Threat Actors Use ChatGPT And Grok To Deliver AMOS Stealer
On Feb. 11, 2026, security researchers reported threat actors abusing shareable ChatGPT and Grok conversations and promoting them via Google Search ads to trick macOS users into running Terminal commands that install the Atomic macOS Stealer (AMOS). The campaign combines LLM conversation sharing, paid-search distribution, and social engineering to make malware delivery appear legitimate. Organizations should monitor ad placements and warn users against executing unverified Terminal commands.
Key Points
- 1Exploit campaigns use shareable ChatGPT/Grok conversations and Google Search ads to distribute AMOS macOS stealer.
- 2Attackers blend trusted LLM platforms and paid-search to normalize malicious commands, increasing victim trust and success.
- 3Defenders must monitor ad channels, restrict executing unknown Terminal commands, and educate macOS users immediately.
Scoring Rationale
Novel attack vector and high practitioner relevance; limited independent verification and primarily targeted at macOS users.
Sources
Public references used for this report.
Practice with real Ad Tech data
90 SQL & Python problems · 15 industry datasets
250 free problems · No credit card
See all Ad Tech problems

