- AMOS operators used malvertising and poisoned ChatGPT/Grok conversations to push Mac malware
- Fake “free disk space” guides tricked users into running Terminal commands that installed AMOS
- Campaign abused Google ads and trusted AI platforms, boosting credibility and infection success
AtomicOS (AMOS) criminals are using a combination of malvertising and GenAI response poisoning to trick MacOS users into downloading malware. This is according to cybersecurity researchers Huntress, who claim not only to have observed the attacks in the wild, but to have replicated the same results as other victims, as well.
In a blog post published earlier this week, Huntress said that AMOS maintainers first created two AI conversations: one with ChatGPT, and one with Grok.
These conversations were about freeing up disk space on a MacOS device, and included instructions on how to do it. The instructions are fake, though, and instead tell the user to bring up the Terminal app and type in a command that downloads and runs the AMOS infostealer.
A twist to ClickFix
From there, they purchased ad space on Google in order to promote these conversations. That way, when a user searches something like “how to clear disk space on MacOS”, these poisoned conversations would be displayed at the very top of the search engine results page.
Apparently, the trick worked, because Huntress was brought in to investigate a case of AMOS infections. For those who are unaware, AMOS is an infamous MacOS infostealer, capable of stealing sensitive data, passwords, cryptocurrency wallet information, and more.
The scam works similarly to ClickFix, another technique that tricks victims into running Terminal commands. The only difference is that in this case, the victims are actually proactively searching for a solution to a real problem, rather than to a non-existent one. What makes this campaign more dangerous, is that it abuses not one, but three trusted services - Google’s search engine, ChatGPT, and Grok’s responses.
At the end of the day, both of the conversations are hosted on their respective platforms, increasing the perceived legitimacy of both instructions. It is unclear how AMOS operators managed to get ChatGPT and Grok to display these results, though.
Via Apple Insider
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
