
Threat actors are abusing the ChatGPT "shared chat" feature to run a phishing campaign that slips past corporate web filtering. Fraudulent service-outage notices are hosted on the trusted chatgpt.com/share/ domain, so Secure Web Gateways (SWGs) and URL filters that already trust the OpenAI domain let the lure through (the page calls this domain reputation hijacking). The lure steers targets to download fake ChatGPT desktop applications for Windows (.exe) and macOS (.dmg/.pkg). These installers carry infostealer malware that exfiltrates browser cookies, session tokens and stored credentials, creating a serious risk of account takeover (ATO) and follow-on corporate data exfiltration.

  • Campaign Overview: Domain Reputation Hijacking
    • Exploits the chatgpt.com/share/ URL pattern to host malicious social engineering content.
    • Leverages the high-trust status of the OpenAI domain to bypass Secure Web Gateways (SWG).
    • Circumvents standard corporate URL filtering by utilizing legitimate, whitelisted LLM infrastructure.
  • Attack Mechanics: The Fake Outage Lure
    • Uses fraudulent "OpenAI service outage" notifications to manipulate user behavior.
    • Redirects users to install a fake "desktop client" to "resolve" perceived service issues.
    • Shifts the threat vector from traditional credential harvesting to direct malware deployment.
  • Payload Analysis: Cross-Platform Infostealers
    • Distributes malicious installers disguised as official software (.exe for Windows; .dmg/.pkg for macOS).
    • Employs infostealer payloads to quietly harvest sensitive local data.
    • Targets high-value assets including session tokens, browser cookies, and system passwords.
  • Impact and Risk Assessment
    • High risk of Account Takeover (ATO) via stolen session and authentication tokens.
    • Potential for significant corporate data breaches following initial system compromise.
    • Broad impact across both Windows and macOS corporate environments.
  • Defensive Recommendations
    • Monitor proxy and SWG logs for atypical or excessive visits to chatgpt.com/share/ links, especially when a visit is followed by an installer download from an unfamiliar host.
    • Enforce application allowlisting/control so users cannot install unapproved desktop software; deliver any sanctioned client only through managed distribution channels.
    • Pair MFA with short session lifetimes and the ability to revoke sessions centrally: a stolen session token sidesteps the login factor entirely, so prompt token invalidation after a suspected compromise matters more than the strength of the MFA prompt.
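The monitoring recommendation above is easier to act on with a concrete correlation rule. The following Python is an added example, not code from the briefing or from any of the cited vendors. It runs over a constructed sample proxy log (not real traffic) and raises two alerts: a user who fetches a .exe/.dmg/.pkg from a host outside a hypothetical trusted distribution host (software.corp.test) within a short window after visiting a chatgpt.com/share/ link, and a user who opens an unusual number of share links in a short span. Hostnames, usernames, share IDs and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Fields: timestamp user method url status
SAMPLE_LOG = """\
2025-01-15T09:00:12Z alice GET https://chatgpt.com/share/e1f2a3b4-0000-4000-8000-aaaaaaaaaaaa 200
2025-01-15T09:00:40Z alice GET https://cdn.example-download.test/ChatGPT-Desktop-Setup.exe 200
2025-01-15T09:05:10Z bob GET https://chatgpt.com/share/c0ffee00-1111-4111-8111-bbbbbbbbbbbb 200
2025-01-15T09:45:00Z bob GET https://updates.example.test/ChatGPT.dmg 200
2025-01-15T10:12:33Z carol GET https://chatgpt.com/share/11111111-2222-4222-8222-cccccccccccc 200
2025-01-15T10:13:01Z carol GET https://chatgpt.com/ 200
2025-01-15T10:20:00Z erin GET https://chatgpt.com/share/22222222-3333-4333-8333-dddddddddddd 200
2025-01-15T10:21:00Z erin GET https://software.corp.test/packages/ChatGPT.pkg 200
2025-01-15T11:00:00Z dave GET https://chatgpt.com/share/00000001-0000-4000-8000-000000000001 200
2025-01-15T11:00:05Z dave GET https://chatgpt.com/share/00000002-0000-4000-8000-000000000002 200
2025-01-15T11:00:09Z dave GET https://chatgpt.com/share/00000003-0000-4000-8000-000000000003 200
2025-01-15T11:00:14Z dave GET https://chatgpt.com/share/00000004-0000-4000-8000-000000000004 200
2025-01-15T11:00:20Z dave GET https://chatgpt.com/share/00000005-0000-4000-8000-000000000005 200
2025-01-15T11:00:27Z dave GET https://chatgpt.com/share/00000006-0000-4000-8000-000000000006 200
"""

# Hypothetical internal software-distribution host; installers fetched from it are expected.
TRUSTED_INSTALLER_HOSTS = {"software.corp.test"}
# The installer types the briefing describes for Windows and macOS.
INSTALLER_SUFFIXES = (".exe", ".dmg", ".pkg")
# Any non-empty share ID under /share/ (the exact ID format is not assumed).
SHARE_PATH = re.compile(r"^/share/[^/]+")


def parse_log(text):
    """Parse the space-separated proxy log into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url, status = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "method": method,
            "url": url,
            "status": int(status),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_share_link(url):
    """True for chatgpt.com/share/<id> URLs, the pattern the lure pages are hosted on."""
    p = urlparse(url)
    return p.hostname == "chatgpt.com" and bool(SHARE_PATH.match(p.path))


def is_untrusted_installer(url):
    """True for .exe/.dmg/.pkg downloads from any host not on the trusted distribution list."""
    p = urlparse(url)
    return p.path.lower().endswith(INSTALLER_SUFFIXES) and p.hostname not in TRUSTED_INSTALLER_HOSTS


def find_share_to_installer(events, window_minutes=15):
    """Flag (user, share_url, installer_url) when an untrusted installer is fetched
    within window_minutes after that user's most recent share-link visit."""
    window = timedelta(minutes=window_minutes)
    last_share = {}
    hits = []
    for e in events:
        if is_share_link(e["url"]):
            last_share[e["user"]] = e
        elif is_untrusted_installer(e["url"]):
            share = last_share.get(e["user"])
            if share and e["ts"] - share["ts"] <= window:
                hits.append((e["user"], share["url"], e["url"]))
    return hits


def heavy_share_link_users(events, threshold=5, window_minutes=10):
    """Return {user: peak_count} for users with more than `threshold` share-link
    visits inside any window_minutes-long span (sliding window over sorted times)."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for e in events:
        if is_share_link(e["url"]):
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, share, installer in find_share_to_installer(evs):
        print(f"ALERT share-link-then-installer user={user} lure={share} payload={installer}")
    for user, n in heavy_share_link_users(evs).items():
        print(f"ALERT excessive-share-links user={user} count={n}")
```

In the sample, alice is flagged (installer from an unfamiliar host 28 seconds after the share link), bob is not at the default 15-minute window (his download comes 40 minutes later) but is at a 60-minute window, erin is not flagged because her .pkg comes from the trusted host, and dave trips the volume rule with six share links in under a minute. Tune the window and threshold against your own baseline of legitimate share-link use before enabling the rule.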

Related posts

  1. bleepingcomputer.com — ChatGPT share links abused to host fake outage pages to deliver malware
  2. gbhackers.com — Phishing Attacks Pivot to Infostealer Malware Over Fake Login Pages
