ChatGPT and Claude phishing and malvertising campaign
Campaign
Summary
Hide ▲
Show ▼
The ChatGPT- and Claude-themed phishing and malvertising campaign is actively steering users to fake download pages that can deliver malware. Attackers are using Google ads, SEO poisoning, and shared-content lures to make the pages look legitimate across multiple variants. The flow presents a bogus outage notice or installation guide, then pushes users toward a malicious download path. Conditional rendering helps the infrastructure hide from scanners while real users are exposed to the payload.
Related Happenings
Openew[.]app cloaked malware download portal
Malware Activity
H score26
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
How related:
Because the first page is hosted on a chatgpt.com/s/ URL, it is trusted by most scanning tools, Push Security warned.
About this happening:
The openew[.]app malware-delivery activity now also uses legitimate ChatGPT shared pages as the first lure, with Google ads and SEO poisoning sending victims to a...
Openew[.]app cloaked malware download portal
Malware ActivityHow related: Because the first page is hosted on a chatgpt.com/s/ URL, it is trusted by most scanning tools, Push Security warned.
About this happening: The openew[.]app malware-delivery activity now also uses legitimate ChatGPT shared pages as the first lure, with Google ads and SEO poisoning sending victims to a...
LLMShare ChatGPT share-link malware lure campaign
Campaign
H score47
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
About this happening:
The LLMShare campaign is using Google ads and a legitimate chatgpt.com shared page to route people searching for ChatGPT into a fake OpenAI outage lure that pu...
LLMShare ChatGPT share-link malware lure campaign
CampaignAbout this happening: The LLMShare campaign is using Google ads and a legitimate chatgpt.com shared page to route people searching for ChatGPT into a fake OpenAI outage lure that pu...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian,...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
CampaignAbout this happening: GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian,...
InstallFix Claude Code malvertising campaign
Campaign
H score32
First: 06.03.2026 17:00
Last: 06.03.2026 17:00
Sources 1
About this happening:
InstallFix is being used in an active malvertising operation that pushes cloned Claude Code install pages and malicious CLI instructions, putting users who search for...
InstallFix Claude Code malvertising campaign
CampaignAbout this happening: InstallFix is being used in an active malvertising operation that pushes cloned Claude Code install pages and malicious CLI instructions, putting users who search for...
ChatGPT Mods token-stealing browser-extension campaign
Campaign
H score45
First: 30.01.2026 15:42
Last: 30.01.2026 15:42
Sources 1
About this happening:
The ChatGPT Mods campaign used 16 browser extensions to inject a content script into chatgpt[.]com, stealing authentication tokens that could let operators imperso...
ChatGPT Mods token-stealing browser-extension campaign
CampaignAbout this happening: The ChatGPT Mods campaign used 16 browser extensions to inject a content script into chatgpt[.]com, stealing authentication tokens that could let operators imperso...
Timeline
-
01.06.2026 12:30 2 articles · 1mo ago
Threat actors abuse ChatGPT and Claude features to deliver malware
Initial DisclosureThreat actors are using ChatGPT code-rendering and shared-content features, along with Claude shared chats, to host phishing pages that spoof the brand, lure victims through malicious Google ads and SEO poisoning, and redirect them to fake download flows that can install malware. The pages use conditional rendering so real users see a malicious download prompt while automated scanners see benign content, and one variant disguises a shared chat as a “Claude Code on Mac” installation guide attributed to “Apple Support” with a curl command that downloads and executes malware. Push Security describes the activity as InstallFix attacks, a ClickFix variant, and says infostealer malware is suspected.
Show sources
- Attackers Abuse Shared Content for ChatGPT Phishing Campaign — www.infosecurity-magazine.com — 01.06.2026 12:30
- Attackers Abuse Shared Content for ChatGPT Phishing Campaign — www.infosecurity-magazine.com — 01.06.2026 12:30