Kaspersky Threat Research has identified a new malware campaign that uses paid Google search ads and shared conversations on the official ChatGPT website to trick Mac users into running a command that installs the AMOS (Atomic macOS Stealer) infostealer and a persistent backdoor on their devices.
In the campaign, attackers buy sponsored search ads for queries such as “chatgpt atlas” and direct users to a page that appears to be an installation guide for “ChatGPT Atlas for macOS” hosted at chatgpt.com. In reality, the page is a shared ChatGPT conversation generated through prompt engineering and then sanitized so that only the step-by-step “installation” instructions remain. The guide instructs users to copy a single line of code, open Terminal on macOS, paste the command, and grant all requested permissions.
Kaspersky researchers analysis shows that the command downloads and executes a script from the external domain atlas-extension[.]com. The script repeatedly prompts the user for their system password and validates the password by attempting to run system commands. Once the correct password is supplied, the script downloads the AMOS infostealer, uses the stolen credentials to install it, and launches the malware. The infection flow represents a variation of the so-called ClickFix technique, in which users are persuaded to manually execute shell commands that retrieve and run code from remote servers.
After installation, AMOS collects data that can be monetized or reused in later intrusions. The malware targets passwords, cookies, and other information from popular browsers, data from cryptocurrency wallets such as Electrum, Coinomi, and Exodus, and information from applications including Telegram Desktop and OpenVPN Connect. It also searches for files with TXT, PDF, and DOCX extensions in the Desktop, Documents, and Downloads folders, as well as files stored by the Notes application, then exfiltrates this data to attacker-controlled infrastructure. In parallel, the attack installs a backdoor that is configured to start automatically on reboot, gives remote access to the compromised system, and duplicates much of AMOS’s data-collection logic.
The campaign reflects a broader trend in which infostealers have become one of 2025’s fastest-growing threats, with attackers actively experimenting with AI-related themes, fake AI tools, and AI-generated content to increase the credibility of their lures. Recent waves have included fake AI browser sidebars and fraudulent clients for popular models; the Atlas-themed activity extends this pattern by abusing a legitimate AI platform’s built-in content-sharing feature.
“What makes this case effective is not a sophisticated exploit, but the way social engineering is wrapped in a familiar AI context,” said Vladimir Gursky, Malware Analyst at Kaspersky. “A sponsored link leads to a well-formatted page on a trusted domain, and the ‘installation guide’ is just a single Terminal command. For many users, that combination of trust and simplicity is enough to bypass their usual caution, yet the result is full compromise of the system and long-term access for the attacker.”
