Overview
Threat actors have discovered a novel abuse vector targeting ChatGPT users: publicly shareable ChatGPT conversation links are being weaponized to host convincing fake OpenAI service outage pages. These pages display fabricated "ChatGPT is currently unavailable" messages and prompt visitors to download a trojanized ChatGPT desktop application that installs malware on their systems.
The technique leverages the trust users place in chat.openai.com URLs — since the phishing content is hosted on OpenAI's own sharing infrastructure, standard URL-based security controls that block known-bad domains provide no protection.
How the Attack Works
Step 1: Creating the Malicious Share Link
Attackers use ChatGPT's built-in conversation sharing feature — designed for legitimate users to share their chat histories publicly — to create a convincing fake "outage notification" conversation. The shared conversation renders in a browser at a legitimate chat.openai.com/share/... URL.
Step 2: The Fake Outage Page
The shared content mimics an OpenAI system status notification, informing visitors that ChatGPT is experiencing a service disruption and that they should:
- Download the "ChatGPT Desktop App" to access an offline-capable version
- Or install a "service continuity tool" that maintains access during outages
The page is designed to create urgency and exploit the trust of users who rely on ChatGPT for daily work.
Step 3: Malware Delivery
Victims who click the download link receive a trojanized installer. The malicious payload has been observed to include:
- Infostealers — harvesting browser-saved credentials, cookies, and session tokens
- Clipboard hijackers — monitoring and replacing cryptocurrency addresses
- Keyloggers — capturing typed credentials in real time
- Backdoors — establishing persistent remote access to compromised systems
Why This Attack Is Particularly Effective
| Factor | Impact |
|---|---|
| Trusted domain | Hosted on chat.openai.com — bypasses domain reputation filters |
| Plausible pretext | ChatGPT outages are real and users have experienced them |
| High-value targets | ChatGPT users are often professionals with access to corporate systems |
| No technical barrier | Exploits an existing legitimate platform feature — no hacking required |
| Scalable | Attackers can create many share links rapidly and cycle through them |
The Broader AI Platform Abuse Trend
This attack is part of a growing pattern of AI platform abuse observed throughout 2026:
- Fake OpenAI repositories on Hugging Face distributing infostealer malware (May 2026)
- Google Ads targeting Claude AI chat users to push macOS malware (May 2026)
- Claude AI Artifacts abused for ClickFix attacks delivering MacSync infostealer
- North Korean actors using AI-generated video content in ClickFix cryptocurrency attacks
As AI platforms gain mainstream adoption, they become high-value phishing and malware delivery targets precisely because users have developed trust in their associated domains and branding.
Indicators of Compromise
Organizations should watch for:
- Downloads of executables from chat.openai.com/share/ links — OpenAI does not distribute software this way
- Process execution of unsigned or suspiciously named installers following browsing of AI platform pages
- Sudden credential theft alerts or unusual authentication from known-good user accounts
- Network connections to unusual C2 infrastructure shortly after ChatGPT-related web activity
Recommendations
For End Users
- OpenAI does not distribute desktop software through shared chat links — any such prompt is a scam
- Download ChatGPT applications only from official sources: openai.com or verified app stores
- If you believe you downloaded a malicious file, immediately revoke browser sessions and rotate passwords for all accounts accessible from that device
- Enable hardware-backed MFA on critical accounts — session cookies stolen by infostealers can bypass SMS-based 2FA
For Security Teams
- Block downloads from chat.openai.com/share/ URLs — this path should not be a software distribution vector
- Alert on executables downloaded from AI platform share domains
- Monitor for process creation events following browser visits to AI sharing URLs
- Brief employees on AI platform impersonation attacks — the trusted-domain angle makes this threat particularly convincing
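The download alerting described under Indicators of Compromise and in the list above can be prototyped against web proxy logs. The following is an added example, not code from the original article or from OpenAI; the pipe-delimited log format, the extension list, the 10-minute window and every sample record are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SHARE_HOSTS = {"chat.openai.com"}   # share host named in this article
SHARE_PREFIX = "/share/"
EXEC_EXT = (".exe", ".msi", ".dmg", ".pkg", ".scr", ".bat", ".ps1")  # assumed list
WINDOW = timedelta(minutes=10)      # assumed correlation window

# Constructed sample proxy records, sorted by time: time|client|url|referer
SAMPLE_LOG = """\
2026-05-20T09:00:05|10.0.0.15|https://chat.openai.com/share/EXAMPLE-1|-
2026-05-20T09:01:40|10.0.0.15|https://files.example.test/ChatGPT-Setup.exe|https://chat.openai.com/share/EXAMPLE-1
2026-05-20T09:02:00|10.0.0.22|https://vendor.example.test/tool.msi|https://vendor.example.test/downloads
2026-05-20T09:03:10|10.0.0.31|https://chat.openai.com/share/EXAMPLE-2|-
2026-05-20T09:07:45|10.0.0.31|https://cdn.example.test/continuity-tool.dmg|-
2026-05-20T11:30:00|10.0.0.31|https://cdn.example.test/update.pkg|-
"""

def is_share_url(url):
    """True only for an exact share host and the /share/ path prefix."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host in SHARE_HOSTS and parts.path.startswith(SHARE_PREFIX)

def is_executable(url):
    """Match on the URL path so query strings do not hide the extension."""
    return urlsplit(url).path.lower().endswith(EXEC_EXT)

def find_suspect_downloads(log_text):
    """Return (client, url, reason) for executable downloads tied to a share page."""
    last_share = {}   # client -> time of most recent share-page visit
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer = line.split("|")
        when = datetime.fromisoformat(ts)
        if is_share_url(url):
            last_share[client] = when
        elif is_executable(url):
            if is_share_url(referer):
                alerts.append((client, url, "referer"))
            elif client in last_share and when - last_share[client] <= WINDOW:
                # Referer stripped or missing: fall back to time correlation.
                alerts.append((client, url, "time-window"))
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_downloads(SAMPLE_LOG):
        print(alert)
```

The time-window fallback matters because the Referer header is often absent on downloads; the same correlation can be extended to endpoint process-creation events where that telemetry is available.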
For OpenAI
Shared chat content that contains download links or mimics service status pages represents an abuse of the sharing feature. Proactive filtering of shared conversations containing executable download links or outage-mimicking content would significantly reduce attacker effectiveness.
Key Takeaways
- Attackers are hosting malware delivery pages inside legitimate ChatGPT shared conversation links — exploiting the trusted chat.openai.com domain
- The fake outage pretext is effective because ChatGPT service interruptions are a real user experience
- Infostealers delivered through this vector target browser-saved credentials, session tokens, and cryptocurrency wallets
- OpenAI does not distribute software through conversation share links — any such prompt is malicious
- This attack requires no technical exploit — it is a pure social engineering abuse of a legitimate platform feature