Infostealers Exploit Shared ChatGPT Pages To Deploy Malware

Kaspersky researchers in 2025 uncovered a campaign where attackers use paid Google ads to link to shared ChatGPT conversations that host installation instructions for a fake "Atlas" macOS browser. The instructions ask users to paste a shell command that downloads AMOS, an infostealer that exfiltrates browser data, crypto wallets, documents, and installs a persistent backdoor. The campaign highlights abuse of trusted domains and prompts defenses such as blocking shared-chat links and user education.
Key Points
- 1Use paid Google ads to link to chatgpt.com shared chats that host malicious installation commands.
- 2Enable attackers to bypass domain-trust, convincing users to run shell commands and install AMOS infostealer.
- 3Require practitioners to warn users, block shared-chat links, scrutinize paid results and educate on ClickFix dangers.
Scoring Rationale
Verified Kaspersky campaign offering concrete defenses; limited novelty and macOS-focused scope reduce transformational impact for most.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems
