Threat Actors Use ChatGPT And Grok To Deliver AMOS Stealer

On Feb. 11, 2026, security researchers reported threat actors abusing shareable ChatGPT and Grok conversations and promoting them via Google Search ads to trick macOS users into running Terminal commands that install the Atomic macOS Stealer (AMOS). The campaign combines LLM conversation sharing, paid-search distribution, and social engineering to make malware delivery appear legitimate. Organizations should monitor ad placements and warn users against executing unverified Terminal commands.