Atomic macOS stealer is spreading via ChatGPT and Grok answers: Header image
Emerging Threats 6 min read

Atomic macOS stealer is spreading via ChatGPT and Grok answers

byRay Fernandez

Published:Dec 19, 2025

The infamous AMOS stealer is back in the news, this time using a rather novel and terrifyingly simple technique to trick users into installing malware on their Macs.

As the use of AI advances, black hat hackers are leveraging these tools in innovative new ways. This new campaign speaks to the trend. Here’s how cybercriminals are using ChatGPT and Grok to reach Mac users. 

Recently, Huntress reported a rare new encounter with AMOS in the wild. The company said that while this new AMOS stealer did all the things the old version did, including stealing your data, stealing your crypto, creating a backdoor, and remaining hidden on your Mac, they could not determine how exactly it got into the breached device.

The company first looked for phishing emails, ClickFix lures, and trojan software impersonation downloads. They found none of these. But what they did find was shocking. 

article snippet with Moonlock logo

Shield your Mac from Atomic Stealer

Moonlock offers bulletproof protection against Atomic Stealer. Even if you click the wrong link, Moonlock will block the malware from infecting your Mac.
try 7 days free

Cybercriminals had created a set of simple IT instructions for Mac users on Grok and ChatGPT that bypass all security guardrails. Then they created a shareable link of that conversation and promoted those ChatGPT and Grok links on Google.

The result? When Mac users Googled “How to clean my Mac disk space” or other similar IT Apple device queries, they were directed to shareable ChatGPT and Grok links that contained malicious code.  

A screenshot showing the shareable link used to spread AMOS.
Huntress shared a screenshot of the shareable link used to spread AMOS. Image: Screenshot, Moonlock. ChatGPT is a trademark of OpenAI.

The way cybercriminals promoted these shareable public AI chat links was through Search Engine Optimization (SEO) techniques and sponsored ads, as seen in the image below.  

The screenshot showing how hackers abused SEO and ads, shared by Huntress.
Huntress shared a screenshot of how hackers abused SEO and ads. Image: Screenshot, Moonlock. Google Search is a trademark of Google LLC.

A reminder of what AMOS can do if it gets onto your Mac

The AMOS variant in this campaign has the same capabilities as others seen in the wild. 

AMOS can: 

  • Empty crypto wallets: AMOS looks for popular wallet apps like Electrum, Exodus, MetaMask, Ledger Live, Coinbase Wallet, and others you might have installed.
  • Steal browser info: AMOS grabs saved passwords, cookies, autofill details, and login sessions from Chrome, Safari, Firefox, and other browsers.
  • Snoop on Keychain: This stealer digs into the macOS Keychain to pull app passwords, Wi-Fi login credentials, and security certificates.
  • Hunt for files: It scans your Mac for wallet files, settings, and other sensitive documents.
  • Send it all out: AMOS then packs up everything it finds and quietly sends it off to servers controlled by the attacker.
A screenshot showing an example of stealer code.
Classic AMOS code, which all other stealers in some way copied, is going after your crypto wallets. Image: shared by Huntress, Screenshot Moonlock.

To show how easy it is to create shareable links on AI platforms and raise awareness on the risks of public AI shareable links, we recreated the steps hackers took to create these AMOS AI links. 

ChatGPT has evidently been updated to mitigate this new technique, as the screenshots below will show. However, bypassing these guardrails, as numerous reports explain, is not that difficult and only takes some convincing.

Reports show that cybercriminals usually trick and jailbreak AI platforms by telling them they are a cybersecurity researcher or developer and need to “run some cybersecurity tests.”

In this new AMOS campaign, black hat hackers first asked the AI platforms to create a set of simple instructions for common macOS IT queries, such as “Clean my disk space on a Mac,” as the image below shows. 

A screenshot showing a ChatGPT prompt and response.
To create shareable AI public links, first ask the AI to write what you want. Image: Screenshot, Moonlock. ChatGPT is a trademark of OpenAI.

Next, all they did was click on the “Share” button, found below the AI’s answer.

A screenshot highlighting the Share button on ChatGPT.
To share any AI answer, just click on the Share button at the end of the message. Image: Screenshot, Moonlock.

Once the hackers clicked on “Share,” the AI gave them a public, cloud-hosted link that looked legitimate—because it is.

Shareable links are stored on ChatGPT.com and hosted on OpenAI public servers, making them convincing. The average user would never suspect that these instructions contained a malicious payload.

A screenshot showing the link to shareable content on OpenAI.
ChatGPT, and any other LLM AI, will give you a link to shareable content. This link is hosted on OpenAI servers and starts with www.chatgpt.com. Image: Screenshot, Moonlock. ChatGPT is a trademark of OpenAI.
A screenshot highlighting the shareable link given by ChatGPT.
The shareable link ChatGPT gave us. Image: Screenshot, Moonlock. ChatGPT is a trademark of OpenAI.

As mentioned above, ChatGPT has been updated to mitigate this threat, so when we asked it to replicate the malicious set of instructions that cybercriminals created in this AMOS campaign, it refused. It also added warnings the next time we asked for instructions.

A screenshot of the ChatGPT response.
We asked ChatGPT to recreate the instructions that hackers used in this campaign. It did, but with warnings. Image: Screenshot, Moonlock. ChatGPT is a trademark of OpenAI.

This is obviously good news. Users want companies like OpenAI and XAI to train and update their models according to the latest cybercriminal threats.

How to protect yourself from the AI-ClickFix lure

Other than the new methods outlined above, the rest of the Atomic attack chain and the AMOS stealer malware code are the same. 

This technique may sound sophisticated, but it is not new. It is a variation of a ClickFix lure. The only difference is that this ClickFix technique—where criminals give you a set of instructions to follow on your Mac—is that these instructions are hosted on globally recognized AI platforms. This makes the lure highly convincing because most users trust ChatGPT.com (or Grok) and, by extension, a link that includes their name.

The bottom line? Do not click on sponsored ads, and do not click on shareable links even if they are listed on a Google result page. As long as you don’t, this campaign will have nothing on you. 

As Fergal Glynn, AI Security Advocate and Chief Marketing Officer at Mindgard, told us, “The share feature on AI platforms poses risks of prompt injection attacks.”

The share feature on AI platforms poses risks of prompt injection attacks.

Fergal Glynn, AI Security Advocate and Chief Marketing Officer at Mindgard

“There are risks of bypassing email security,” Glynn added. “Your credentials may be harvested, you may be fed with disinformation, or there is a risk of your data being exposed permanently. Attackers prepare conversations that show you only portions while hiding their manipulations.”

ClickFix instructions, whether they are hosted on an AI server, hosted on a normal website, sent via email, or pop up on your computer or browser, usually contain a coded script that hackers ask you to paste into your terminal. Sometimes, they even offer simpler instructions, such as “click and drag.”

Both of these methods bypass your Mac’s security guardrails and tell your Mac that it is safe to download a specific payload. This payload will then unbundle with the AMOS stealer. 

“Execute Terminal commands only after verifying them properly,” said Glynn. “To save yourself from your credentials being stolen, use password managers.”

“Legitimate Apple staff don’t request you use shady base64 commands, so if it feels suspicious, trust your instinct,” Glynn added.

Finally, use strong antivirus software like Moonlock to prevent AMOS from infecting your Mac and remove it if your Mac has already been infected.

Final thoughts 

AMOS, and the other half a dozen new macOS stealers in the wild, all rely on social engineering to hack your computer. By staying updated on what the new vectors of malware distribution are—in this case, AI shareable public links—you can shut down the entire attack chain.

Disclosure note: We asked xAI, the developer of Grok, for their thoughts on this new AMOS technique, what they thought about the entire situation, and if they had any advice for the Mac user community. Their response was, “Legacy Media Lies.” If that’s an anagram, we are still trying to figure it out.  

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac and macOS are trademarks of Apple Inc. ChatGPT is a trademark of OpenAI.

MoonLock Banner
Ray Fernandez

Ray Fernandez

Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.
Promo Banner

You might also like

Apple and Google are warning users about new Predator spyware: Header image
Apple and Google are warning users about new Predator spyware
Dec 12, 2025
7 min read
New Mac malware DigitStealer can steal your files, passwords, and browser data: Header image
New Mac malware DigitStealer can steal your files, passwords, and browser data
Nov 28, 2025
8 min read
ClickFix malware is infecting Macs via Facebook ads for fake AI apps: Header image
ClickFix malware is infecting Macs via Facebook ads for fake AI apps
Nov 21, 2025
6 min read