For years, the cybersecurity industry has trained users and organisations to distrust unknown domains, suspicious senders and unrecognised links. The logic was straightforward: if a domain appears legitimate, the risk is lower. The LLMShare campaign, discovered by researchers at Push Security in late May 2026, demonstrates that this assumption is no longer sufficient, and that attackers have known it for some time.
What is LLMShare and why does it matter now?
LLMShare is an active malvertising campaign that exploits ChatGPT’s content-sharing functionality to distribute malware through a domain that neither corporate filters nor any reasonable user would consider dangerous: chatgpt.com.
The mechanism is as ingenious as it is concerning. ChatGPT allows users to share conversations through public links hosted under the chatgpt.com/s/ subdomain. What Push Security researchers documented is that threat actors are exploiting the HTML rendering capabilities of this same feature to inject fully customised web pages into those shared links, pages that, from the visitor’s perspective, appear to originate directly from OpenAI.
The practical outcome is that when a user clicks one of these links, they do not see a ChatGPT conversation. Instead, they see a carefully crafted service interruption page stating that the web version is temporarily unavailable due to excessive traffic and that the solution is to download the desktop application. The executable that is downloaded, naturally, has nothing to do with ChatGPT.
The role of Google Ads as an amplifier
What distinguishes LLMShare from similar campaigns is its efficiency during the delivery phase. The attackers do not rely on phishing emails or newly registered domains. Instead, they purchase sponsored advertisements on Google targeting high-volume search terms such as “ChatGPT”, “ChatGPT desktop app” or “ChatGPT download”.
The user performs the search and sees a sponsored result at the top of the page. They click. They are taken to a legitimate chatgpt.com URL. The domain passes every reputation check. The SSL certificate is valid. There is no redirection to a third-party domain. Everything appears legitimate until the user has already downloaded the malicious file.
This attack chain systematically removes every warning sign that a user or an automated security tool might otherwise detect. Further analysis by the researchers revealed that the download infrastructure also employs conditional rendering techniques: when automated scanners such as URLScan visit the payload URL, they are redirected to a completely harmless page. Only genuine users browsing through a conventional browser see the malicious content. This deliberate evasion significantly complicates detection and analysis by threat intelligence teams.
A tactical evolution, not an anomaly
It would be a mistake to treat LLMShare as an isolated incident. Push Security has documented three major campaigns based on the abuse of artificial intelligence platforms during 2026 alone. The first exploited prompt injection to conduct phishing through ChatGPT. The second demonstrated how an attacker could exfiltrate data by leveraging ChatGPT’s network connectivity capabilities. LLMShare represents the third pattern: using the AI platform directly as hosting infrastructure for a traditional malvertising operation.
The underlying trend is clear. Attackers have identified that generative AI platforms enjoy a level of institutional trust that very few internet domains can match. Users trust OpenAI. IT teams add chatgpt.com to their allowlists. Proxy filters do not block the domain because doing so would disrupt legitimate business operations. That trust is precisely the asset that LLMShare monetises.
It is worth noting that this abuse is not limited to ChatGPT. The same researchers documented instances where Anthropic’s Claude Artifacts functionality was used to host ClickFix-style lures designed to trick users into executing malicious commands within their terminal. The attack surface is effectively any AI platform that permits the sharing of rendered content.
The implications for Australian organisations
For businesses that have integrated generative AI tools into their workflows, and in Australia that number grows week by week, LLMShare introduces a risk that traditional security controls are not configured to intercept.
Corporate firewalls and web proxies operating through domain allowlists will not detect this threat. There is no malicious domain to block because the domain itself is legitimate. URL filtering systems that evaluate domain reputation will reach the same conclusion: chatgpt.com is trustworthy. Malware may reach an employee’s endpoint without triggering a single alert within the perimeter infrastructure.
This requires a reassessment of trust on two levels. First, at the technical level: security teams should implement specific detections for executable downloads originating from references to chatgpt.com or similar AI domains, given that ChatGPT does not distribute software installers through its shared-content URLs. Any download claiming otherwise should be treated as suspicious by default. Second, at the human level: security awareness training must be updated to reflect that a trusted domain does not guarantee that the content hosted within it is safe.
What organisations can do today
Responding to LLMShare does not require extraordinary investment, but it does require revisiting several operational assumptions.
First, review policies relating to sponsored search engine results. The campaign relies on employees clicking Google advertisements rather than navigating directly to official websites. Including this attack vector within existing awareness programmes can materially reduce exposure.
Second, apply behavioural inspection at the endpoint regardless of the originating domain. Endpoint detection and response solutions that evaluate the behaviour of downloaded executables can identify threats even when the delivery vector originates from an apparently legitimate domain. Robust data and network protection measures add a further layer of defence at this stage.
Third, review policies governing the use of shared AI content. If employees regularly access shared ChatGPT content from external sources, it is worth establishing that such content be opened within isolated environments or browsers with enhanced controls, particularly when it includes instructions involving downloads or software installation.
Finally, consider reviewing the organisation’s security posture towards AI platforms as part of broader third-party risk assessments. The rapid adoption of these tools has often occurred without security teams having sufficient opportunity to evaluate the risks associated with their use in corporate environments.
Trust as an attack surface
LLMShare is representative of a broader trend that threat analysts have been documenting for several quarters: attackers have stopped competing with corporate security infrastructure on the battleground of malicious domains and have instead chosen to operate directly from platforms that infrastructure inherently trusts. Microsoft SharePoint, Google Drive, Dropbox and now chatgpt.com: the logic is the same in every case.
For organisations that take their cybersecurity posture seriously, the answer cannot simply be to block these platforms, doing so would create unacceptable operational friction and would not solve the underlying structural problem. The response must be more sophisticated: content behaviour inspection regardless of origin, continuous training focused on the tactics attackers actually use, and a detection architecture that does not rely exclusively on domain reputation as an indicator of risk.
At Asta, we work with organisations to build precisely that kind of security posture: one that does not assume a recognised domain equates to safe content and is prepared to detect threats that operate by exploiting that very assumption. If your organisation would like to assess its exposure to emerging attack vectors such as LLMShare, our team is available to begin that conversation.
About Our Mission in the Digital Space
Asta is a leading full-service technology and consulting agency. We are trusted industry leaders committed to advancing businesses through powerful IT solutions. Yet beyond our expertise in software, web and mobile application development, our fit-for-purpose managed IT services, and our groundbreaking AI and blockchain technologies — there is something more.
At the core of everything we do is our relentless commitment to people.
Contact and Social Media
Get in touch with us through our available social channels, and one of our specialist advisers will contact you to answer any questions you may have: