How the LLMShare Campaign Turned ChatGPT Share Links into a Malware Delivery Network

The real innovation here isn't the malware itself—it's the delivery mechanism. By hosting the initial phishing page on a legitimate chatgpt.com URL, attackers bypass both human suspicion and automated URL reputation filters. A user checking the address bar sees chatgpt.com and the familiar padlock icon, creating a powerful trust-by-proxy effect that makes the subsequent redirect to the malicious domain far more effective .

This Campaign Is Part of a Much Larger Problem

The LLMShare campaign didn't emerge in isolation. It's the latest escalation in a pattern that security researchers have been tracking since late 2025, when attackers first discovered they could abuse AI platform sharing features as infection vectors.

In December 2025, Kaspersky researchers uncovered a campaign that used ChatGPT's share feature to distribute the AMOS infostealer to macOS users. Attackers created professional-looking installation guides for a fake 'Atlas browser' and published them as public ChatGPT conversations. Unsuspecting users who followed the guides ended up running terminal commands that installed malware . By early 2026, similar techniques had spread to other AI platforms including DeepSeek, with attackers targeting users searching for everyday troubleshooting topics like how to clear disk space on a Mac .

This trend goes well beyond shared chat abuse. Security researchers documented the first in-the-wild malware families using commercial AI chatbot infrastructure as primary command-and-control channels between July 2025 and February 2026 . At least 16 malicious Chrome extensions masquerading as ChatGPT productivity tools were caught stealing login tokens rather than delivering promised features . Google's Threat Intelligence Group identified malware families like PROMPTFLUX and PROMPTSTEAL that use large language models to dynamically alter behavior mid-execution—what Google calls 'just-in-time AI in malware' .

Even state-linked actors are involved. OpenAI disclosed that it disrupted coordinated operations by groups from Russia, North Korea, and China attempting to use ChatGPT assistance for malware development, phishing campaigns, and influence operations . CrowdStrike's 2025 Threat Hunting Report noted that adversaries are now 'weaponizing AI at scale' to accelerate attacks, steal credentials, and deploy malware .

The Malware Families Behind the Attack

For Windows users caught in the LLMShare campaign, the payload is a conventional credential stealer designed to extract browser-stored passwords, cookies, and authentication tokens. For macOS users, the threat is more complex.

Odyssey Stealer represents an evolutionary branch of macOS infostealers with a tangled lineage. It originated as Poseidon Stealer—a fork of Atomic Stealer (AMOS) that was prominent during 2024 and early 2025—and was later rebranded and upgraded by a threat actor known as 'Rodrigo' or 'Rodrigo4,' who previously worked on the AMOS codebase . The rebranding came with significant technical upgrades aimed at bypassing Apple's security defenses, including obfuscated AppleScript payloads and persistence mechanisms that allow the malware to survive system reboots .

As a Malware-as-a-Service platform, Odyssey operates on an affiliate model where the core developers maintain the malware and command-and-control infrastructure while independent operators rent access in exchange for a cut of the proceeds . The malware specifically targets a wide range of cryptocurrency software—Censys researchers identified that it targets 203 browser wallet extensions, along with desktop cryptocurrency applications .

Red Canary's threat detection data shows Atomic Stealer remained the most popular macOS stealer throughout 2025, with Odyssey Stealer achieving similar prevalence after its Poseidon rebrand and relaunch . Both families consistently rank among the top threats targeting Apple users .

Why Defending Against These Attacks Is Hard

The trust-by-proxy approach that powers LLMShare represents a fundamental challenge for traditional security defenses. The initial landing page is hosted on an OpenAI domain that's both legitimate and widely trusted. URL filtering systems that rely on domain reputation alone will see chatgpt.com and allow the connection. Even more sophisticated tools that inspect page content may see what appears to be an OpenAI-branded service notice and fail to flag it as suspicious .

The attack doesn't use email phishing, malicious attachments, or obvious social engineering—it relies entirely on Google's ad platform to deliver victims to what appears to be an official OpenAI page. By the time the malicious redirect occurs, the user is already operating from a position of trust in the domain they're visiting. Huntress researchers who studied similar campaigns noted that these attacks succeed with just four everyday user actions: search, click, copy, and paste .

For security teams, defense requires a layered approach. Monitoring for suspicious Google ads impersonating popular services, blocking known malicious redirect domains like openew[.]app, and—most importantly—training users to verify the actual content of shared ChatGPT conversations rather than trusting the domain alone are all critical countermeasures . The platform providers themselves face pressure to implement guardrails that prevent abuse of sharing features without breaking legitimate use cases .

The LLMShare campaign represents an inflection point in phishing tactics. By weaponizing the trust that users place in major AI platforms, attackers have found a delivery mechanism that is more effective than traditional phishing emails and harder for conventional defenses to catch. As AI platforms expand and their sharing features become more sophisticated, the attack surface will only grow.