Openew[.]app cloaked malware download portal
Malware Activity
Summary
Hide ▲
Show ▼
The openew[.]app malware-delivery activity now also uses legitimate ChatGPT shared pages as the first lure, with Google ads and SEO poisoning sending victims to a fake outage/download flow. Push Security said the page is hosted on a chatgpt.com/s/ URL, then redirects users to a cloaked phishing site that impersonates OpenAI's desktop application download portal and can deliver malware on macOS and Windows. The activity is described as InstallFix, a ClickFix variant, and the second-stage page uses conditional rendering to hide the malicious flow from scanners while real users see the download prompt.
Related Happenings
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical Analysis
H score34
First: 25.06.2026 18:00
Last: 25.06.2026 18:00
Sources 1
About this happening:
**Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical AnalysisAbout this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Browser-layer visibility guidance for browser-native threats
Defensive Guidance
H score22
First: 05.06.2026 17:00
Last: 05.06.2026 17:00
Sources 1
About this happening:
**Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...
Browser-layer visibility guidance for browser-native threats
Defensive GuidanceAbout this happening: **Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...
Google DoubleClick malspam campaign delivering DesckVB RAT
Campaign
H score33
First: 03.06.2026 19:29
Last: 03.06.2026 19:29
Sources 1
About this happening:
A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
Google DoubleClick malspam campaign delivering DesckVB RAT
CampaignAbout this happening: A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
ChatGPT and Claude phishing and malvertising campaign
Campaign
H score36
First: 01.06.2026 12:30
Last: 01.06.2026 12:30
Sources 1
How related:
“The fact that both the ChatGPT and Claude variants are appearing in Push customer environments suggests a campaign – or at least a shared playbook – that is actively experimenting with different platforms and different social engineering approaches to find what converts best,” it explained.
About this happening:
The **ChatGPT**- and **Claude**-themed **phishing and malvertising campaign** is actively steering users to fake download pages that can deliver malware. Attackers are using **Goo...
ChatGPT and Claude phishing and malvertising campaign
CampaignHow related: “The fact that both the ChatGPT and Claude variants are appearing in Push customer environments suggests a campaign – or at least a shared playbook – that is actively experimenting with different platforms and different social engineering approaches to find what converts best,” it explained.
About this happening: The **ChatGPT**- and **Claude**-themed **phishing and malvertising campaign** is actively steering users to fake download pages that can deliver malware. Attackers are using **Goo...
LLMShare ChatGPT share-link malware lure campaign
Campaign
H score47
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
How related:
The "LLMShare" campaign, discovered by Push Security, uses Google ads to direct users searching for ChatGPT to a malicious shared ChatGPT page hosted on chatgpt.com, allowing the attack to be delivered through a legitimate OpenAI domain.
About this happening:
The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...
LLMShare ChatGPT share-link malware lure campaign
CampaignHow related: The "LLMShare" campaign, discovered by Push Security, uses Google ads to direct users searching for ChatGPT to a malicious shared ChatGPT page hosted on chatgpt.com, allowing the attack to be delivered through a legitimate OpenAI domain.
About this happening: The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...
Timeline
-
29.05.2026 21:21 3 articles · 1mo ago
Push Security finds ChatGPT share links used to deliver openew[.]app malware downloads
Initial DisclosureSecurity researchers at Push Security identify the LLMShare campaign abusing ChatGPT content-sharing links and Google ads to send searchers to a fake OpenAI outage page rendered through a legitimate chatgpt.com/s/ URL. Visitors who click the download prompt are redirected to openew[.]app, a cloaked site that impersonates OpenAI's desktop application download portal and offers macOS and Windows malware downloads.
Show sources
- ChatGPT share links abused to host fake outage pages to deliver malware — www.bleepingcomputer.com — 29.05.2026 21:21
- ChatGPT share links abused to host fake outage pages to deliver malware — www.bleepingcomputer.com — 29.05.2026 21:21
- Attackers Abuse Shared Content for ChatGPT Phishing Campaign — www.infosecurity-magazine.com — 01.06.2026 12:30