Updated June 2026: This post has been updated to include a new escalation of this attack — the "LLMShare" campaign — where attackers now use ChatGPT's own rendering capabilities to display a convincing fake outage page, tricking users into downloading malware disguised as the ChatGPT desktop app. Windows users are now targets too.
Google Ads scams aren't new — in fact, you can read about dangerous sponsored links in our previous post, How Scammers Use Sponsored Links. However, attackers have recently adopted a clever new twist that we think you should know about — and since we first published this post, that twist has evolved further still. Cybercriminals have been buying Google Ads that promote seemingly helpful AI answers to technical questions, leading users to real ChatGPT or Grok conversations hosted on legitimate platforms. But instead of offering safe troubleshooting advice, these attacks have now expanded beyond poisoned chat instructions to include entire fake web pages rendered inside legitimate ChatGPT links — designed to trick users into downloading malware disguised as the ChatGPT desktop app. Both Macs and Windows PCs are now in the crosshairs.
Reports from Huntress and Kaspersky point to a surge in sponsored ads targeting macOS users searching for routine help online. Now a new report from Push Security expands this technique to all Google search users looking for ChatGPT. For many businesses, this represents a major blind spot because staff often:
- believe Macs are immune to malware
- assume Google Ads are vetted and safe
- trust AI-generated answers more than ever
This blog breaks down what’s happening, why these attacks are suddenly so effective, and what practical steps businesses can take to protect themselves.
What’s Actually Happening: A Step-by-Step Look at the Scam
To understand why this attack is so effective, it helps to walk through how a victim typically encounters it. The flow feels completely normal — nothing about it looks suspicious, and that’s exactly why it works.
Step One: The user searches Google for help.
A staff member runs into a routine issue — “How do I clear system data on a Mac?” or “How to clear storage on a Mac”. They do what millions of people now do every day: turn to Google for a quick fix.
Step Two: A deceptive sponsored link appears at the top.
Google displays a paid ad promoting what looks like a helpful AI answer. The link points to a ChatGPT or Grok conversation, hosted on the real platform. Because it’s a sponsored result, it appears above all organic search responses and carries an implicit sense of legitimacy.
Step Three: The user lands on a real ChatGPT or Grok “shared chat.”
Shared chats are simply public links to AI-generated answers. Anyone can create them, and anyone can view them. The page looks identical to a normal AI response — friendly tone, clear explanations, step-by-step guidance.
Step Four: The AI chat instructions include a malicious Terminal command.
The instructions walk the user through typical troubleshooting steps. But buried among them is a command presented as harmless maintenance or cleanup. It sounds authoritative, and to someone without IT expertise, it appears completely routine.
Step Five: The user copies and pastes the command.
Believing they’re following safe advice from ChatGPT or Grok — surfaced by Google, no less — the user runs the command in Terminal. This single action silently downloads and installs Atomic Stealer (AMOS), a macOS infostealer capable of grabbing passwords, tokens, iCloud Keychain items, crypto wallets, and more.
Step Six: The malware runs with no warnings and no obvious red flags.
Because the user initiated the command, macOS sees it as intentional. There are no pop-ups, no blocked downloads, no security prompts. To the user, nothing appears out of the ordinary.
This step-by-step process highlights why the scam is so deceptive: every part of it looks and feels legitimate. Users trust Google. They trust AI platforms. They trust neatly formatted instructions. And attackers are exploiting that trust at every stage.
What Are “Shared Chats”? (And Why Attackers Are Using Them)
To understand why this scam works so well, it helps to know what a “shared chat” actually is. ChatGPT and Grok both include a simple feature that lets users share an AI conversation with others. Think of it like this:
Let’s say you ask ChatGPT a question and it gives you a really helpful answer — something you’d love to pass along to your family, coworkers, or anyone who might benefit. All you have to do is click “Share” in the top right corner. ChatGPT then generates a public link that anyone can open, even if they don’t have an account. It shows the conversation exactly as you saw it.
Most people use this feature for perfectly harmless reasons: sharing troubleshooting steps, recipes, coding snippets, travel plans, or prompt ideas. These links are hosted on real, trustworthy ChatGPT or Grok domains, which makes them look completely legitimate.
Attackers have figured out how powerful this is. They’re crafting malicious AI conversations and sharing them publicly. Then, they promote the shared links through Google Ads so the poisoned chat appears right at the top of people’s search results. Users click the link, see a real AI conversation on a legitimate platform, and logically assume the advice is safe.
The Attack Has Evolved: From Poisoned Advice to Fake Outage Pages
Since we first wrote about poisoned AI chats, attackers have raised the bar significantly. The original attack hid malicious Terminal commands inside a ChatGPT conversation. The newest variant, dubbed the "LLMShare" campaign by security researchers at Push Security, goes a step further — using ChatGPT's own built-in rendering capabilities to display what looks like an entirely separate, professional-looking webpage.
Here's how this upgraded version of the attack plays out:
Step One: The user clicks a Google Ad for ChatGPT.
Just like before, a paid ad appears at the top of search results. It looks legitimate — because the link genuinely does go to chatgpt.com.
Step Two: Instead of a chat conversation, the user sees a fake "outage" notice.
Rather than showing a shared chat thread, the page displays a polished error message that reads: "We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue."
This isn't a separate scam website. It's a custom HTML page that attackers built using ChatGPT's own content-rendering capabilities and published via a legitimate chatgpt.com/s/ shared link. The URL is real. The domain is real. The page is not.
Source: Bleeping Computer
Step Three: The user clicks "Download" and installs malware.
The download button leads to a convincing fake OpenAI download portal — offering both a macOS and a Windows version of what appears to be the "ChatGPT desktop app." Both versions install an infostealer capable of harvesting passwords, credentials, and sensitive data from the device.
The site even uses cloaking — showing a completely harmless website to security scanners while only displaying the malicious content to real potential victims.
Why This Escalation Matters
The original attack required victims to manually type or paste a command into their Terminal — an action that, with the right training, a cautious user might pause and question. This new variant removes that friction entirely. It just looks like a routine software download from a trusted platform.
Claude Artifacts is now being abused too. Push Security also found attackers exploiting Claude's "Artifacts" feature — Anthropic's tool for sharing rendered apps and content — to host similar ClickFix-style lures that trick users into executing malicious commands. This isn't a ChatGPT-only problem anymore. Attackers are actively scanning AI platforms for any feature that lets them publish content under a trusted domain.
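A detection sketch for the pattern described above, added here as an example and not taken from Push Security, Huntress or Kaspersky: it scans web-proxy log lines for visits to AI-platform shared-content URLs and raises the ones that carry a Google Ads click identifier. The log format and sample lines are constructed, and every path prefix other than chatgpt.com/s/ is an assumption to confirm against your own traffic.

```python
from urllib.parse import urlsplit, parse_qs

# Shared-content path prefixes per AI platform. Only chatgpt.com/s/ is named in
# the post; the other prefixes are assumptions to confirm in your own logs.
SHARED_PREFIXES = {
    "chatgpt.com": ("/s/", "/share/"),
    "grok.com": ("/share/",),
    "claude.ai": ("/public/artifacts/",),
}
# Click identifiers that Google Ads can append to a landing-page URL.
AD_PARAMS = {"gclid", "gbraid", "wbraid", "gad_source"}

def classify(url):
    """Return 'ad-to-shared', 'shared', or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().removeprefix("www.")
    prefixes = SHARED_PREFIXES.get(host)  # exact host match only
    if not prefixes or not parts.path.startswith(prefixes):
        return None
    if AD_PARAMS.intersection(parse_qs(parts.query, keep_blank_values=True)):
        return "ad-to-shared"
    return "shared"

def scan(log_text):
    """Return (user, verdict) for each 'timestamp user url' line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        _, user, url = fields
        verdict = classify(url.strip())
        if verdict:
            hits.append((user, verdict))
    return hits

# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
2026-06-02T09:14:07Z alice https://chatgpt.com/s/EXAMPLE-ID?gclid=EXAMPLE
2026-06-02T09:15:40Z bob https://chatgpt.com/share/EXAMPLE-ID
2026-06-02T09:16:02Z carol https://chatgpt.com/
2026-06-02T09:17:31Z dave https://chatgpt.com.example.invalid/s/x?gclid=EXAMPLE
2026-06-02T09:18:55Z erin https://grok.com/share/EXAMPLE-ID?utm_source=x&gad_source=1
"""

if __name__ == "__main__":
    for user, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:13} {user}")
```

Plain "shared" hits are ordinary collaboration traffic; the "ad-to-shared" ones are the combination this campaign depends on and are worth reviewing. Query strings are only visible where the proxy inspects TLS or the data comes from browser history.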
Why This Scam Works So Well
What makes this campaign so effective is how completely ordinary the user experience feels. At no point does anything feel unsafe.
Huntress captured this perfectly in their analysis, noting that the victim “believed they were following advice from a trusted AI assistant, delivered through a legitimate platform, surfaced by a search engine they use every day.”
A few key dynamics make this attack particularly convincing:
- People trust top Google results. Sponsored results feel safe, authentic, and “pre-approved” which creates a false sense of safety before the user even clicks.
- AI-generated answers look authoritative by design. The tone, format, and structure of AI troubleshooting steps mimic professional documentation. Many people have previously found success following such advice in their own personal AI chats.
- Shared chats live on legitimate domains. This isn’t a fake website. The URL really does belong to ChatGPT or Grok. As Huntress points out, “the platform is legitimate — the content is not.” Users instinctively trust what they see because everything around the malicious instruction appears genuine.
- AI platforms can now render full web pages — not just text. The newest variant of this attack doesn't just rely on a chat conversation looking trustworthy. Attackers are using ChatGPT's built-in HTML rendering to publish what looks like a completely separate webpage — a fake outage notice — all under a real chatgpt.com URL. There is no obvious visual cue to suggest anything is wrong. The page looks like a product notice, not a conversation.
- Terminal commands sound normal to non-technical users. Modern macOS troubleshooting articles routinely include command-line steps, so a harmful command doesn’t stand out. Kaspersky noted that victims “executed the command believing it to be a safe system cleanup step,” not realizing it was installing malware.
- Mac users may underestimate their risk. There is still a widespread belief that “Macs don’t get viruses,” which lowers suspicion even further.
What connects every version of this attack — from poisoned chat instructions to fake outage pages — is that nothing about the experience feels unsafe. The URL is real. The platform is real. The branding is real. Attackers aren't breaking through your defenses; they're getting you to walk through their front door voluntarily to either ask for help or download their tainted product. That's what makes this category of threat so difficult to address with technology alone, and why raising awareness through cyber education is vital for organizations.
What This Means for Businesses
For businesses, these attacks expose two gaps that most organizations haven't fully closed.
The first is the support gap. When IT support feels slow or inaccessible, staff troubleshoot on their own — Googling solutions and following whatever appears at the top of the results. This is a lot like diagnosing a medical condition through a search engine instead of consulting a doctor. It's quick, but we know it isn't a safe way to take care of our health. In fact, it could be very harmful, especially when our symptoms could have a wide range of causes and treatments.
The second is the AI access gap. If your organization hasn't provided a managed AI solution, employees will search for free consumer tools through Google instead. That search is now being actively exploited. It doesn't require a frustrated employee trying to fix their computer — it just requires someone doing their job.
If your staff are solving IT problems on their own or searching for AI tools online — and most are doing both — your business is already exposed. The good news is that both gaps are addressable, and the next section explains how.
How Businesses Can Protect Themselves
1) Make the safest option also the easiest one by offering fast, friendly IT support.
If reaching out to IT feels slow or complicated, employees will turn to Google or AI instead — and that’s exactly where attackers are waiting. A responsive IT partner changes this dynamic entirely. With Managed IT Services, submitting a helpdesk ticket becomes the fastest, simplest way to get help. Staff stop troubleshooting on their own and avoid risky “copy this command” fixes altogether.
2) Give your team access to secure, business-grade AI tools.
If employees have a trusted, IT-managed AI solution already at their fingertips, they have no reason to search for a free consumer version through Google — and no reason to click whatever sponsored link appears at the top of the results. Closing the AI access gap is now a practical cybersecurity measure, not just a productivity decision.
3) Make cybersecurity awareness training simple and accessible.
Regular, easy-to-digest training helps staff recognize red flags and confidently ask for help before acting. The right IT partner makes this training seamless to deliver, always current with emerging threats, and immediately practical for employees.
4) Protect every device — including Macs — with real security tools.
Every device in your organization needs monitoring, detection, and endpoint protection — regardless of operating system. We all know that Windows computers need protection, and the idea that "Macs don't get viruses" is certainly a myth worth correcting. A skilled IT partner ensures every device in your environment is treated with the appropriate level of security.
Conclusion
This evolving wave of Google Ads scams is a clear reminder that cyber threats don't stay still — they adapt. What began as poisoned chat instructions has grown into full fake web pages rendered on legitimate AI domains, complete with convincing download buttons, platform branding, and cross-platform malware for both Mac and Windows users. Your staff aren't doing anything unusual — they're simply searching for answers, trusting AI-generated content, and trying to fix problems so they can get back to work. Attackers are counting on exactly that.
By weaponizing legitimate platforms like ChatGPT, Claude, and Grok, and promoting poisoned conversations through Google Ads, cybercriminals have created a delivery method that feels safe from start to finish. The best defence isn’t fear — it’s creating an environment where employees never feel the need to troubleshoot alone, where they have quick access to help, where training is ongoing, and where every device (Macs included) is properly protected.
Make the “safest option also the easiest one” for your team — we can help.
Book a free Cybersecurity Assessment with allCare IT, and let’s make sure your organization is protected from the threats hiding in today’s search results and AI tools.