SEO poisoning with legit AI chats delivers AMOS stealer (www.huntress.com)

🤖 AI Summary
A recent cyber attack has highlighted a concerning trend in malware distribution, specifically involving the Atomic macOS Stealer (AMOS). On December 5, 2025, security firm Huntress discovered that victims were unknowingly executing commands to download AMOS after interacting with seemingly legitimate AI-generated troubleshooting conversations on platforms like ChatGPT and Grok. Instead of traditional malware delivery methods like phishing emails or trojanized installers, attackers used search engine optimization (SEO) to rank these malicious conversations at the top of Google search results, effectively tricking users into thinking they were following safe system maintenance advice.

This incident marks a significant evolution in social engineering tactics, as the attack abused users' trust not only in AI technology but also in widely used platforms like search engines. By weaponizing multiple layers of trust, from search result rankings to the authenticity of the conversation format, the attackers made the infection chain virtually indistinguishable from legitimate help. Once a command was executed, the victim unknowingly granted administrative privileges to the malware, allowing it to harvest sensitive information and remain persistent on their systems. This underscores the need for greater awareness and caution regarding seemingly innocuous online interactions that may hide dangerous implications.