Researchers at Huntress have uncovered a highly advanced macOS attack that leverages trusted AI platforms like ChatGPT and Grok to distribute the Atomic macOS Stealer (AMOS). This campaign, detected in December 2025, represents a dangerous evolution in social engineering and malware delivery.
How the Attack Works
Threat actors use malicious SEO techniques to push poisoned AI-generated conversations to the top of Google search results. When users search for queries like:
- “Clear disk space on macOS”
- “Free up storage on iMac”
They encounter what appear to be legitimate ChatGPT or Grok pages hosted on official domains (chatgpt.com, grok.com). These pages provide step-by-step troubleshooting guides with formatted commands and reassuring language, convincing users the instructions are safe.
However, the Terminal commands include base64-encoded payloads that silently download and execute the AMOS loader. No files are visibly downloaded, no alerts are triggered, and macOS Gatekeeper is bypassed entirely.
Credential Theft and Persistence
Once executed, the malicious script:
- Prompts for the system password under the guise of authentication.
- Validates and stores the password in a hidden .passfile.
- Uses sudo -S for privilege escalation without further user interaction.
- Installs a hidden Mach-O binary named .helper in the home directory.
- Deploys a LaunchDaemon and AppleScript watchdog for persistence.
The stealer then exfiltrates:
- Passwords and browser data
- Cryptocurrency wallets
- macOS Keychain credentials
Data is sent to remote servers at 45.94.47.186 and sanchang.org. In some cases, legitimate wallet apps like Ledger Wallet and Trezor Suite are replaced with trojanized versions to capture seed phrases.
Why This Attack Is Different
Unlike traditional exploits, this campaign does not rely on software vulnerabilities. Instead, it weaponizes psychological trust in AI platforms and search engine rankings, creating an infection flow that feels authentic and safe.
This marks a significant evolution from earlier ClickFix-style attacks, merging social engineering with AI trust exploitation.
How to Stay Safe
- Never run Terminal commands from unverified sources.
- Avoid copying commands from AI-generated pages without validation.
- Use endpoint protection and monitor for suspicious LaunchDaemons.
- Regularly audit installed applications and system processes.
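As an added illustration of the last two recommendations (this is example code, not Huntress's tooling), the Python audit below flags LaunchDaemon plists whose program arguments point at a dotfile or into a user home directory, or invoke osascript, and checks a home directory for the .passfile and .helper artifacts named above. The artifact names come from the report; everything else (label names, paths in the self-test) is assumed.

```python
import plistlib
from pathlib import Path

# Hidden files the loader drops in the victim's home directory, per the report.
HOME_ARTIFACTS = (".passfile", ".helper")
LAUNCH_DAEMON_DIR = Path("/Library/LaunchDaemons")


def has_hidden_component(text: str) -> bool:
    """True if any path element in `text` (a plist argument) is a dotfile, e.g. /Users/x/.helper."""
    for word in text.split():
        for part in word.split("/"):
            if part.startswith(".") and part not in (".", ".."):
                return True
    return False


def flag_launch_daemon(plist_bytes: bytes) -> list[str]:
    """Return reasons a LaunchDaemon plist matches the watchdog pattern; an empty list means clean."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:  # malformed or non-plist content in this directory is itself worth a look
        return ["unparseable plist"]
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if "Program" in job:
        args.insert(0, str(job["Program"]))
    reasons = []
    for token in args:
        if has_hidden_component(token):
            reasons.append(f"runs hidden path: {token}")
        # A root-level daemon that executes something out of a user home is atypical.
        if any(w.startswith("/Users/") for w in token.split()):
            reasons.append(f"references user home: {token}")
        if "osascript" in token:  # AppleScript-based watchdog loop
            reasons.append(f"invokes osascript: {token}")
    return reasons


def hidden_home_artifacts(home: str) -> list[str]:
    """Return the named hidden artifacts that exist directly under `home`."""
    return [str(Path(home) / n) for n in HOME_ARTIFACTS if (Path(home) / n).exists()]


if __name__ == "__main__":
    for plist in sorted(LAUNCH_DAEMON_DIR.glob("*.plist")):
        for reason in flag_launch_daemon(plist.read_bytes()):
            print(f"{plist}: {reason}")
    for home in Path("/Users").glob("*"):
        for artifact in hidden_home_artifacts(str(home)):
            print(f"{home}: hidden artifact {artifact}")
```

A hit is a lead for manual review of the plist and the file it launches, not a verdict; legitimate third-party daemons occasionally match the user-home heuristic.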