{"id":24988,"date":"2025-12-09T04:32:33","date_gmt":"2025-12-09T09:32:33","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=24988"},"modified":"2025-12-11T16:44:28","modified_gmt":"2025-12-11T12:44:28","slug":"share-chatgpt-chat-clickfix-macos-amos-infostealer","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/share-chatgpt-chat-clickfix-macos-amos-infostealer\/24988\/","title":{"rendered":"Infostealer has entered the chat"},"content":{"rendered":"

Infostealers \u2014 malware that steals passwords, cookies, documents, and\/or other valuable data from computers \u2014 have become 2025\u2019s fastest-growing cyberthreat<\/a>. This is a critical problem for all operating systems and all regions. To spread their infection, criminals use every possible trick to use as bait. Unsurprisingly, AI tools have become one of their favorite luring mechanisms this year. In a new campaign discovered by Kaspersky experts, the attackers steer their victims to a website that supposedly contains user guides for installing OpenAI\u2019s new Atlas browser for macOS. What makes the attack so convincing is that the bait link leads\u00a0to\u2026 the official ChatGPT website! But how?\n<\/p>\n

The bait-link in search results<\/h2>\n

\nTo attract victims, the malicious actors place paid search ads on Google. If you try to search for \u201cchatgpt atlas\u201d, the very first sponsored link could be a site whose full address isn\u2019t visible in the ad, but is clearly located on the chatgpt.com<\/em> domain.<\/p>\n

The page title in the ad listing is also what you\u2019d expect: \u201cChatGPT\u2122 Atlas for macOS \u2013 Download ChatGPT Atlas for Mac\u201d. And a user wanting to download the new browser could very well click that link.<\/p>\n

\"A<\/a>

A sponsored link in Google search results leads to a malware installation guide disguised as ChatGPT Atlas for macOS and hosted on the official ChatGPT site. How can that be?<\/p><\/div>\n

The Trap<\/h2>\n

\nClicking the ad does indeed open chatgpt.com, and the victim sees a brief installation guide for the \u201cAtlas browser\u201d. The careful user will immediately realize this is simply some anonymous visitor\u2019s conversation with ChatGPT, which the author made public using the Share feature. Links to shared chats begin with chatgpt.com\/share\/<\/em>. In fact, it\u2019s clearly stated right above the chat: \u201cThis is a copy of a conversation between ChatGPT & anonymous\u201d.<\/p>\n

However, a less careful or just less AI-savvy visitor might take the guide at face value \u2014 especially since it\u2019s neatly formatted and published on a trustworthy-looking site.<\/p>\n

Variants of this technique have been seen before \u2014 attackers have abused other services that allow sharing content on their own domains: malicious documents in Dropbox, phishing in Google Docs<\/a>, malware in unpublished comments on GitHub and GitLab<\/a>, crypto traps in Google Forms<\/a>, and more. And now you can also share a chat with an AI assistant, and the link to it will lead to the chatbot\u2019s official website.<\/p>\n

Notably, the malicious actors used prompt engineering to get ChatGPT to produce the exact guide they needed, and were then able to clean up their preceding dialog to avoid raising suspicion.<\/p>\n

\"Malware<\/a>

The installation guide for the supposed Atlas for macOS is merely a shared chat between an anonymous user and ChatGPT in which the attackers, through crafted prompts, forced the chatbot to produce the desired result and then sanitized the dialog<\/p><\/div>\n

The infection<\/h2>\n

\nTo install the \u201cAtlas browser\u201d, users are instructed to copy a single line of code from the chat, open Terminal on their Macs, paste and execute the command, and then grant all required permissions.<\/p>\n

The specified command essentially downloads a malicious script from a suspicious server, atlas-extension{.}com<\/em>, and immediately runs it on the computer. We\u2019re dealing with a variation of the ClickFix attack<\/a>. Typically, scammers suggest \u201crecipes\u201d like these for passing CAPTCHA, but here we have steps to install a browser. The core trick, however, is the same: the user is prompted to manually run a shell command that downloads and executes code from an external source. Many already know not to run files downloaded from shady sources, but this doesn\u2019t look like launching a file.<\/p>\n

When run, the script asks the user for their system password and checks if the combination of \u201ccurrent username + password\u201d is valid for running system commands. If the entered data is incorrect, the prompt repeats indefinitely. If the user enters the correct password, the script downloads the malware and uses the provided credentials to install and launch it.\n<\/p>\n

The infostealer and the backdoor<\/h2>\n

\nIf the user falls for the ruse, a common infostealer known as AMOS<\/a> (Atomic macOS Stealer) will launch on their computer. AMOS is capable of collecting a wide range of potentially valuable data: passwords, cookies, and other information from Chrome, Firefox, and other browser profiles; data from crypto wallets like Electrum, Coinomi, and Exodus; and information from applications like Telegram Desktop and OpenVPN Connect. Additionally, AMOS steals files with extensions TXT, PDF, and DOCX from the Desktop, Documents, and Downloads folders, as well as files from the Notes application\u2019s media storage folder. The infostealer packages all this data and sends it to the attackers\u2019 server.<\/p>\n

The cherry on top is that the stealer installs a backdoor, and configures it to launch automatically upon system reboot. The backdoor essentially replicates AMOS\u2019s functionality, while providing the attackers with the capability of remotely controlling the victim\u2019s computer.\n<\/p>\n

How to protect yourself from AMOS and other malware in AI chats<\/h2>\n

\nThis wave of new AI tools allows attackers to repackage old tricks and target users who are curious about the new technology but don\u2019t yet have extensive experience interacting with large language models.<\/p>\n

We\u2019ve already written about a fake chatbot sidebar for browsers<\/a> and fake DeepSeek and Grok clients<\/a>. Now the focus has shifted to exploiting the interest in OpenAI Atlas, and this certainly won\u2019t be the last attack of its kind.<\/p>\n

What should you do to protect your data, your computer, and your money?\n<\/p>\n