Find notable cyber news and cases, enriched with sources, timelines, and signals.

Openew[.]app cloaked malware download portal

Malware Activity
First reported
Last updated
Happening score
H score 26
2 unique sources, 2 articles

Summary

Hide ▲

The openew[.]app malware-delivery activity now also uses legitimate ChatGPT shared pages as the first lure, with Google ads and SEO poisoning sending victims to a fake outage/download flow. Push Security said the page is hosted on a chatgpt.com/s/ URL, then redirects users to a cloaked phishing site that impersonates OpenAI's desktop application download portal and can deliver malware on macOS and Windows. The activity is described as InstallFix, a ClickFix variant, and the second-stage page uses conditional rendering to hide the malicious flow from scanners while real users see the download prompt.

Related Happenings

Bluekit adopts rrweb-based BitM session streaming for login theft

Technical Analysis
H score34 First: 25.06.2026 18:00 Last: 25.06.2026 18:00 Sources 1

About this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...

Browser-layer visibility guidance for browser-native threats

Defensive Guidance
H score22 First: 05.06.2026 17:00 Last: 05.06.2026 17:00 Sources 1

About this happening: **Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...

Google DoubleClick malspam campaign delivering DesckVB RAT

Campaign
H score33 First: 03.06.2026 19:29 Last: 03.06.2026 19:29 Sources 1

About this happening: A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...

ChatGPT and Claude phishing and malvertising campaign

Campaign
H score36 First: 01.06.2026 12:30 Last: 01.06.2026 12:30 Sources 1

How related: “The fact that both the ChatGPT and Claude variants are appearing in Push customer environments suggests a campaign – or at least a shared playbook – that is actively experimenting with different platforms and different social engineering approaches to find what converts best,” it explained.

About this happening: The **ChatGPT**- and **Claude**-themed **phishing and malvertising campaign** is actively steering users to fake download pages that can deliver malware. Attackers are using **Goo...

LLMShare ChatGPT share-link malware lure campaign

Campaign
H score47 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

How related: The "LLMShare" campaign, discovered by Push Security, uses Google ads to direct users searching for ChatGPT to a malicious shared ChatGPT page hosted on chatgpt.com, allowing the attack to be delivered through a legitimate OpenAI domain.

About this happening: The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...

Timeline

  1. 29.05.2026 21:21 3 articles · 1mo ago

    Push Security finds ChatGPT share links used to deliver openew[.]app malware downloads

    Initial Disclosure

    Security researchers at Push Security identify the LLMShare campaign abusing ChatGPT content-sharing links and Google ads to send searchers to a fake OpenAI outage page rendered through a legitimate chatgpt.com/s/ URL. Visitors who click the download prompt are redirected to openew[.]app, a cloaked site that impersonates OpenAI's desktop application download portal and offers macOS and Windows malware downloads.

    Show sources