AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat
A sophisticated malware campaign exploits user trust in AI platforms to deliver the AMOS stealer. Attackers use SEO poisoning to surface malicious ChatGPT and Grok conversations offering 'helpful' macOS disk cleanup advice. These conversations contain Terminal commands that, when executed, deploy AMOS, a multi-stage malware that harvests credentials, escalates privileges, and establishes persistence. The attack bypasses traditional security measures by leveraging legitimate platforms and user behavior, making it particularly insidious. AMOS targets cryptocurrency wallets, browser data, and system information, exfiltrating sensitive data to attacker-controlled servers. This campaign represents a significant evolution in social engineering techniques, exploiting the growing reliance on AI assistants for technical guidance.
AI Analysis
Technical Summary
This threat is a campaign that delivers the AMOS stealer to macOS users by exploiting the growing trust in AI platforms such as ChatGPT and Grok. Attackers manipulate search engine results (SEO poisoning) to surface AI-generated conversations that appear to offer legitimate macOS disk cleanup advice. These conversations contain Terminal commands that, when copied and executed by the user, deploy the AMOS malware. AMOS operates in multiple stages: it first harvests credentials from the infected system, escalates privileges to gain deeper system access, and establishes persistence to maintain long-term control. The malware specifically targets cryptocurrency wallets, browser-stored data, and system information, exfiltrating this sensitive data to attacker-controlled servers. Because the lure is hosted on legitimate AI platforms and relies on user trust, the campaign bypasses traditional security controls such as antivirus and endpoint detection, which may not flag the AI-generated content or the legitimate-looking commands. The attack requires user interaction (executing the provided Terminal commands) but does not require prior system compromise or authentication. Indicators of compromise include several file hashes, IP addresses (e.g., 45.94.47.186, 45.94.47.205), domains (sanchang.org, wbehub.org), and a URL (http://putuartana.com/cleangpt) associated with the malware delivery infrastructure. This campaign represents an evolution in social engineering by weaponizing AI-generated content and user reliance on AI for technical guidance, making it a unique and insidious threat to macOS users.
Potential Impact
For European organizations, the AMOS stealer campaign poses a significant risk, particularly to those with macOS endpoints and users who rely on AI assistants for technical support or troubleshooting. The malware’s ability to harvest credentials and browser data can lead to unauthorized access to corporate accounts, email, and internal systems. Its targeting of cryptocurrency wallets is critical for organizations or individuals involved in digital asset management, potentially resulting in financial theft. Privilege escalation and persistence mechanisms allow attackers to maintain long-term access, increasing the risk of further lateral movement and data exfiltration. Because the campaign relies on the user executing Terminal commands, employees unaware of the threat may inadvertently compromise their own systems. The use of legitimate AI platforms to deliver malicious content complicates detection and response, potentially delaying incident identification. This threat could disrupt business operations, lead to data breaches, and cause reputational damage. Additionally, the campaign’s novel social engineering approach may inspire similar attacks targeting other platforms or operating systems, broadening the threat landscape in Europe.
Mitigation Recommendations
1. Implement strict user education programs emphasizing the risks of executing unverified Terminal commands, especially those sourced from AI platforms or online forums.
2. Deploy endpoint security solutions with behavioral detection capabilities that can identify suspicious privilege escalation and persistence activities on macOS.
3. Monitor network traffic for communications with known malicious IPs and domains associated with AMOS (e.g., 45.94.47.186, sanchang.org).
4. Restrict or audit the use of Terminal commands on corporate macOS devices through application control or endpoint management policies.
5. Encourage users to verify AI-generated technical advice through official or trusted IT support channels before execution.
6. Use multi-factor authentication and strong credential management to limit the impact of credential theft.
7. Regularly update macOS and security tools to ensure the latest protections are in place.
8. Implement anomaly detection for unusual access to cryptocurrency wallets or browser data.
9. Establish incident response plans that include AI-based social engineering attack scenarios.
10. Collaborate with threat intelligence providers to stay updated on emerging indicators and tactics related to AI-poisoning campaigns.
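Recommendation 3 (matching egress traffic against the network IoCs listed on this page) is shown below as an added example; it is not code from the page or from AlienVault or Huntress. The log format (`ts client dst_ip dst_host url`) and the log lines are constructed for the demonstration; the IP, domain and URL values are the ones this page lists.

```python
"""Match proxy/egress log records against the network IoCs given on this page."""
import ipaddress
from urllib.parse import urlsplit

# IoC values as listed on this page (file hashes need a separate file-hash feed).
IOC_IPS = {ipaddress.ip_address(a) for a in ("45.94.47.186", "45.94.47.205")}
IOC_DOMAINS = {"sanchang.org", "wbehub.org"}
IOC_URLS = {"http://putuartana.com/cleangpt"}

def host_matches(host):
    """True if host is an IoC domain or a subdomain of one (case- and trailing-dot-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def classify(dst_ip, dst_host, url):
    """Return the reasons a record matches the page's IoCs; an empty list means no match."""
    reasons = []
    try:
        if ipaddress.ip_address(dst_ip) in IOC_IPS:
            reasons.append(f"ip:{dst_ip}")
    except ValueError:
        pass  # malformed address field: treat as non-matching rather than crash
    if host_matches(dst_host):
        reasons.append(f"domain:{dst_host}")
    u = urlsplit(url)
    # Compare scheme://host/path only, so a port, query string or fragment cannot evade the match.
    normalized = f"{u.scheme.lower()}://{u.hostname or ''}{u.path}"
    if normalized in IOC_URLS:
        reasons.append(f"url:{url}")
    return reasons

def scan_log(lines):
    """Parse constructed 'ts client dst_ip dst_host url' records; return [(line_no, reasons)] for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        _ts, _client, dst_ip, dst_host, url = fields
        reasons = classify(dst_ip, dst_host, url)
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample log: two benign records, two matching records, one malformed line.
SAMPLE_LOG = [
    "1765370000 10.0.0.12 142.250.74.46 chatgpt.com https://chatgpt.com/share/example",
    "1765370005 10.0.0.12 45.94.47.186 putuartana.com http://putuartana.com/cleangpt",
    "1765370010 10.0.0.33 45.94.47.205 www.wbehub.org https://www.wbehub.org/api",
    "1765370015 10.0.0.33 93.184.216.34 example.org https://example.org/",
    "malformed line",
]

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}")
```

Hits carry the matching indicator so an alert can state which IoC fired; feed the real IoC list from the threat intelligence source rather than hard-coding it in production.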
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Norway, Finland, Denmark, Belgium
Indicators of Compromise
- hash: 276db4f1dd88e514f18649c5472559aed0b2599aa1f1d3f26bd9bc51d1c62166
- hash: 340c48d5a0c32c9295ca5e60e4af9671c2139a2b488994763abe6449ddfc32aa
- hash: 68017df4a49e315e49b6e0d134b9c30bae8ece82cf9de045d5f56550d5f59fe1
- hash: ab60bb9c33ccf3f2f9553447babb902cdd9a85abce743c97ad02cbc1506bf9eb
- hash: e1ca6181898b497728a14a5271ce0d5d05629ea4e80bb745c91f1ae648eb5e11
- ip: 45.94.47.186
- ip: 45.94.47.205
- url: http://putuartana.com/cleangpt
- domain: sanchang.org
- domain: wbehub.org
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust
- Adversary: null
- Pulse Id: 693962504b722e27cae01b34
- Threat Score: null
Threat ID: 693985c05f410c6b20aa8a4f
Added to database: 12/10/2025, 2:37:52 PM
Last enriched: 12/10/2025, 2:52:59 PM
Last updated: 2/7/2026, 1:30:36 PM