Summary
Key Points:
- Threat actors are exploiting ChatGPT's content-sharing feature to create fake outage pages that lure users into downloading malware disguised as the ChatGPT desktop application.
- The campaign, tracked as "LLMShare," targets users searching for ChatGPT and directs them to a shared page hosted on a legitimate OpenAI domain; a fake outage notice on that page prompts them to download the malware.
- Security teams should monitor for suspicious Google ads, block access to known malicious URLs, and educate users about the risks of downloading applications from unofficial sources.
Technical Details: The attackers use custom HTML and CSS, rendered through ChatGPT's sharing feature, to build a convincing fake outage notice. The download link on that notice points to openew[.]app, a site impersonating OpenAI's legitimate download portal.
MITRE ATT&CK Techniques:
- T1566 - Phishing (Initial Access)
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
IOCs Mentioned:
- openew[.]app
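To act on the recommendation above to block and monitor for the malicious URL, the following is an added example (not code from the report or from any vendor) that refangs the published indicator and runs it over a few constructed proxy-log lines. It also flags the broader pattern behind this campaign: a ChatGPT-branded installer fetched from any host outside an assumed OpenAI allowlist. The log layout, the allowlist (openai.com, chatgpt.com) and the sample hosts other than openew[.]app are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicator from the report, kept in its published defanged form.
DEFANGED_IOCS = ["openew[.]app"]

# Assumed allowlist of hosts a genuine ChatGPT desktop installer may come from.
# Not stated in the report; confirm against your own policy before deploying.
TRUSTED_HOSTS = ("openai.com", "chatgpt.com")

# Matches ChatGPT-branded installer filenames at the end of a URL path.
INSTALLER_RE = re.compile(r"chatgpt[^/]*\.(exe|msi|dmg|pkg|zip)$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('openew[.]app', 'hxxp://') back into a matchable form."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def host_matches(host: str, domain: str) -> bool:
    """True if host is exactly domain or a subdomain of it (no substring matching)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class Finding:
    line_no: int
    url: str
    reason: str


def triage_proxy_log(lines, defanged_iocs=DEFANGED_IOCS, trusted_hosts=TRUSTED_HOSTS):
    """Flag lines whose URL hits an IOC domain, or fetches a ChatGPT installer from a non-trusted host."""
    iocs = [refang(i) for i in defanged_iocs]
    findings = []
    for n, line in enumerate(lines, 1):
        # Assumed log layout: "<timestamp> <client_ip> <method> <url> <status>"
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if any(host_matches(host, ioc) for ioc in iocs):
            findings.append(Finding(n, url, f"IOC domain match: {host}"))
        elif INSTALLER_RE.search(parsed.path) and not any(
            host_matches(host, t) for t in trusted_hosts
        ):
            findings.append(Finding(n, url, f"ChatGPT installer from untrusted host: {host}"))
    return findings


# Constructed sample log lines (not real telemetry); only openew.app comes from the report.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://chatgpt.com/ 200",
    "2024-05-01T10:00:09Z 10.0.0.5 GET https://openew.app/download/ChatGPT-Setup.exe 200",
    "2024-05-01T10:01:00Z 10.0.0.7 GET https://cdn.example-mirror.net/ChatGPT.dmg 200",
    "2024-05-01T10:02:00Z 10.0.0.8 GET https://openai.com/chatgpt/download/ChatGPT.dmg 200",
]

if __name__ == "__main__":
    for f in triage_proxy_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} ({f.url})")
```

Matching on the parsed hostname rather than on the raw line avoids false positives from the indicator appearing in a query string or referrer, and the suffix check keeps `openew.app.evil.test` from matching while still catching subdomains of the indicator. The installer rule is the part worth keeping after this particular domain is burned, since the lure depends on users accepting a "ChatGPT" download from wherever the fake outage page sends them.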