Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

AMOS infostealer delivered through Google ads and poisoned ChatGPT/Grok lures

Malware Activity
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

The AMOS infostealer is being distributed through Google search ads that steer macOS users into poisoned ChatGPT and Grok conversations, creating a fresh path to credential theft and remote execution risk. The lure disguises malicious steps as helpful troubleshooting guidance. Victims who follow the commands can end up downloading and running the malware with root-level privileges. The campaign matters because it combines trusted search, legitimate AI chat surfaces, and a macOS-focused infostealer to increase success against everyday users.

Related Happenings

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

Open Happening

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

Open Happening

MacSync macOS infostealer with dynamic AppleScript and in-memory execution

Malware Activity
First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...

Latest development: 10.05.2026 20:52

A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.

Open Happening

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...

Open Happening

BeatBanker Android phishing campaign targeting Brazilian users

Campaign
First: 12.03.2026 09:56 Last: 12.03.2026 09:56 Sources 1

About this happening: A **BeatBanker** Android phishing campaign is targeting **Brazilian users**, creating a risk of device compromise and payment theft. The lure uses **Google Play Store** lookalike...

Open Happening

Timeline

  1. 11.12.2025 01:50 2 articles · 5mo ago

    Kaspersky spots AMOS campaign via poisoned ChatGPT and Grok guides

    Initial Disclosure

    Kaspersky researchers first spotted a ClickFix campaign that abuses Google search ads to steer macOS users into poisoned ChatGPT and Grok conversations, and Huntress later confirmed widespread poisoning across troubleshooting queries such as "how to clear data on iMac" and "free up storage on Mac." The lure sends users to a base64-encoded URL that decodes into a bash script named update, shows a fake password prompt, and can download the AMOS infostealer with root-level privileges on macOS.

    Show sources
    Open in new tab