The AMOS infostealer is piggybacking ChatGPT's chat-sharing feature | Kaspersky official blog
We break down a new infostealer attack that combines the ClickFix technique with a shared chat containing malicious user guides on the official ChatGPT website.
AI Analysis
Technical Summary
The AMOS infostealer attack is a novel social engineering campaign targeting macOS users by leveraging the official ChatGPT website's chat-sharing feature. Attackers create malicious user guides for installing a fake 'Atlas' browser on macOS by using prompt engineering to coerce ChatGPT into generating the installation instructions. These instructions are then published as publicly shared chats on chatgpt.com, making them appear legitimate and trustworthy. To lure victims, attackers use paid Google ads that appear as official ChatGPT Atlas download links, directing users to these shared chats. The guide instructs users to copy and paste a shell command into the macOS Terminal, which downloads a malicious script from a suspicious domain (atlas-extension.com) and executes it. This script prompts the user for their system password to gain elevated privileges, then installs the AMOS infostealer malware. AMOS steals sensitive data including passwords, cookies, crypto wallet information (Electrum, Coinomi, Exodus), and files from common user directories and applications like Telegram Desktop and OpenVPN Connect. Additionally, it installs a persistent backdoor that allows attackers remote access and control over the infected system. This attack is a variation of the ClickFix technique, where users are tricked into manually executing commands that compromise their systems. The campaign exploits the growing interest in AI tools and the trust users place in official domains, making it particularly insidious. Although no known exploits in the wild have been reported, the attack vector is effective due to social engineering and the use of legitimate platforms for malware distribution. The threat is classified as medium severity, given the need for user interaction and the significant data theft and persistence capabilities of AMOS.
Potential Impact
For European organizations, the AMOS infostealer poses a significant risk to confidentiality and integrity, particularly for employees using macOS devices. The theft of passwords, cookies, and crypto wallet data can lead to credential compromise, financial theft, and unauthorized access to corporate and personal accounts. The installation of a persistent backdoor increases the risk of prolonged espionage, data exfiltration, and lateral movement within networks. Organizations involved in finance, technology, and research sectors are especially vulnerable due to the sensitive nature of their data and the likelihood of macOS usage. The attack also undermines trust in AI tools and official platforms, potentially impacting user behavior and productivity. While availability impact is limited, the breach of sensitive data and remote control capabilities can lead to regulatory penalties under GDPR, reputational damage, and financial losses. The campaign’s reliance on social engineering means that even well-secured networks can be compromised if endpoint users are not adequately trained or protected.
Mitigation Recommendations
1. Conduct targeted user awareness training focused on the risks of running unverified shell commands, especially those received via online chats or search results.
2. Implement strict endpoint protection solutions on macOS devices that can detect and block known infostealer behaviors and suspicious network connections.
3. Enforce application whitelisting and restrict execution of scripts or commands from untrusted sources.
4. Monitor network traffic for connections to suspicious domains such as atlas-extension.com and block them at the firewall or DNS level.
5. Encourage users to verify any installation instructions by consulting trusted IT personnel or using AI tools to analyze suspicious commands before execution.
6. Employ multi-factor authentication (MFA) across all critical systems to reduce the impact of stolen credentials.
7. Regularly audit and monitor for unusual user activity and persistence mechanisms indicative of backdoor installations.
8. Collaborate with security vendors to stay updated on emerging threats exploiting AI platforms and adjust defenses accordingly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Switzerland, Belgium
Technical Details
- Article source: https://www.kaspersky.com/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/54928/ (fetched 2025-12-09T09:38:43Z, 1616 words)
Threat ID: 6937ee2327e9f45fce633bc9
Added to database: 12/9/2025, 9:38:43 AM
Last enriched: 12/9/2025, 9:38:59 AM
Last updated: 12/10/2025, 8:29:10 AM