AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat
The AMOS stealer malware campaign exploits user trust in AI platforms by using SEO poisoning to present malicious ChatGPT and Grok conversations with Terminal commands that deploy the malware on macOS systems. AMOS is a multi-stage stealer that harvests credentials, escalates privileges, and establishes persistence, targeting cryptocurrency wallets, browser data, and system information. This attack bypasses traditional security defenses by leveraging legitimate AI platforms and user behavior, representing an advanced social engineering technique. The campaign is particularly dangerous due to its use of AI-trusted sources and the execution of commands that users may perceive as safe. No authentication or prior compromise is required, and user interaction (executing Terminal commands) is necessary. The threat is medium severity but has potential for significant data loss and system compromise. Indicators include specific file hashes, IP addresses, domains, and URLs linked to the malware infrastructure. European organizations using macOS and relying on AI assistants for technical guidance are at risk, especially those with cryptocurrency assets or sensitive browser data. Mitigation requires user education, strict command execution policies, and enhanced monitoring of AI-sourced advice and terminal command usage.
AI Analysis
Technical Summary
This threat involves a sophisticated malware campaign named AMOS stealer that targets macOS users by exploiting the growing trust in AI platforms such as ChatGPT and Grok. Attackers manipulate search engine results (SEO poisoning) to surface malicious AI-generated conversations that appear to offer legitimate macOS disk cleanup advice. These conversations contain Terminal commands that, when copied and executed by users, deploy the AMOS malware. AMOS operates in multiple stages: it initially harvests credentials from the infected system, escalates privileges to gain deeper system access, and establishes persistence to maintain long-term control. The malware specifically targets cryptocurrency wallets, browser-stored data, and system information, exfiltrating this sensitive data to attacker-controlled servers. By leveraging legitimate AI platforms and user trust, the campaign bypasses traditional security controls such as antivirus and endpoint detection systems, which may not flag the AI-generated content or the legitimate-looking commands. The attack requires user interaction—executing the provided Terminal commands—but does not require prior system compromise or authentication. Indicators of compromise include several file hashes, IP addresses (e.g., 45.94.47.186, 45.94.47.205), domains (sanchang.org, wbehub.org), and URLs (http://putuartana.com/cleangpt) associated with the malware delivery infrastructure. This campaign represents an evolution in social engineering by weaponizing AI-generated content and user reliance on AI for technical guidance, making it a unique and insidious threat to macOS users.
Potential Impact
For European organizations, the AMOS stealer campaign poses a significant risk particularly to those with macOS endpoints and users who rely on AI assistants for technical support or troubleshooting. The malware’s ability to harvest credentials and browser data can lead to unauthorized access to corporate accounts, email, and internal systems. Its targeting of cryptocurrency wallets is critical for organizations or individuals involved in digital asset management, potentially resulting in financial theft. Privilege escalation and persistence mechanisms allow attackers to maintain long-term access, increasing the risk of further lateral movement and data exfiltration. The campaign’s reliance on user execution of Terminal commands means that employees unaware of the threat may inadvertently compromise their systems. The use of legitimate AI platforms to deliver malicious content complicates detection and response, potentially delaying incident identification. This threat could disrupt business operations, lead to data breaches, and cause reputational damage. Additionally, the campaign’s novel social engineering approach may inspire similar attacks targeting other platforms or operating systems, increasing the overall threat landscape in Europe.
Mitigation Recommendations
1. Implement strict user education programs emphasizing the risks of executing unverified Terminal commands, especially those sourced from AI platforms or online forums.
2. Deploy endpoint security solutions with behavioral detection capabilities that can identify suspicious privilege escalation and persistence activities on macOS.
3. Monitor network traffic for communications with known malicious IPs and domains associated with AMOS (e.g., 45.94.47.186, sanchang.org).
4. Restrict or audit the use of Terminal commands on corporate macOS devices through application control or endpoint management policies.
5. Encourage users to verify AI-generated technical advice through official or trusted IT support channels before execution.
6. Use multi-factor authentication and strong credential management to limit the impact of credential theft.
7. Regularly update macOS and security tools to ensure the latest protections are in place.
8. Implement anomaly detection for unusual access to cryptocurrency wallets or browser data.
9. Establish incident response plans that include AI-based social engineering attack scenarios.
10. Collaborate with threat intelligence providers to stay updated on emerging indicators and tactics related to AI-poisoning campaigns.
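As an added illustration of recommendation 3 (this is example code, not part of the original report or the Huntress write-up), a small Python matcher that flags DNS and proxy log lines hitting the network indicators quoted above. The key=value log layout and the sample lines are constructed; the delivery host is derived from the listed URL.

```python
import re
from urllib.parse import urlsplit

# Network indicators quoted in the report above.
IOC_IPS = {"45.94.47.186", "45.94.47.205"}
IOC_DOMAINS = {"sanchang.org", "wbehub.org"}
IOC_URLS = {"http://putuartana.com/cleangpt"}
# Derived: the host of each IoC URL, so a bare DNS lookup of the delivery host also fires.
IOC_DOMAINS |= {urlsplit(u).hostname for u in IOC_URLS}

KV_RE = re.compile(r"(\w+)=(\S+)")  # assumed key=value log layout


def domain_matches(name, iocs=IOC_DOMAINS):
    """True if name equals an IoC domain or is a subdomain of one (not a mere suffix)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def scan_line(line):
    """Return (host, indicator_type, value) for every IoC hit in one log line."""
    fields = dict(KV_RE.findall(line))
    host = fields.get("host", "?")
    hits = []
    if "query" in fields and domain_matches(fields["query"]):      # DNS lookup
        hits.append((host, "domain", fields["query"]))
    if fields.get("dst") in IOC_IPS:                                # direct connection
        hits.append((host, "ip", fields["dst"]))
    url = fields.get("url")
    if url:
        url_host = urlsplit(url).hostname or ""
        if url in IOC_URLS:                                         # exact delivery URL
            hits.append((host, "url", url))
        elif domain_matches(url_host):                              # same infrastructure
            hits.append((host, "domain", url_host))
    return hits


def scan_logs(lines):
    return [hit for line in lines for hit in scan_line(line)]


# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2025-12-10T14:01:02Z host=mac-042 proto=dns query=cdn.sanchang.org",
    "2025-12-10T14:01:05Z host=mac-042 proto=http dst=45.94.47.186 url=http://putuartana.com/cleangpt",
    "2025-12-10T14:02:11Z host=mac-017 proto=http dst=93.184.216.34 url=https://www.example.com/",
    "2025-12-10T14:03:40Z host=mac-017 proto=dns query=notsanchang.org",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print(hit)
```

The suffix check with a leading dot is deliberate: `notsanchang.org` must not match `sanchang.org`, while `cdn.sanchang.org` must.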
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Norway, Finland, Denmark, Belgium
Indicators of Compromise
- hash: 276db4f1dd88e514f18649c5472559aed0b2599aa1f1d3f26bd9bc51d1c62166
- hash: 340c48d5a0c32c9295ca5e60e4af9671c2139a2b488994763abe6449ddfc32aa
- hash: 68017df4a49e315e49b6e0d134b9c30bae8ece82cf9de045d5f56550d5f59fe1
- hash: ab60bb9c33ccf3f2f9553447babb902cdd9a85abce743c97ad02cbc1506bf9eb
- hash: e1ca6181898b497728a14a5271ce0d5d05629ea4e80bb745c91f1ae648eb5e11
- ip: 45.94.47.186
- ip: 45.94.47.205
- url: http://putuartana.com/cleangpt
- domain: sanchang.org
- domain: wbehub.org
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust
- Adversary: null
- Pulse Id: 693962504b722e27cae01b34
- Threat Score: null
Threat ID: 693985c05f410c6b20aa8a4f
Added to database: 12/10/2025, 2:37:52 PM
Last enriched: 12/10/2025, 2:52:59 PM
Last updated: 12/11/2025, 5:42:54 AM