ChatGPT share links abused to host fake outage pages to deliver malware

Cybersecurity researchers have uncovered a sophisticated social engineering campaign that weaponizes a core collaboration feature of OpenAI’s ChatGPT. By exploiting the platform’s "share links"—originally designed to allow users to showcase AI-generated conversations—threat actors are hosting convincing, fake "system outage" pages. These pages instruct unsuspecting users to download a purported ChatGPT desktop application to restore service, which in reality is a credential-stealing Trojan. This evolution in phishing tactics marks a departure from traditional malicious URLs, leveraging the inherited trust of a "chatgpt.com" domain to bypass standard security filters and human intuition.

The tactic relies on the psychology of the modern AI user. As OpenAI’s infrastructure occasionally struggles with high demand, "service unavailable" messages have become a familiar sight for the platform's hundreds of millions of monthly visitors. Hackers are capitalizing on this normalcy. By creating a shared chat link and filling the initial prompt with HTML-like formatting and official OpenAI branding, they can mirror the aesthetic of a legitimate technical support alert. Because the content is hosted on OpenAI’s own infrastructure, the URL appears benign to most email security gateways and firewall blacklists, which typically categorize the domain as a "trusted" productivity tool.

Mechanically, the exploit is an ingenious form of "living-off-the-land" social engineering. The attacker generates a shared conversation link where the AI’s response is manipulated to look like a full-screen notification. When a victim views the link, they are met with a professional-looking interface claiming that web access is currently restricted but that the "desktop client" remains operational. A "Download" button then redirects the user to a third-party file-hosting site or a direct link to a malicious executable. Once installed, the malware—often a variant of RedLine or Lumma Stealer—begins harvesting browser cookies, saved passwords, and cryptocurrency wallet data from the victim’s machine.

This incident underscores a broader shift in the threat landscape: the "trust-washing" of malicious content through reputable SaaS platforms. For years, attackers have used Google Drive, Dropbox, and Microsoft OneDrive to host malware because these domains are rarely blocked in corporate environments. The inclusion of OpenAI in this list was inevitable. However, the interactive nature of ChatGPT adds a layer of complexity; unlike a static PDF on Google Drive, a "shared chat" link feels like a live, verified interaction within a proprietary ecosystem. For enterprise IT departments, this creates a new headache, as they cannot simply block "chatgpt.com" without disrupting legitimate business workflows.

The competitive and regulatory implications are equally significant. As OpenAI prepares to deepen its footprint in the enterprise sector with dedicated desktop applications and deeper OS integrations, the integrity of its communication channels is paramount. This campaign highlights a critical vulnerability in how AI platforms handle user-generated content that mimics system UI. Regulators in the EU and North America, currently focused on AI safety and misinformation, may soon pivot toward "AI-assisted cybercrime" and the responsibilities of platform providers to sanitize shared outputs against UI-spoofing techniques.

Moving forward, the industry must watch how OpenAI and its peers respond to this "identity crisis" of shared links. Potential solutions could involve more aggressive sandboxing of shared content, restricting the use of certain formatting styles that mimic system alerts, or implementing more robust visual cues to distinguish between AI-generated conversation and platform-level notifications. Furthermore, as the "ChatGPT desktop app" remains a primary lure, the official release of more native applications by OpenAI will ironically provide attackers with even more convincing "official" covers for their malware. Vigilance will require a shift in user education: if a chatbot tells you it’s broken, do not look for a fix in the download folder.