Fake ChatGPT Desktop App Ads Used to Push Password-Stealing Malware
Fake ChatGPT desktop app ads distribute password-stealing malware via Google Search ads.
Summary
Hackers are exploiting trusted AI platforms like ChatGPT and Claude through multiple attack vectors. The LLMShare campaign uses sponsored Google ads for "ChatGPT desktop app" queries, redirecting users to legitimate chatgpt.com/s/ URLs where fake outage notices (rendered via ChatGPT's code feature) trick users into downloading malware like Odyssey Stealer. Additional flaws including ChatGPhish exploit AI summarization features to inject phishing links, while SymJack and TrustFall target developer workflows.
Full text
Fake ChatGPT desktop app ads pushed password-stealing malware by abusing trusted AI links, hiding from scanners, and tricking users into downloads.

By Deeba Ahmed, June 2, 2026

Hackers are increasingly exploiting trusted artificial intelligence (AI) platforms like ChatGPT and Claude to turn them against their own users. Recently, Hackread.com reported a flaw called ClaudeBleed, discovered by LayerX, which allowed unauthorised browser extensions to hijack Anthropic Claude’s interface. Now, hackers are reportedly abusing official features of these AI tools to spread malware while easily evading web filters and security checks.

The Fake Outage Trick

These observations are strengthened by new research from security firm Push Security disclosing a campaign named LLMShare involving what researchers called InstallFix attacks. “These are essentially InstallFix attacks — a variant of the ClickFix family…, and they exploit the fact that AI tools have normalized command-line installation workflows for a population of users who lack the experience to distinguish a legitimate terminal command from a malicious one,” researchers explained.

In this specific campaign, discovered on May 29, hackers purchased sponsored Google search ads for high-volume queries like “ChatGPT desktop app” and “ChatGPT download”. Clicking the ad sent users to a genuine chatgpt.com/s/ address, so corporate firewalls passed the traffic without inspection. However, researchers found that the hackers had used ChatGPT’s code-rendering feature to create a fake outage notice inside that real link. The page claimed the web version was temporarily unavailable and urged users to download a desktop app, after which they were redirected to a lookalike site, openew.app.
LLMShare Campaign Fake Download page (Source: Push Security)

This site was designed to deliver malicious executables for both Windows and macOS. On Mac devices, the payload was identified as Odyssey Stealer, an Atomic macOS Stealer variant that targets browser-saved passwords, crypto wallets, and session tokens. The download site used a conditional rendering technique to evade malware detection: when automated scanners like URLScan checked the link, the site masked itself by showing a harmless virtual reality company website, while real users saw the malware download page.

Exploiting AI Summaries

Another flaw was discovered and reported by Permiso Security. Dubbed ChatGPhish, this flaw targets how ChatGPT handles Markdown content when summarising third-party websites. Researchers noted that an attacker can inject malicious Markdown into an ordinary webpage, and when a user asks ChatGPT to summarise that page, the AI renders the attacker’s live, clickable phishing links, QR codes, or fake security alerts directly inside the trusted chat interface.

“In our testing, Firefox acted as the entry point. The victim browsed to a page, invoked ChatGPT’s page summarization flow, and the page content was passed into the assistant. Once that happened, attacker-controlled text from the page could influence the model’s response. The response was then rendered inside ChatGPT with live links and images… but this is not a Firefox or browser vulnerability. The browser simply passes page content into ChatGPT’s summarization flow. The real issue is that attacker-controlled content can be rendered as trusted UI inside the LLM experience,” the blog post revealed.

ChatGPhish Campaign (source: Permiso Security)

However, this doesn’t end here. Two critical developer-focused techniques were also reported by a firm called Adversa AI: one is called SymJack, and the other is TrustFall.
- SymJack: This attack tricks AI coding assistants into performing a seemingly benign file copy that overwrites their own configuration files, leading to remote code execution.
- TrustFall: This method uses malicious software repositories to auto-approve dangerous commands via the Model Context Protocol (MCP) without user consent.

Possible Consequences

These information-stealing campaigns have dangerous real-world impacts. In fact, IBM’s X-Force 2026 Threat Intelligence Index found that over 300,000 ChatGPT credentials have already been leaked on the dark web. These were stolen directly from user devices compromised by malware like the samples distributed in these campaigns. Therefore, to stay safe, cybersecurity experts advise avoiding sponsored search ads and visiting only official vendor domains for software updates.
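The ChatGPhish issue described above comes down to Markdown derived from attacker-controlled page content being rendered as trusted, clickable UI. As an added example (not part of the original article or of any vendor's code), the Python below shows one defensive control for an application that embeds an LLM summariser: rewrite links and images in the summary into inert, defanged text and record every neutralised element for review. The sample summary text and the .invalid domains are constructed.

```python
import re

# Constructed sample: an assistant's page summary whose Markdown was influenced by
# attacker-controlled content on the summarised page (the .invalid domains are made up).
UNTRUSTED_SUMMARY = """Summary of the page:
The article covers quarterly results.

**Security alert:** your session expired. [Re-authenticate here](https://login-example.invalid/verify)
![Scan to continue](https://cdn-example.invalid/qr.png)
"""

# Markdown links and images: optional leading '!', then [text](url "optional title")
MD_LINK_RE = re.compile(r'(!?)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')
# Inline HTML <a> / <img> tags, which most Markdown renderers also turn into live UI
HTML_TAG_RE = re.compile(r'<(/?(?:a|img)\b)', re.IGNORECASE)


def defang_url(url: str) -> str:
    """Make a URL non-clickable but still readable for a reviewer."""
    return url.replace("://", "[:]//").replace(".", "[.]")


def defang_markdown(md: str):
    """Return (sanitized_markdown, findings) for text derived from untrusted page content.

    Links and images become plain text with a defanged URL; inline <a>/<img> tags are
    escaped so they render literally. Every neutralised element is recorded in findings.
    """
    findings = []

    def md_repl(m):
        is_image, text, url = m.group(1) == "!", m.group(2), m.group(3)
        findings.append({"kind": "image" if is_image else "link", "text": text, "url": url})
        return f"{text} ({defang_url(url)})" if text else f"({defang_url(url)})"

    def html_repl(m):
        findings.append({"kind": "html", "text": m.group(1), "url": ""})
        return "&lt;" + m.group(1)

    sanitized = MD_LINK_RE.sub(md_repl, md)
    sanitized = HTML_TAG_RE.sub(html_repl, sanitized)
    return sanitized, findings


if __name__ == "__main__":
    clean, found = defang_markdown(UNTRUSTED_SUMMARY)
    print(clean)
    for f in found:
        print("neutralised", f["kind"], f["url"] or f["text"])
```

The findings list is what a logging or alerting pipeline would consume; a summary of a news page that suddenly carries a login link or a QR image is a signal worth surfacing to the user or an analyst.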
Indicators of Compromise
- domain — openew.app
- malware — Odyssey Stealer