Breaking 15:45 Global bonds rally as investors shift focus to slowdown fears 15:30 Polymarket bettor loses $650,000 wagering on Iran regime collapse 14:13 Mexican immigrant death in U.S. custody raises concerns over detention conditions 13:50 Pentagon plans ground operations in Iran as war enters second month 13:20 Gold heads for worst month since 2008 as war-driven dollar surge hammers prices 12:25 EU energy ministers to convene Tuesday on Iran war supply crisis 12:20 Dollar nears 10-month high as Iran war stretches into fifth week 12:15 Starcloud hits $1.1 billion valuation as AI space infrastructure grows 11:55 SpaceX launches 119 payloads from California on Transporter-16 rideshare mission 11:45 Egypt urges Trump to end Iran conflict, warns oil could surge above $200 11:40 Researchers build a phonon laser that could one day replace GPS 11:30 Spain closes airspace to U.S. aircraft involved in Iran conflict 11:20 Asian currencies and stocks tumble as Iran war drives oil toward $115 10:55 Gold holds near $3,490 as oil surge dims hopes of Fed rate cuts 10:40 Faouzia performs at Lollapalooza Chicago with new album Film noir 10:15 Kosovo agrees to deploy troops to Gaza in U.S.-led peace initiative 10:08 Cambodia cuts electric vehicle import duties amid global fuel price surge 09:45 Oil tops 116 dollars as Iran conflict fuels record electric‑vehicle demand 09:20 Morgan Stanley backs memory stocks after market selloff triggered by TurboQuant 09:05 Gurman calls Apple’s upcoming foldable iPhone its “most important transformation” ever 08:50 Tech CEOs increasingly cite AI to justify mass layoffs 08:20 The Elder Scrolls: Blades shuts down permanently on June 30, Bethesda pulls it from all platforms 08:15 Pakistan and Afghanistan exchange fire as Islamabad prepares to host US-Iran talks 07:45 Albanese urges clarity from Trump on objectives of Iran war 07:30 US lawmakers urge Taiwan to approve $40 billion defence budget during Taipei visit 07:15 Sanctioned Russian Oil Tanker heads to Cuba as Trump downplays concerns

Chatgpt share feature abused to spread atomic macos stealer

Wednesday 10 December 2025 - 13:20
Chatgpt share feature abused to spread atomic macos stealer

Cybercriminals are weaponizing ChatGPT’s chat sharing feature in a new campaign that installs Atomic macOS Stealer, also known as AMOS, on Apple computers while posing as a guide to a fake “Atlas browser” for macOS. The operation targets a broad audience of macOS users and cybersecurity conscious professionals who rely on search engines and official looking resources to discover new tools and troubleshoot technical issues.​

How the chatgpt share feature is abused

Security analysts report that attackers are publishing polished installation guides for a non existent Atlas browser as shared conversations hosted on the official chatgpt.com domain. These shared chats are stripped of suspicious context and presented as legitimate step by step instructions, making them appear trustworthy to users who reach them via search.​

To drive traffic, the threat actors buy Google ads targeting terms such as “chatgpt atlas,” sending users to chatgpt.com/share URLs that look indistinguishable from genuine OpenAI content. Once on the page, victims are told to copy a single command into the macOS Terminal, framed as a standard installation step for the supposed browser.​

From one line command to full system compromise

The command shown in the shared chat retrieves and runs a script hosted on the domain atlas-extension.com, which acts as the delivery mechanism for AMOS. The script repeatedly prompts the user for their macOS password and, once the correct credentials are provided, uses them to install the malware with elevated privileges and to set up persistence.​

Researchers describe this social engineering method as a variation of the ClickFix technique, in which users are convinced to execute a command presented as a fix, update, or optimization rather than as a threat. In this case, curiosity around an apparently new ChatGPT linked browser is used to override normal caution, especially among users accustomed to pasting commands from technical guides.​

Amos infostealer and its new persistent backdoor

Once installed, Atomic macOS Stealer focuses on harvesting sensitive data, including passwords, cookies, and autofill information from browsers such as Chrome and Firefox, as well as credentials and assets from cryptocurrency wallets including Electrum, Coinomi, and Exodus. The malware also searches Desktop, Documents, and Downloads folders for text, PDF, and DOCX files, and can capture session data from applications like Telegram Desktop and OpenVPN Connect.​

Recent analysis shows newer AMOS variants ship with an integrated backdoor that gives attackers persistent, remote access to infected Macs even after reboots. Cybersecurity firm Moonlock notes this marks only the second globally scaled macOS backdoor operation after previous campaigns linked to North Korean groups, and warns that AMOS has already been detected in attacks across more than 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected.​

Global campaigns and blocked attacks

Threat intelligence reports describe AMOS as one of the most widespread macOS stealers currently in circulation, offered under a malware as a service model to different criminal crews. These groups combine techniques such as malvertising, fake support pages, and now shared AI chats to lure victims into running single line installation commands that bypass normal user skepticism and native security prompts.​

CrowdStrike recently disclosed that its Falcon platform blocked more than 300 attempted intrusions between June and August 2025 involving SHAMOS, a variant of Atomic macOS Stealer developed by the cybercrime group Cookie Spider. Those campaigns relied heavily on fraudulent macOS help sites promoted via online advertising, illustrating how commercial off the shelf stealers like AMOS are being repeatedly repurposed and redistributed through evolving social engineering vectors.​

Mitigation advice for macos users

Security specialists stress that users should never execute Terminal commands copied from unverified chats, search results, or online guides, regardless of whether the content is hosted on a trusted domain. Experts recommend checking any unfamiliar one line command with IT teams or by using independent analysis tools, and verifying software downloads through official vendor websites rather than search ads or intermediaries.​

Defenders advise macOS users, including professionals managing sensitive data or cryptocurrency assets, to run reputable endpoint protection capable of detecting AMOS and similar stealers, to keep systems and browsers updated, and to monitor for unusual access to accounts and wallets. Organizations are also encouraged to train staff about ClickFix style tactics that disguise malicious commands as harmless fixes or productivity enhancements.​

Keywords:



Latest News États-Unis (United States)
  • Fajr
  • Sunrise
  • Dhuhr
  • Asr
  • Maghrib
  • Isha

Newsletter

Subscribe now to the Walaw website newsletter to receive all the latest updates

Email address

Read more

Cybersecurity stocks drop after Anthropic AI model leak Technology Cybersecurity stocks drop after Anthropic AI model leak
Poland and Switzerland strengthen defense cooperation through joint talks News in brief Poland and Switzerland strengthen defense cooperation through joint talks
French university platform hack exposes data of nearly 800,000 users Technology French university platform hack exposes data of nearly 800,000 users
XBOW secures $120 million and integrates AI pentesting with Microsoft Technology XBOW secures $120 million and integrates AI pentesting with Microsoft

This website, walaw.press, uses cookies to provide you with a good browsing experience and to continuously improve our services. By continuing to browse this site, you agree to the use of these cookies.