Malware delivery through chatgpt.com/s links
ChatGPT share links have been abused to host a fake OpenAI outage page on the chatgpt.com domain. The lure looks ordinary enough to lower suspicion, then pushes a download prompt that leads away from OpenAI to a malware delivery chain. The odd part is not the phishing trick itself, but the fact that the trusted domain is doing half the attacker’s work.
How the lure lands on a trusted OpenAI domain
Search traffic can send people straight into shared ChatGPT content. In this campaign, Google ads captured searches for ChatGPT and redirected users to malicious shared pages hosted on chatgpt.com. That gives the lure an odd kind of credibility: the address bar shows a legitimate OpenAI domain, so many users stop checking.
Search traffic, shared links and the fake outage page
The page posed as a temporary service problem and used messages such as “We’re experiencing high traffic right now,” and “Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.” That is a neat bit of social engineering because it turns a normal annoyance into a reason to click.
The fake notice was not a static webpage on an attacker domain. It was rendered through ChatGPT with custom HTML and CSS inside the shared content feature. The result is awkward for defenders who rely too heavily on domain reputation. A malicious page on a trusted domain tends to get treated as boring until it does something unpleasant.
Why rendered HTML inside ChatGPT changes the trust boundary
Once a platform renders attacker-controlled HTML, the boundary shifts. The shared link is no longer just a conversation or a text snippet. It can become a branded lure with buttons, layout and messaging that look more polished than a normal phishing page.
That also makes content-sharing features awkward from a security point of view. The platform is trusted, the page is trusted, and the actual content is not. That is a useful shape for social engineering and a miserable one for simple blocklists.
The delivery chain from click to payload
The download button did not lead to a normal OpenAI download path. It redirected victims to openew[.]app, a cloaked site built to impersonate OpenAI’s download portal. From there, the site served malware dressed up as ChatGPT desktop software for macOS and Windows.
From the download button to the openew[.]app impostor portal
The impostor site handled the hand-off. The victim sees a familiar prompt, clicks to continue, then lands on a separate portal that carries the rest of the deception. That split matters because the first page wins trust and the second page does the dirty work.
Cloaking made the portal more annoying to inspect. Some security checks saw a harmless AR and VR company site instead of the malicious download page. That kind of mismatch is a reminder that a live sample and a scanner result are not always the same thing.
Desktop application imposture across Windows and macOS
The payloads were presented as desktop application downloads for both Windows and macOS. That is a sensible choice for attackers because “download the app” sounds like normal support guidance, not a trap. It also fits neatly with the idea that the web app is unavailable and the desktop app is the approved escape hatch.
The malicious path also overlaps with earlier abuse of AI content-sharing features for ClickFix-style lures and infostealer delivery. The pattern is simple: use the platform’s own rendering and sharing machinery to borrow trust, then move the target onto a separate download flow.
Cloaking, environment checks and what analysts still could not see
Analysis of a Windows sample showed environment-check commands that looked for clues about whether the host was a physical machine or a virtual machine. That is a common way to slow down sandbox analysis and reduce visibility.
The final payload was not fully clear in the reporting, which is not unusual. Attackers often do not bother making the first wave obvious if the delivery chain already gets them what they want. In practice, that means the download site and the imposture matter just as much as the last binary.
What to block, watch and verify now
Block access to known malicious shared links where possible, but do not treat chatgpt.com as harmless just because the domain is familiar. Shared content on trusted platforms can carry attacker-controlled rendering, which means your browser filters need more than domain reputation.
Watch for search advertising that routes users to shared content pages rather than normal product pages. That traffic pattern is a decent clue when a brand search lands on something that looks like support or outage messaging.
Verify any prompt telling users to download a desktop app from an outage notice, especially when the browser path starts on a trusted AI domain and then jumps elsewhere. A legitimate service outage does not need an unexplained detour through a clone download portal.
Treat “Show code” and “Remix with ChatGPT” style controls as a sign that the page is rendered content, not a fixed support page. If users are expected to click through an outage banner into a local installer, the page should be treated as hostile until proved otherwise.



