Find notable cyber news and cases, enriched with sources, timelines, and signals.

ChatGPT and Claude phishing and malvertising campaign

Campaign
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

The ChatGPT- and Claude-themed phishing and malvertising campaign is actively steering users to fake download pages that can deliver malware. Attackers are using Google ads, SEO poisoning, and shared-content lures to make the pages look legitimate across multiple variants. The flow presents a bogus outage notice or installation guide, then pushes users toward a malicious download path. Conditional rendering helps the infrastructure hide from scanners while real users are exposed to the payload.

Related Happenings

Openew[.]app cloaked malware download portal

Malware Activity
H score26 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

How related: Because the first page is hosted on a chatgpt.com/s/ URL, it is trusted by most scanning tools, Push Security warned.

About this happening: The openew[.]app malware-delivery activity now also uses legitimate ChatGPT shared pages as the first lure, with Google ads and SEO poisoning sending victims to a...

LLMShare ChatGPT share-link malware lure campaign

Campaign
H score47 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The LLMShare campaign is using Google ads and a legitimate chatgpt.com shared page to route people searching for ChatGPT into a fake OpenAI outage lure that pu...

GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations

Campaign
H score39 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian,...

InstallFix Claude Code malvertising campaign

Campaign
H score32 First: 06.03.2026 17:00 Last: 06.03.2026 17:00 Sources 1

About this happening: InstallFix is being used in an active malvertising operation that pushes cloned Claude Code install pages and malicious CLI instructions, putting users who search for...

ChatGPT Mods token-stealing browser-extension campaign

Campaign
H score45 First: 30.01.2026 15:42 Last: 30.01.2026 15:42 Sources 1

About this happening: The ChatGPT Mods campaign used 16 browser extensions to inject a content script into chatgpt[.]com, stealing authentication tokens that could let operators imperso...

Timeline

  1. 01.06.2026 12:30 2 articles · 1mo ago

    Threat actors abuse ChatGPT and Claude features to deliver malware

    Initial Disclosure

    Threat actors are using ChatGPT code-rendering and shared-content features, along with Claude shared chats, to host phishing pages that spoof the brand, lure victims through malicious Google ads and SEO poisoning, and redirect them to fake download flows that can install malware. The pages use conditional rendering so real users see a malicious download prompt while automated scanners see benign content, and one variant disguises a shared chat as a “Claude Code on Mac” installation guide attributed to “Apple Support” with a curl command that downloads and executes malware. Push Security describes the activity as InstallFix attacks, a ClickFix variant, and says infostealer malware is suspected.

    Show sources