Infostealer Hits ChatGPT Shares: How ClickFix Scams Are Using Shared Chats to Deliver macOS Malware

What happened — the attack in plain English

Threat actors created convincing “how-to” pages that appear on chatgpt.com/share/… by publishing public ChatGPT conversations. Those shared chats were promoted via paid search ads that look legitimate to users searching for “ChatGPT Atlas for macOS.” When clicked, the link opens the official ChatGPT site and displays a step-by-step installation guide that instructs the user to copy/paste a single Terminal command.

That command downloads and runs a script from a malicious server. The script prompts for the user’s macOS password and—if entered—uses those credentials to install a macOS infostealer known as AMOS (Atomic macOS Stealer) and a backdoor that survives reboots.

Why this trick works

• Trusted domain: The page lives on the official ChatGPT domain (via the chat-sharing feature), which lends instant credibility.
• Human-friendly instructions: The guide is formatted and conversational, mimicking real help docs.
• Terminal is intimidating but accepted: Many users don’t view running Terminal commands as the same risk as downloading an .exe, so they comply.
• Prompt engineering: Attackers coaxed ChatGPT to produce the precise guide and then sanitized the conversation so it looks innocuous.

What AMOS steals — and why it’s dangerous

AMOS is an information-stealer that harvests:

• Browser cookies, saved passwords and session data (Chrome, Firefox, etc.)
• Crypto wallet data (Electrum, Coinomi, Exodus)
• Files from Desktop, Documents, Downloads and Notes
• Credentials and other sensitive artifacts

Stolen data is uploaded to the attacker’s server. The accompanying backdoor enables remote control, additional payloads, and persistent exfiltration.

Attack vector: the ClickFix pattern

Security teams call this a variant of a ClickFix attack: social engineering that convinces users to run shell commands (copy-paste) to “fix” something. Historically ClickFix has been used for fake CAPTCHA solutions or bogus utilities—now attackers are using it for macOS infostealers and backdoors.

Two platform failures in one

This campaign exposes a tricky gap: services that let users publish content on their own domains (shared docs, chats, forms) can be used as malware distribution vectors. Add paid search ads that hide full target URLs and you get a highly convincing trap on an otherwise trusted domain.

Practical steps to stay safe — immediate and enterprise guidance

For everyone

• Never paste shell commands into Terminal from an untrusted source. If a site tells you to run a command, close the page.
• Ask an expert: if the instructions look legitimate but you’re unsure, copy the command into an AI or a secure sandbox and ask what it does—don’t execute it directly.
• Install reputable anti-malware for macOS and keep the OS and apps updated.
• Enable macOS security features (System Integrity Protection, Gatekeeper) and limit admin access—use a standard account for daily use.

For IT teams and enterprises

• Enforce least privilege—do not grant admin rights to users by default.
• Block or log copy/paste of suspicious commands via endpoint controls where possible.
• Roll out user training specifically around ClickFix-style social engineering and “run this in Terminal” scams.
• Use EDR/XDR solutions that can detect suspicious process creation, unusual network exfiltration, and post-exploitation indicators.
• Harden search ad policies for corporate keywords and monitor paid search results for branded phishing/typosquatting.

Broader takeaways — why this trend matters

The attack shows how threat actors quickly adapt to new tools: AI chat sharing is benign, but attackers repackage it as a distribution channel. Expect similar abuse wherever platforms let users publish on platform-owned domains (shared docs, forms, collaborative pages). Platforms that enable public sharing need to pair that capability with stricter scanning, provenance metadata, and clearer UI signals about who authored shared content.

At the same time, defenders should treat copy-paste commands as a red flag and emphasize operational controls (least privilege, endpoint monitoring, and user training) that reduce the human element attackers exploit.

Final checklist — what to do right now

1. If you clicked a shared chat that told you to run a command, don’t run anything. Close the site and verify the source.
2. Run a full malware scan if you executed unknown commands; consider reinstalling the OS if instructed by malware responders.
3. Change passwords from a separate, clean device and enable multi-factor authentication (avoid SMS MFA where possible).
4. Report malicious shared chats to the platform (OpenAI/ChatGPT) and to search ad providers if the content was promoted via an ad.