
Fake ChatGPT Outage Pages Now Hide Malware on OpenAI’s Domain


Security researchers have found attackers hiding malware behind fake ChatGPT outage pages built on OpenAI’s own web address. The operation, named LLMShare by the firm that found it, uses paid Google search ads to push people toward a chatgpt.com share link that shows a phony “high traffic” notice and a download button for a poisoned desktop app.

What makes the scam work is not clever code. It is the address bar. A link sitting on a domain people already trust does not set off the instincts a sketchy URL would, and that single fact is now feeding a wider wave of attacks across more than one AI platform.

How the Fake ChatGPT Outage Page Works

The trick starts where most people now begin a task, in a search box. Researchers at Push Security, a browser-based identity security firm, traced the campaign to paid Google ads aimed at common queries such as “chatgpt,” “chatgpt free,” and even typos like “chatgo.” You can read the team’s LLMShare malvertising research for the full technical write-up.

Click the ad and you land on a genuine share link, the kind anyone can generate from a chat. Except the shared page does not hold a conversation. It renders a notice claiming the service is swamped and tells you to grab the desktop app to keep working. Here is the chain, start to finish:

  1. An attacker buys Google ads on searches for ChatGPT and close misspellings.
  2. The ad sends the visitor to a real chatgpt.com/s/ share link.
  3. Instead of a chat, the page displays a fake service-disruption notice.
  4. The notice instructs the user to download the desktop app to continue.
  5. The download button redirects to openew[.]app, a clone of the official download portal.
  6. The file that lands installs an information stealer.

Keanu Maharaj, the senior security researcher who documented the campaign, noted the page still carried the model’s own “Show code” and “Remix with ChatGPT” buttons. Those controls give the game away. The outage notice was never a system message, just custom HTML someone asked the model to draw.

Why a Link on chatgpt.com Slips Past Filters

Phishing usually leans on a lookalike domain, a padlock that does not quite match, a URL one letter off. None of that is present here. The poisoned content lives on the legitimate chatgpt.com domain, served over a real certificate, indexed by a real platform.

That is the whole point. When **a link’s host domain looks trustworthy**, both people and many automated tools relax. The lure inherits the platform’s reputation. The notice itself is plain and effective:

We’re experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.

The redirect target adds a second layer of cover. The download site at openew[.]app uses cloaking, showing different content depending on who visits. When scanning tools such as URLScan checked the address, they were served a harmless page for an augmented and virtual reality (AR/VR) company. Real victims got the ChatGPT impersonation instead.

For company security teams the gap is awkward. Web filters that block known-bad domains have nothing to block, because the first hop is a domain most firms explicitly allow. The malicious step only happens after the click, on a host that hides from inspection.
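Because the first hop is an allowed domain, a blocklist cannot catch this chain, but the sequence can. The following is an added example, not code from Push Security or Malwarebytes: a small proxy-log correlation that flags a chatgpt.com/s/ share-link visit followed shortly by an installer download from a host other than OpenAI's. The log line format, the ten-minute window, the allowlisted hosts and the sample URLs are assumptions.

```python
# Added example (not from the Push Security or Malwarebytes write-ups): flag the
# LLMShare sequence from proxy logs: a chatgpt.com/s/ share-link visit followed
# within WINDOW by an installer download from a non-official host. Log format,
# allowlist, window and all sample hosts below are assumptions/constructed.
from datetime import datetime, timedelta
from urllib.parse import urlparse

INSTALLER_EXTS = (".exe", ".dmg", ".pkg", ".msi", ".zip")
# Assumed allowlist of hosts a genuine ChatGPT desktop client may come from.
OFFICIAL_DOWNLOAD_HOSTS = {"openai.com", "chatgpt.com"}
WINDOW = timedelta(minutes=10)

def parse_line(line):
    """Parse one constructed proxy log line: '<ISO time> <client ip> <url>'."""
    ts, client, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, url

def is_share_link(url):
    p = urlparse(url)
    return p.hostname == "chatgpt.com" and p.path.startswith("/s/")

def is_offsite_installer(url):
    p = urlparse(url)
    host = (p.hostname or "").lower()
    official = any(host == h or host.endswith("." + h) for h in OFFICIAL_DOWNLOAD_HOSTS)
    return p.path.lower().endswith(INSTALLER_EXTS) and not official

def find_llmshare_sequences(lines):
    """Return (client, share_url, download_url) for every share-link visit that is
    followed within WINDOW by an installer fetched from a non-official host."""
    last_share = {}  # client ip -> (timestamp, share url)
    hits = []
    for ts, client, url in sorted(map(parse_line, lines)):
        if is_share_link(url):
            last_share[client] = (ts, url)
        elif is_offsite_installer(url) and client in last_share:
            share_ts, share_url = last_share[client]
            if ts - share_ts <= WINDOW:
                hits.append((client, share_url, url))
    return hits

# Constructed sample log: share ids and the clone download host are placeholders.
SAMPLE_LOG = [
    "2025-01-01T09:00:05 10.0.0.7 https://www.google.com/search?q=chatgpt",
    "2025-01-01T09:00:09 10.0.0.7 https://chatgpt.com/s/PLACEHOLDER_SHARE_ID",
    "2025-01-01T09:00:31 10.0.0.7 https://download.example-clone.app/Chat_GPT.exe",
    "2025-01-01T09:05:00 10.0.0.9 https://chatgpt.com/s/PLACEHOLDER_SHARE_ID2",
    "2025-01-01T09:06:10 10.0.0.9 https://openai.com/download/ChatGPT.dmg",
]

if __name__ == "__main__":
    for client, share, dl in find_llmshare_sequences(SAMPLE_LOG):
        print(f"ALERT {client}: share link {share} -> installer {dl}")
```

Only the first client is flagged; the second fetched its installer from an allowlisted host, which is the behaviour the advice further down recommends.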

What the Fake Desktop App Installs

The payload depends on the operating system, and both options are built to empty accounts and wallets. A separate teardown by Malwarebytes mapped what each installer does once it runs.

| Attribute | Windows | macOS |
|---|---|---|
| Disguise | Chat_GPT.exe | “ChatGPT for Desktop” |
| Malware | Credential-stealing loader | Odyssey Stealer, a fork of Atomic macOS Stealer (AMOS) |
| Build kit | Inno Setup with bundled Electron framework | Native macOS binary |
| Targets | Saved credentials, persistence on the host | Keychain, 12 Chromium browsers, Firefox, Telegram, crypto wallets |
| Notable move | Spawns PowerShell with an unrestricted policy, calls a command-and-control (C2) server | Tries to swap Ledger and Trezor apps with trojanized copies |

The macOS version hunts for wallet directories tied to Ledger Live, Trezor Suite, Exodus, Electrum and Sparrow, plus loose files ending in .wallet, .seed, .key and .kdbx. The Windows file drops support libraries into a hidden application folder and reaches out to a hard-coded C2 address. At the time of analysis only **9 of 69 antivirus engines** flagged it, which is the kind of head start that lets a campaign run for days before detection catches up.

A Pattern Bigger Than One ChatGPT Scam

Treating this as a ChatGPT problem misses the shape of it. The same method already runs on Anthropic’s Claude platform, where shared conversations posing as “Claude Code on Mac” install guides carry fake “Apple Support” branding and terminal commands that pull down a stealer. The host changes; the trust does not.

The Claude Twin

Push researchers classify these as InstallFix attacks, a relative of the ClickFix family that has spread fast over the past year. ClickFix lures convince users to paste a command into a terminal or run dialog themselves, sidestepping the download warnings that browsers and antivirus tools throw up. Roughly four in five of those attacks now reach victims through search results rather than email.

The defensive market has noticed the shift toward search and shared content as delivery routes. One French startup, MokN, raised funding to flip the script on credential theft, as covered in this look at a phish-back approach to stolen logins. The AI labs themselves are leaning into security pitches too, seen in OpenAI’s Daybreak cyber push against Anthropic.

Cheap Enough to Repeat

The economics explain why it keeps coming back. The whole kit costs less than a mid-range phone, which means a single victim with a funded crypto wallet pays for months of operation.

  • $15 a year buys the lookalike download domain.
  • $3,000 a month rents the Odyssey Stealer toolkit, paid in crypto.
  • Under $100 covers the initial Windows packaging setup.

How to Avoid the Poisoned ChatGPT Download

The fix is mostly habit, not software. Because the attack rides a trusted domain and rotates its download hosts, blocklists lag behind, so the safe move is to control how you reach the app in the first place.

  • Skip sponsored search results when you want software, and type the official address yourself.
  • Treat any “outage” page that asks you to install something as a warning sign; real services do not push downloads when they are busy.
  • Install desktop apps only from the vendor’s own site or an official app store. The genuine client lives on OpenAI’s official ChatGPT download page.
  • Be suspicious of shared ChatGPT or Claude links that show download buttons or ask you to run terminal commands, since that content is user-created, not platform messaging.

Account hygiene helps if something does slip through, and OpenAI has rolled out tighter controls covered in this piece on a lockdown mode for high-risk ChatGPT accounts. For now, neither OpenAI nor Anthropic has published specific steps to stop their sharing features from being abused this way, so the burden of caution still sits with the person at the keyboard.

Frequently Asked Questions

Is the ChatGPT desktop app safe to download?

Yes, when you get it from the source. The official client is offered through OpenAI’s own website and the major app stores. The danger is only with copies offered through search ads, pop-up “outage” notices, or shared links that redirect you to a third-party site such as openew[.]app.

How can I tell a ChatGPT share link is fake?

A genuine share link shows a saved conversation, not a service notice. If a page on chatgpt.com tells you the site is down and offers a download, look for the “Show code” and “Remix with ChatGPT” controls; those reveal the page is user-generated HTML, not an official message from OpenAI.

Does ChatGPT ever show a download page during an outage?

No. Legitimate services do not redirect users to software downloads when they are overloaded. A real outage simply shows an error or a status message, so any “download our app to continue” prompt during a claimed outage should be treated as hostile.

What is Odyssey Stealer?

Odyssey Stealer is the macOS payload in this campaign, a fork of the well-known Atomic macOS Stealer (AMOS). It harvests keychain passwords, browser-saved credentials, Telegram session data, and cryptocurrency wallet files, and it even tries to replace legitimate wallet apps with trojanized versions.

I already clicked the download. What should I do?

Run a full scan with a reputable security tool, then change passwords from a clean device, starting with email, banking, and any crypto exchange. If you hold cryptocurrency, move funds to a new wallet with a fresh seed phrase, because the stealer specifically targets wallet files and saved seeds.

Are Mac users affected, or just Windows?

Both. The fake download site serves a Windows credential-stealing loader to PC visitors and Odyssey Stealer to Mac visitors, so neither platform is a safe assumption here.

As the founder of Thunder Tiger Europe Media, Dr. Elias Thornwood brings over 25 years of experience in international journalism, having reported from conflict zones in the Middle East, Asia, and Africa for outlets like BBC World and Reuters. With a PhD in International Relations from Oxford University, his expertise lies in geopolitical analysis and global diplomacy. Elias has authored two bestselling books on European foreign policy and received the Pulitzer Prize for International Reporting in 2015, establishing his authoritativeness in the field. Committed to trustworthiness, he enforces rigorous fact-checking protocols at Thunder Tiger, ensuring unbiased, evidence-based coverage of worldwide news to empower informed global audiences.
