Kaspersky has identified a fresh malware campaign impacting macOS user accounts by using paid ads for Google searches and shared conversations available on the official ChatGPT Website. The campaign distributes AMOS, a potent stealer for macOS, with a persistent backdoor that provides continuous access to infected systems.
Kaspersky explains that attackers are purchasing promoted search ads linking keywords such as ChatGPT Atlas, which leads to a page that appears to be an installation guide for ChatGPT Atlas for macOS. The page is hosted on chatgpt.com, and it is supposedly a shared conversation among the users of ChatGPT, which gives it a sense that it is authentic.
The ‘guide’ states that the user needs to copy a line of code, open a ‘Terminal app’ on a ‘macOS device,’ and agree to all the requested permissions by pasting the copied command into the app. In reality, the command executed by the victim fetches the malicious script hosted externally, via the domain ‘atlas-extension[.]com.’
As seen in Kaspersky’s assessment, this malware repeatedly prods users for their system password, which it then verifies by attempting system-level commands. When users enter their correct password, this malicious practice uses these credentials to download and install the AMOS infostealer malware. This malware is a ‘ClickFix’ spawn, which functions by deceiving users into executing malicious system commands manually.
After installation, it collects passwords, cookies from major browsers, data from crypto wallets like Electrum, Coinomi, and Exodus wallets, as well as data from applications such as Telegram Desktop and OpenVPN Connect. Additionally, it searches for TXT, PDF, and DOCX format files in popular folders as well as notes from the macOS Notes app.
Also Read: Crypto Users Targeted as Fake Zoom Malware Campaign Drains $300 Million
Another malware component installed on the victim’s device is a backdoor that survives system restarts. Kaspersky explained that infostealers are one of the quickest-growing malware threats in 2025, with cybercriminals resorting to AI-themed lures to seem credible.
The company asked users not to execute unsolicited Terminal commands and to maintain up-to-date security software on their macOS environments.