Find notable cyber news and cases, enriched with sources, timelines, and signals.

AMOS infostealer delivered through Google ads and poisoned ChatGPT/Grok lures

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The AMOS infostealer is being distributed through Google search ads that steer macOS users into poisoned ChatGPT and Grok conversations, creating a fresh path to credential theft and remote execution risk. The lure disguises malicious steps as helpful troubleshooting guidance. Victims who follow the commands can end up downloading and running the malware with root-level privileges. The campaign matters because it combines trusted search, legitimate AI chat surfaces, and a macOS-focused infostealer to increase success against everyday users.

Related Happenings

ClickFix mitigation guidance for Windows and macOS

Defensive Guidance
H score34 First: 30.06.2026 15:00 Last: 30.06.2026 15:00 Sources 1

About this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...

MacOS.Gaslight AI-analysis evasion malware

Malware Activity
H score22 First: 25.06.2026 19:23 Last: 25.06.2026 19:23 Sources 1

About this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...

Gaslight macOS implant with Telegram C2 and prompt-injection payload

Malware Activity
H score29 First: 25.06.2026 12:23 Last: 25.06.2026 12:23 Sources 1

About this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...

MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel

Malware Activity
H score30 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

Timeline

  1. 11.12.2025 01:50 2 articles · 7mo ago

    Kaspersky spots AMOS campaign via poisoned ChatGPT and Grok guides

    Initial Disclosure

    Kaspersky researchers first spotted a ClickFix campaign that abuses Google search ads to steer macOS users into poisoned ChatGPT and Grok conversations, and Huntress later confirmed widespread poisoning across troubleshooting queries such as "how to clear data on iMac" and "free up storage on Mac." The lure sends users to a base64-encoded URL that decodes into a bash script named update, shows a fake password prompt, and can download the AMOS infostealer with root-level privileges on macOS.

    Show sources