Threat Actors Abuse ChatGPT Chats to Host Fake Outage Page, Deliver Malware
Security researchers in recent months have documented threat actors exploiting shared content features in AI chatbots like OpenAI’s ChatGPT and Anthropic’s Claude to lure unsuspecting users into downloading malware, an example of how attackers are increasingly targeting individuals’ trust in AI platforms.
Researchers with Push Security recently detected a campaign they label LLMShare that has advanced bad actors’ methods, moving beyond planting terminal commands in shared conversations. Instead, the latest attacks show hackers using ChatGPT’s code-rendering capabilities to build a fake error page inside a shared chat aimed at convincing users to download malware that is made to look like the chatbot’s desktop app.
Previous tactics leaned on shared conversations: the bad actor created a chat containing instructions that had victims paste a command into their terminal, with the AI chatbot appearing to help them through an installation process.
“But now, rather than a shared conversation, the attacker has used ChatGPT’s code rendering feature to create a fully designed, self-contained web page,” Keanu Maharaj, senior security researcher at Push, wrote in a report. “It renders as what appears to be a ChatGPT service disruption notice.”
The Appearance of Legitimacy
The notice tells the user that the website is temporarily unavailable due to high traffic and suggests that they install the desktop app, and displays a download button. Users are led to the malicious chat page through Google ads, with the page hosted on a trusted OpenAI domain. If a user clicks on the download button, they’re directed to a legitimate-looking clone of the chatbot’s official desktop app download page that includes OpenAI branding, download buttons for both Windows and macOS users, a mobile download capability and a Chrome extension link.
“The shared-chat technique adds a new dimension: the destination URL itself is genuine (chatgpt.com, claude.ai), which means even a cautious user who checks the URL before clicking will see nothing suspicious,” Maharaj wrote.
A Similar Claude Campaign
The ChatGPT campaign is similar to a variant used by bad actors targeting Claude users, he wrote. In these attacks, a shared chat is disguised as an installation guide for putting the Claude Code developer tool onto a Mac and attributed to Apple Support. The “guide” includes a curl command that downloads and executes malware.
“The fact that both the ChatGPT and Claude variants are appearing in Push customer environments suggests a campaign — or at least a shared playbook — that is actively experimenting with different platforms and different social engineering approaches to find what converts best,” he wrote.
The ChatGPT campaign “is one example of a much broader pattern that has become one of the defining characteristics of the 2026 threat landscape: attackers systematically abusing legitimate platforms as attack infrastructure,” Maharaj wrote. “The scale and variety of this abuse in recent months alone is striking, and it spans every stage of the phishing chain.”
“The key to this campaign is the reliance on user trust,” said Pete Luban, field CISO at AttackIQ. “A fake outage page sitting inside a real ChatGPT share link feels much more believable than a random phishing site, which lowers suspicion quickly. The user sees a trusted domain, a familiar product, and a plausible reason to download something.”
No Reason to Distrust
The ChatGPT rendered-page variant is also a step up from previous attacks, Maharaj wrote. In the case of Claude, the attack surface was visible – victims could recognize that a shared chat instructing them to paste terminal commands might be suspicious, though not all would.
“The rendered-page variant shows nothing that looks like an attack,” he wrote. “It presents what appears to be a routine service disruption with a reasonable call to action: download the desktop app to continue using ChatGPT.”
The variant exploits the trust that users – and traditional security controls – have in such AI platforms. Controls like domain reputation, URL categorization, and safe browsing databases treat chatgpt.com and claude.ai as trusted sites because they are, according to Maharaj.
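Because reputation checks pass on the lure itself, a defender has to look at what happens after the trusted page. The sketch below is an added example, not code from Push Security or anyone quoted here: it walks referrer chains in web-proxy records and flags installer downloads from unapproved hosts that trace back to an AI chat domain. The record layout, the allowlist host, the time window and every `.example` URL are constructed assumptions.

```python
from urllib.parse import urlsplit

AI_CHAT_HOSTS = {"chatgpt.com", "claude.ai"}              # trusted domains named in the article
APPROVED_DOWNLOAD_HOSTS = {"downloads.approved.example"}  # assumption: your own allowlist
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg")
WINDOW_SECONDS = 600  # assumption: max age of the hop that led to the download
MAX_HOPS = 4          # bound on how far back the referrer chain is followed

# Constructed proxy records: (epoch seconds, user, url, referrer).
# Cross-site referrers are origin-only, as browsers commonly send them.
SAMPLE_LOG = [
    (1000, "alice", "https://chatgpt.com/constructed-shared-page", "https://www.google.com/"),
    (1030, "alice", "https://desktop-app.example/download", "https://chatgpt.com/"),
    (1045, "alice", "https://cdn.desktop-app.example/ChatGPT-Setup.exe", "https://desktop-app.example/"),
    (2000, "bob", "https://claude.ai/constructed-chat", ""),
    (2100, "bob", "https://downloads.approved.example/tool.dmg", "https://claude.ai/"),
    (3000, "carol", "https://vendor.example/files/setup.msi", "https://vendor.example/"),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_ai_chat(h):
    return any(h == d or h.endswith("." + d) for d in AI_CHAT_HOSTS)

def find_suspicious_downloads(records):
    """Return (user, download_url, ai_chat_host) for installer downloads from
    unapproved hosts whose referrer chain leads back to an AI chat domain."""
    alerts, arrived = [], {}  # arrived: (user, host) -> (time, host the user came from)
    for ts, user, url, ref in sorted(records):
        h = host(url)
        if urlsplit(url).path.lower().endswith(INSTALLER_EXTS) and h not in APPROVED_DOWNLOAD_HOSTS:
            cur = host(ref)
            for _ in range(MAX_HOPS):
                if is_ai_chat(cur):
                    alerts.append((user, url, cur))
                    break
                prev = arrived.get((user, cur))
                if prev is None or ts - prev[0] > WINDOW_SECONDS:
                    break
                cur = prev[1]
        if host(ref) != h:  # record cross-site arrivals only, so same-site clicks keep the origin
            arrived[(user, h)] = (ts, host(ref))
    return alerts
```

In the constructed log only alice's download is flagged: bob's file comes from an approved host and carol's chain never touches an AI chat domain.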
Targeting Trust
“Although cybersecurity has traditionally treated trust as something to be controlled, modern threat actors increasingly treat trust as something to be exploited,” researchers with European IT services and consulting company Conscia wrote. “This is the defining pattern of many modern intrusions: attackers are not only exploiting technical vulnerabilities. They are exploiting the relationships, identities, tools, and dependencies that organizations already rely on.”
Priyanka Aash, co-founder of agentic AI security platform provider FireCompass, wrote that “the battleground is shifting from infrastructure to trust planes – third‑party providers, collaboration platforms, and user perception. CISOs must assume that any trusted platform (VPN brands, booking systems, messaging apps) can become a vehicle for extortion or intrusion, even when core infrastructure is not technically breached.”
Speaking with DevOps.com last month about recent Shai-Hulud campaigns, Chuck Randolph, senior vice president for strategic intelligence and security at 360 Privacy, said that “modern attacks increasingly exploit trust rather than simply targeting vulnerabilities. Whether it is software ecosystems, digital identities, or interconnected platforms, adversaries are learning to weaponize trusted relationships to gain speed, scale, and operational access.”

