Cybercriminal Abuse of AI Platforms and Search Results for Scams and Malware
Cybercriminals are increasingly exploiting AI-driven platforms and search results to conduct scams and distribute malware. Researchers have identified a technique called 'LLM phone number poisoning,' where attackers manipulate public web content to ensure that AI chatbots and search engines, such as Google's AI Overview and Perplexity's Comet browser, surface fraudulent customer support numbers as legitimate contact information. This manipulation leverages Generative Engine Optimization (GEO) and Answer Engine Optimization (AEO) to poison the data sources that large language models (LLMs) use, putting users at risk of being directed to scam call centers or phishing sites.
In a related trend, attackers are also abusing the chat-sharing feature of the official ChatGPT website to host malicious guides that distribute infostealer malware targeting macOS users. By purchasing sponsored ads for search terms like 'chatgpt atlas,' threat actors lure victims to what appears to be a legitimate ChatGPT domain, where a shared chat contains instructions and links to download malware disguised as the 'Atlas browser.' These campaigns highlight the growing risk of AI platforms being weaponized for both social engineering and malware distribution, exploiting user trust in reputable AI services and search results.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Malwarebytes documents additional AMOS variants and infection-chain details
Malwarebytes reported that poisoned public AI chats were appearing in Google results and detailed a multi-stage AMOS deployment using base64-decoded payloads, malicious bash scripts, privilege escalation, and persistence. It also linked the broader campaign to the fake "OpenAI Atlas browser for macOS" variant and published remediation advice for suspected infections.
Huntress and BleepingComputer expand analysis of AMOS AI-chat malvertising
Follow-on reporting said Huntress confirmed the AMOS campaign was broader than a single lure, with malicious shared ChatGPT and Grok guides targeting users searching for macOS troubleshooting advice. The analysis added technical details including LaunchDaemon persistence, crypto-wallet trojanization, and AMOS's newer backdoor capabilities.
Aurascape discloses 'LLM phone number poisoning' scam technique
Researchers at Aurascape's Aura Labs identified a separate AI-abuse technique in which attackers seed fraudulent phone numbers across public websites so LLM-based assistants and AI search tools return scam contact details to users. They observed real cases involving fake airline customer support numbers surfaced by AI systems.
Kaspersky identifies ChatGPT share abuse in a ClickFix-style AMOS campaign
Kaspersky reported a new ClickFix-style campaign abusing ChatGPT's chat-sharing feature and paid Google search ads to deliver AMOS and a persistent backdoor from attacker-controlled infrastructure. The company described how victims were tricked into running shell commands from a shared ChatGPT conversation hosted on a legitimate domain.
Attackers poison AI chats and search results to spread AMOS on macOS
Threat actors began using Google ads, SEO poisoning, and shared ChatGPT and Grok conversations to lure macOS users seeking troubleshooting help into copying Terminal commands that install the Atomic macOS Stealer (AMOS). The campaign included fake guides such as an "Atlas browser for macOS" installation and other macOS help topics.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Google ads funnel Mac users to poisoned AI chats that spread the AMOS infostealer
malwarebytes.com
Open sourceHow online search and AI can install malware
eclecticlight.co
Open sourceGoogle ads for shared ChatGPT, Grok guides push macOS infostealer malware
bleepingcomputer.com
Open sourceScammers are poisoning AI search results to steer you straight into their traps - here's how
zdnet.com
Open sourceInfostealer has entered the chat
kaspersky.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malware Campaigns Leveraging AI Chat Platforms for Credential and Crypto Theft
Threat actors have launched sophisticated malware campaigns that exploit legitimate AI chat platforms, such as ChatGPT and Grok, to deliver malicious code to unsuspecting users. By using SEO poisoning and sponsored Google search results, attackers redirect users searching for common macOS troubleshooting tips to fake shared chat links on these AI platforms. These chats appear to offer helpful system instructions but actually embed obfuscated, base64-encoded commands that, when executed, install multi-stage malware. The infection process often involves social engineering tactics, such as prompting users to enter their system password under the guise of credential verification, which is then used to escalate privileges and deploy the main malware payload. Security researchers have identified the malware as variants of information stealers, including Shamus and AMOS, which are capable of stealing credentials and cryptocurrency, and employ advanced evasion techniques like multi-layered encoding and custom decoders to avoid detection. This attack method is particularly effective because it leverages the inherent trust users place in well-known AI brands and their official domains, bypassing traditional safety checks. The campaigns highlight a growing trend in cybercrime where legitimate AI tools are weaponized to facilitate malware delivery, making detection and prevention more challenging. Security analysts emphasize the need for increased vigilance when interacting with AI-generated content, especially when prompted to execute system commands, and recommend enhanced monitoring for suspicious activity originating from AI platform interactions.
Mar 21, 2026
Threat Actors Abuse Generative AI for Scams, Influence Operations, and ClickFix Social Engineering
OpenAI reported multiple cases of **malicious use of ChatGPT and related API access** spanning financially motivated fraud and government-aligned information operations, including romance scams, fake legal services, coordinated influence campaigns, and a state-linked harassment effort. In one detailed case (“**Operation Date Bait**”), actors used ChatGPT accounts and an API customer to generate ad copy for a fake dating service, drive victims to *Telegram*, and run semi-automated “missions” that required escalating payments; OpenAI said it banned accounts involved and noted the group’s claimed revenues could not be independently verified. OpenAI also described model use for translation, persona development, and internal coordination (e.g., generating status reports and assigning targets projected payout values), and cited evidence such as repeated text patterns posted by multiple X accounts. Google’s Threat Intelligence Group (GTIG) separately assessed that **nation-state threat actors** are operationalizing LLMs (including *Gemini* and other tools) for reconnaissance, victim targeting, and generating culturally fluent, multi-turn “rapport-building” phishing lures. GTIG also observed abuse of generative AI services’ public sharing features to host deceptive content used in **ClickFix** campaigns, where victims are tricked into copying and pasting malicious commands into a terminal; the activity was first observed in early December 2025. The reporting highlights a converging trend: adversaries are using LLMs to scale and localize social engineering while shifting delivery mechanisms toward trusted AI platforms and shared content features to increase credibility and reach.
Mar 21, 2026
AI-Enabled Phishing and Malware Delivery Trends
Security researchers and industry commentary describe a broader rise in **AI-assisted cybercrime**, with attackers using generative AI to improve phishing lures, clone legitimate login pages, and scale social-engineering operations. Reporting highlights that phishing remains a leading initial access vector, while **phishing-as-a-service** and AI-generated content are making campaigns more convincing and easier to produce at volume. IBM similarly warns that AI is acting as a force multiplier for attackers, lowering the cost of malware development and enabling more disposable, harder-to-attribute malicious tooling. Kaspersky documented active campaigns in which threat actors used **Google Search ads** and fake documentation pages to distribute the **AMOS** infostealer on macOS and **Amatera** on Windows, disguising the malware as popular AI tools including **OpenClaw**, **Claude Code**, and **Doubao**. By contrast, ZDNET's article focuses on the business and product-security shortcomings of Moltbook and OpenClaw acquisitions rather than a specific threat campaign, making it adjacent but not part of the same security event. The material overall is **not fluff** because it includes substantive threat reporting and technical security analysis, even though the references describe related developments rather than one discrete incident.
Mar 21, 2026