Malware Campaigns Leveraging AI Chat Platforms for Credential and Crypto Theft
Threat actors have launched sophisticated malware campaigns that exploit legitimate AI chat platforms, such as ChatGPT and Grok, to deliver malicious code to unsuspecting users. By using SEO poisoning and sponsored Google search results, attackers redirect users searching for common macOS troubleshooting tips to fake shared chat links on these AI platforms. These chats appear to offer helpful system instructions but actually embed obfuscated, base64-encoded commands that, when executed, install multi-stage malware. The infection process often involves social engineering tactics, such as prompting users to enter their system password under the guise of credential verification, which is then used to escalate privileges and deploy the main malware payload. Security researchers have identified the malware as variants of information stealers, including Shamus and AMOS, which are capable of stealing credentials and cryptocurrency, and employ advanced evasion techniques like multi-layered encoding and custom decoders to avoid detection.
This attack method is particularly effective because it leverages the inherent trust users place in well-known AI brands and their official domains, bypassing traditional safety checks. The campaigns highlight a growing trend in cybercrime where legitimate AI tools are weaponized to facilitate malware delivery, making detection and prevention more challenging. Security analysts emphasize the need for increased vigilance when interacting with AI-generated content, especially when prompted to execute system commands, and recommend enhanced monitoring for suspicious activity originating from AI platform interactions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Campaign details reveal macOS infostealer deployment and persistence tactics
Follow-on reporting disclosed that the attack chain uses sponsored or poisoned search results leading to fake shared chat links containing encoded commands, which prompt victims for their system password and install a multi-stage infostealer. Researchers said the malware establishes persistence with a LaunchDaemon and steals browser data, crypto wallets, Keychain contents, Telegram data, VPN profiles, and files before exfiltration.
Researchers identify ClickFix-style malware delivery via AI chat platforms
Security researchers reported a new social-engineering campaign that abuses trusted AI chatbot domains and shared chat pages surfaced through search results to trick users into running malicious commands. The activity specifically targets macOS users seeking troubleshooting help and uses fake or manipulated AI conversations as the lure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
ThreatsDay Bulletin: Spyware Alerts, Mirai Strikes, Docker Leaks, ValleyRAT Rootkit - and 20 More Stories
thehackernews.com
Open sourceHackers Leveraging LLM Shared Chats to Steal Your Passwords and Crypto
cybersecuritynews.com
Open sourceClickFix Style Attack Uses Grok, ChatGPT for Malware Delivery
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cybercriminal Abuse of AI Platforms and Search Results for Scams and Malware
Cybercriminals are increasingly exploiting AI-driven platforms and search results to conduct scams and distribute malware. Researchers have identified a technique called 'LLM phone number poisoning,' where attackers manipulate public web content to ensure that AI chatbots and search engines, such as Google's AI Overview and Perplexity's Comet browser, surface fraudulent customer support numbers as legitimate contact information. This manipulation leverages Generative Engine Optimization (GEO) and Answer Engine Optimization (AEO) to poison the data sources that large language models (LLMs) use, putting users at risk of being directed to scam call centers or phishing sites. In a related trend, attackers are also abusing the chat-sharing feature of the official ChatGPT website to host malicious guides that distribute infostealer malware targeting macOS users. By purchasing sponsored ads for search terms like 'chatgpt atlas,' threat actors lure victims to what appears to be a legitimate ChatGPT domain, where a shared chat contains instructions and links to download malware disguised as the 'Atlas browser.' These campaigns highlight the growing risk of AI platforms being weaponized for both social engineering and malware distribution, exploiting user trust in reputable AI services and search results.
Mar 21, 2026
Malicious macOS Apps and AI Chat Platforms Used to Distribute AMOS Malware
Attackers are distributing a fake version of the 'Dynamic Island for Mac' app, which mimics the legitimate application's branding and even reuses its demo video to deceive users. The malicious installer, distributed as a `.dmg` file (notably named `DynamicLake.dmg`), instructs users to drag files into the Terminal—a behavior not present in the authentic app. Security firm Jamf has analyzed this malware variant, and affected users have reported difficulties in removing the infection, while abuse reports to platforms like YouTube have so far been ineffective. Separately, cybercriminals are leveraging trusted AI chat platforms such as ChatGPT and Grok to spread the Atomic macOS Stealer (AMOS) malware. By using SEO poisoning, attackers manipulate search results to direct users to seemingly legitimate AI-hosted guides, which instruct them to run malicious code in the macOS Terminal. This code captures the user's password and installs AMOS, which targets cryptocurrency wallets and harvests sensitive data. Both campaigns exploit user trust in familiar brands and platforms, using social engineering to bypass traditional security defenses and infect macOS systems.
Mar 21, 2026
Fake AI Agent Downloads Spread Mac Infostealers via Google Ads and Claude Chats
Attackers are targeting macOS users with fake AI tool downloads promoted through **Google Ads** and public **Claude.ai** shared chats. Victims searching for terms such as “Claude mac download” are shown sponsored results that appear to reference the legitimate `claude.ai` domain, but the links redirect to shared chats containing bogus installation instructions. The lures present themselves as official guidance for running Claude-related tools on Mac, sometimes even masquerading as Apple Support content, and tell users to paste commands into Terminal that instead fetch and execute malware. Researchers said the campaign is active and uses rotating malicious chat pages and infrastructure to evade disruption. Observed payloads include Mac-focused infostealers with behavior consistent with **AMOS** and **Amatera/MacSync-style** theft, including collection of browser credentials, cookies, and **Keychain** data. The activity reflects a broader trend of threat actors disguising malware as AI agents and developer tools to exploit demand for generative AI software on macOS systems.
Jun 4, 2026