Cybercriminals Exploit ChatGPT and Grok Chats to Spread AMOS Malware to Macs


Cybercriminals have launched a sophisticated campaign exploiting trusted artificial intelligence platforms, including ChatGPT and Grok, to distribute malware to Apple computers without requiring file downloads.

On 5 December, the security firm Huntress discovered that attackers are utilising “SEO poisoning” to manipulate Google search results. Users seeking technical advice for common issues—such as “how to free up space on macOS” or “how to clean data on an iMac”—are presented with links to chats hosted on OpenAI’s ChatGPT and xAI’s Grok at the top of their search results.

These pages appear legitimate, featuring professional formatting, numbered steps, and reassuring phrases such as “safely deletes” and “does not touch your personal data”. However, the guides instruct users to copy a specific snippet of code and paste it directly into the macOS Terminal.

How does the infection work?

Unlike traditional attacks that rely on fake websites or malicious file downloads, this method exploits the reputation of official AI platforms. Once the user executes the command in the Terminal, a script runs that prompts the user for their password.

The malware validates the password in the background using the built-in directory-service utility dscl with its -authonly option. This check runs without displaying the standard macOS authentication window or triggering any security notification. If the password is correct, the script saves it in plain text and immediately uses the sudo command to gain administrative privileges.

With this elevated access, the script installs the core component of the Atomic macOS Stealer (AMOS) in a hidden folder named .helper within the user’s directory.

What does the malware do?

Once installed, AMOS targets cryptocurrency wallet applications such as Ledger Wallet and Trezor Suite. It replaces the legitimate software with counterfeit versions designed to harvest seed phrases. Additionally, the malware extracts passwords saved in browsers, macOS keychain entries, and other sensitive files, sending the data to servers controlled by the attackers.

The malware maintains persistence through a LaunchDaemon that executes a hidden monitoring script. This “watchdog” checks every second whether the main executable is running. If the process stops, the script automatically restarts it, meaning that neither rebooting the computer nor manually closing processes will disable the infection.

Why are users falling for it?

Huntress researchers noted that the attackers generate these malicious prompts, make the chat logs public, and pay to promote them on Google. The attack bypasses traditional scepticism because users are following instructions from a well-known AI platform to perform a task that legitimately requires Terminal access.

“The entire infection chain appears to be normal and safe behavior,” Huntress reported. “Users aren’t being careless. They’re not ignoring security prompts.”

The firm verified that the manipulated pages appeared consistently across multiple query variations. Security experts advise users not to paste commands into the Terminal or a browser address bar if their origin is uncertain, even when the instructions appear on a reputable domain. Companies are urged to monitor for anomalous behaviour, such as unexpected use of dscl -authonly or hidden scripts in user home directories.
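A defender-side triage helper, added here as an example (not code from Huntress or the article): it flags launch jobs that run a script from a hidden folder inside a user's home directory and process-telemetry records showing dscl -authonly, the two indicators the article points to. The sample plists, the telemetry record shape and the path /Users/alice/.helper are constructed for the example.

```python
import plistlib
import re
from pathlib import PurePosixPath

# Heuristic: a launch job whose program or arguments live in a dot-directory
# directly under a user's home (e.g. /Users/<name>/.helper/...).
HIDDEN_USER_PATH = re.compile(r"^/Users/[^/]+/\.[^/]+/")

def plist_findings(plist_bytes: bytes) -> list:
    """Reasons a LaunchDaemon/LaunchAgent plist matches the watchdog pattern."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    reasons = [f"runs hidden per-user path: {a}" for a in args if HIDDEN_USER_PATH.match(a)]
    # KeepAlive is launchd's generic auto-restart flag (assumption, not a claim about AMOS).
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunched if the process is killed")
    return reasons

def authonly_findings(records: list) -> list:
    """Flag dscl -authonly runs in process telemetry (constructed record shape)."""
    return [f"{r['parent']} -> dscl -authonly (silent password validation)"
            for r in records
            if PurePosixPath(r["exe"]).name == "dscl" and "-authonly" in r["args"]]

# Constructed samples; /Users/alice/.helper is a placeholder path.
WATCHDOG_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array>
<string>/bin/sh</string><string>/Users/alice/.helper/watchdog.sh</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
PROC_RECORDS = [
    {"parent": "/bin/bash", "exe": "/usr/bin/dscl", "args": [".", "-authonly", "alice", "[redacted]"]},
    {"parent": "/usr/sbin/sshd", "exe": "/usr/bin/dscl", "args": [".", "-read", "/Users/alice"]},
]

if __name__ == "__main__":
    for name, data in (("watchdog", WATCHDOG_PLIST), ("benign", BENIGN_PLIST)):
        print(name, plist_findings(data) or "clean")
    print(authonly_findings(PROC_RECORDS))
```

On a real host, feed plist_findings the files under /Library/LaunchDaemons and each user's ~/Library/LaunchAgents, and adapt authonly_findings to whatever field names your EDR or unified-log export uses.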