AI chatbot sharing features are useful. They let someone publish a conversation, code output, or explanation and send it to another person with a simple link. The page is hosted on a familiar domain, which makes it feel safe.
Attackers have noticed that trust.
A recent campaign reported by Push Security describes a technique they call LLMShare, where attackers abuse shared content features on AI chatbot platforms to deliver malware through pages hosted on legitimate domains. Instead of relying only on fake websites, the attacker first places the victim on a real AI platform page, such as a shared ChatGPT or Claude page, and then uses that trusted environment to move the user toward a malicious download or dangerous command.
The idea is simple but effective: make the first page look trustworthy, then use social engineering to push the victim into doing something risky.
How the Attack Works
The campaign starts with search advertising. A person searches for an AI tool, desktop app, or installation help. A sponsored result appears near the top of the page. The visible destination may look legitimate because it points to a real AI platform domain.
After clicking, the user lands on shared AI-hosted content. That content may look like a help article, an installation guide, a support message, or even a fake service disruption notice. In Push Security's report, one variant used a ChatGPT-hosted page that appeared to tell users the web service was unavailable because of high traffic, then encouraged them to download a desktop app instead.
From there, the user is redirected to a fake download page. The site may copy the branding, layout, and wording of a real product page. The goal is to make the victim believe they are installing a legitimate AI desktop application.
This is not the first time attackers have used this pattern. BleepingComputer reported a similar campaign where Google Ads and Claude shared chats were abused to push Mac malware through fake setup instructions. Kaspersky also reported a campaign where malicious actors used ChatGPT's sharing feature to host fake installation guidance that led users toward macOS infostealer malware.
Why This Is Different From a Normal Phishing Page
Traditional phishing often depends on lookalike domains. A fake site might swap letters, add hyphens, or use a misleading top-level domain. Users and security tools are trained to look for that.
This technique is more subtle because the first page can be hosted on a real, trusted domain. A user may see a familiar address and lower their guard. A security tool that relies heavily on domain reputation may also treat the page as less suspicious.
That does not mean the AI platform itself is malicious. The abuse comes from attackers using public sharing features in ways they were not intended to be used. The same problem has appeared before on other trusted platforms: cloud storage, document-sharing services, developer platforms, and collaboration tools have all been abused to host or stage malicious content.
The difference here is the timing. AI tools are widely used, users are still learning what normal AI workflows look like, and many people already expect AI tools to generate instructions, code, or setup steps. That makes malicious instructions easier to disguise.
The Social Engineering Angle
The most dangerous part of this attack is not technical. It is psychological.
The attacker creates a situation where the victim believes they are solving a normal problem. They searched for a tool. They clicked what looked like a legitimate result. They landed on a trusted domain. They saw instructions that looked professional. They were told to install an app or run a command.
Each step feels small. Together, they create enough trust for the victim to take an action they would normally avoid.
This is especially risky when the page tells users to paste commands into Terminal, PowerShell, or another command-line tool. Many users do not fully understand what those commands do. If the instructions appear inside a polished AI-generated page, they may feel even more credible.
What Users Should Learn From This
The main lesson is that a trusted domain does not automatically mean trusted content.
A page can be hosted on a legitimate service and still contain harmful instructions, misleading links, or attacker-controlled content. This is especially true for platforms that allow public sharing.
Users should be cautious when a shared AI page asks them to download software, install a desktop app, run a command, disable a security warning, or follow urgent instructions. Real software vendors generally do not require users to paste random commands from a shared chatbot page to install mainstream applications.
The safer approach is to go directly to the official website by typing the address yourself, using a trusted bookmark, or downloading from a verified app store. Sponsored search results should be treated carefully, especially for software downloads.
Guidance for Defenders
For defenders, this campaign is a reminder that domain reputation alone is not enough. Blocking only newly registered domains or obvious typosquats will miss attacks that begin on legitimate platforms.
Defensive controls should focus on behavior and context. Useful signals include:
| Signal | Why It Matters |
|---|---|
| Sponsored search traffic landing on shared AI pages | Identifies the entry point of the chain |
| Shared AI pages redirecting to software download sites | The handoff from trusted to untrusted |
| Pages instructing users to run shell or PowerShell commands | High-risk instruction pattern |
| Downloads following from AI-hosted shared content | Connects the trusted lure to the payload |
| Newly seen installer files claiming to be popular AI apps | Detects brand-abusing payloads |
| Trusted domain handing off quickly to unrelated download domain | The key gap in the chain |
Security teams should also review whether their secure web gateway, browser security tooling, EDR, and DNS controls can see the full redirect chain. If a control only logs the first trusted domain or only the final download site, analysts may miss the connection between the two.
Another useful control is user-facing warning logic. If a user reaches a shared AI page from an ad and the page then attempts to redirect to a download, that is worth treating differently from a normal user visiting an official vendor page.
Guidance for Threat Hunters
Threat hunters can look for patterns rather than static indicators.
A good starting point is browser telemetry. Search for visits to shared AI pages followed by downloads, command execution, or redirects to unfamiliar domains. The key is the sequence of events, not one domain or one file hash.
| Hunting Signal | What to Look For |
|---|---|
| Shared chatbot URLs before executable downloads | Browser-to-download sequence |
| Sponsored search referrers | Entry point via paid ad |
| AI-branded installers from non-official domains | Brand-abusing payload delivery |
| Terminal or shell execution after AI page visits | Browser-to-execution chain |
| Clipboard activity with long shell commands | Copy-paste attack path |
| AI-named processes launching network utilities | Post-execution behavior |
For macOS environments, pay close attention to flows where a browser leads to Terminal instructions, script execution, or unsigned application launches. For Windows environments, watch for PowerShell, mshta, wscript, rundll32, or other living-off-the-land binaries launched soon after a browser download.
Detection Engineering Ideas
Detection logic should avoid depending only on fixed IoCs. The infrastructure can change quickly.
Better detection opportunities include:
| Detection Idea | Rationale |
|---|---|
| Shared AI URL followed by file download within a short window | Connects lure to payload |
| Shared AI URL followed by command-line execution | Browser-to-shell chain |
| AI product names in downloaded filenames from non-vendor domains | Brand impersonation |
| Browser-to-script execution chains | Living-off-the-land indicator |
| Search-ad referrers followed by software installation | Full attack chain visible |
| First-seen download domains serving AI-branded files | Infrastructure novelty |
| Users copying command-like text from browser then executing locally | Copy-paste attack |
None of these signals are perfect by themselves. Together, they can produce higher-confidence alerts.
Defenders should also consider adding awareness rules or browser warnings for shared AI pages that contain software installation instructions. Many of these pages may be harmless, but the combination of "shared AI page plus install instructions plus external download" deserves extra scrutiny.
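The sequence-based ideas in the hunting and detection tables above, as an added example that is not from Push Security's report or any vendor's tooling: it correlates per-user browser and process events and alerts only when several weak signals combine. The event schema, share-URL path prefixes, vendor domain list, weights, 10-minute window and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed values (not from the report): share-URL paths, vendor list, weights.
SHARE_PATHS = {"chatgpt.com": "/share/", "claude.ai": "/share/"}
# Leading dot anchors the suffix match at a label boundary (evilopenai.com fails).
VENDORS = (".openai.com", ".chatgpt.com", ".claude.ai", ".anthropic.com")
AI_BRANDS = ("chatgpt", "claude")
SHELLS = {"powershell.exe", "mshta.exe", "wscript.exe", "rundll32.exe", "terminal"}
WEIGHTS = {"ad_entry": 1, "offsite_download": 2, "ai_branded_file": 1, "shell_after_visit": 3}

def is_shared_ai_page(url):
    u = urlparse(url)
    prefix = SHARE_PATHS.get((u.hostname or "").lower())
    return prefix is not None and u.path.startswith(prefix)

def is_vendor(url):
    return ("." + (urlparse(url).hostname or "").lower()).endswith(VENDORS)

def score_chains(events, window=timedelta(minutes=10)):
    """Map user -> signals seen within `window` after a shared AI page visit."""
    last_visit, hits = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "visit" and is_shared_ai_page(e["url"]):
            last_visit[user] = (ts, bool(e.get("ad_referrer")))
        seen_at, from_ad = last_visit.get(user, (None, False))
        if e["type"] == "visit" or seen_at is None or ts - seen_at > window:
            continue
        found = set()
        if e["type"] == "download" and not is_vendor(e["url"]):
            found.add("offsite_download")
            if any(b in e["file"].lower() for b in AI_BRANDS):
                found.add("ai_branded_file")
        elif e["type"] == "process" and e["image"].lower() in SHELLS:
            found.add("shell_after_visit")
        if found:
            hits.setdefault(user, set()).update(found | ({"ad_entry"} if from_ad else set()))
    return hits

def alerts(events, threshold=4):
    scored = score_chains(events).items()
    return {u: sorted(s) for u, s in scored if sum(WEIGHTS[x] for x in s) >= threshold}

EVENTS = [  # constructed sample telemetry, not real indicators
    {"ts": "2025-01-01T10:00:00", "user": "alice", "type": "visit", "url": "https://chatgpt.com/share/EXAMPLE", "ad_referrer": True},
    {"ts": "2025-01-01T10:02:00", "user": "alice", "type": "download", "url": "https://dl.example.test/ChatGPT-Setup.exe", "file": "ChatGPT-Setup.exe"},
    {"ts": "2025-01-01T10:03:00", "user": "alice", "type": "process", "image": "powershell.exe"},
    {"ts": "2025-01-01T10:05:00", "user": "carol", "type": "download", "url": "https://dl.example.test/Claude.dmg", "file": "Claude.dmg"},
]
```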
Why This Will Keep Happening
Attackers follow trust. When users trusted email attachments, attackers abused email. When users trusted cloud documents, attackers abused document sharing. Now that users trust AI-generated pages and shared chatbot conversations, attackers are adapting again.
This campaign shows how public AI features can become part of an attack chain without the attacker needing to compromise the AI provider. They only need to create convincing content, publish it through a trusted sharing feature, and drive traffic to it.
That makes this less of a one-off trick and more of a pattern defenders should expect to see again.
Sources:
- Push Security — LLMShare: Malvertising campaign abusing AI chat sharing features
