ChatGPT and Claude phishing and malvertising campaign
Campaign
Summary
The ChatGPT- and Claude-themed phishing and malvertising campaign is actively steering users to fake download pages that can deliver malware. Attackers are using Google ads, SEO poisoning, and shared-content lures to make the pages look legitimate across multiple variants. The flow presents a bogus outage notice or installation guide, then pushes users toward a malicious download path. Conditional rendering helps the infrastructure hide from scanners while real users are exposed to the payload.
Related Happenings
Openew[.]app cloaked malware download portal
Malware Activity
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
How related:
Because the first page is hosted on a chatgpt.com/s/ URL, it is trusted by most scanning tools, Push Security warned.
About this happening:
The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...
LLMShare ChatGPT share-link malware lure campaign
Campaign
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
About this happening:
The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
InstallFix Claude Code malvertising campaign
Campaign
First: 06.03.2026 17:00
Last: 06.03.2026 17:00
Sources 1
About this happening:
**InstallFix** is being used in an active **malvertising** operation that pushes cloned **Claude Code** install pages and malicious CLI instructions, putting users who search for...
ChatGPT Mods token-stealing browser-extension campaign
Campaign
First: 30.01.2026 15:42
Last: 30.01.2026 15:42
Sources 1
About this happening:
The **ChatGPT Mods** campaign used **16 browser extensions** to inject a **content script** into **chatgpt[.]com**, stealing authentication tokens that could let operators imperso...
Timeline
- 01.06.2026 12:30 · 2 articles
Threat actors abuse ChatGPT and Claude features to deliver malware
Initial Disclosure: Threat actors are using ChatGPT code-rendering and shared-content features, along with Claude shared chats, to host phishing pages that spoof the brand, lure victims through malicious Google ads and SEO poisoning, and redirect them to fake download flows that can install malware. The pages use conditional rendering so real users see a malicious download prompt while automated scanners see benign content, and one variant disguises a shared chat as a “Claude Code on Mac” installation guide attributed to “Apple Support” with a curl command that downloads and executes malware. Push Security describes the activity as InstallFix attacks, a ClickFix variant, and says infostealer malware is suspected.
Sources:
- Attackers Abuse Shared Content for ChatGPT Phishing Campaign — www.infosecurity-magazine.com — 01.06.2026 12:30
- Attackers Abuse Shared Content for ChatGPT Phishing Campaign — www.infosecurity-magazine.com — 01.06.2026 12:30