaaS vendors to ensure they cover content‑sharing abuse scenarios.

Technical Notes — The campaign (named “LLMShare”) uses Google Ads to drive search traffic to a crafted shared link (chatgpt.com/s/...). The page renders custom HTML/CSS via ChatGPT’s rendering engine, displaying a fake outage banner and a download button. The download redirects to openew.app, which hosts cloaked malware binaries that perform VM detection and install infostealers. Similar abuse has been reported on Claude (Anthropic) and Grok (Microsoft). Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/chatgpt-share-links-abused-to-host-fake-outage-pages-to-deliver-malware/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →