Infostealer has entered the chat www.kaspersky.com/blog/shar…
A new wave of ClickFix attacks spreading a macOS infostealer are posting malicious user guides on the official ChatGPT website by piggybacking the chatbot’s chat-sharing feature.
To attract victims, the malicious actors place paid search ads on Google. Clicking the ad does indeed open chatgpt.com, and the victim sees a brief installation guide for the “Atlas browser”. The careful user will immediately realize this is simply some anonymous visitor’s conversation with ChatGPT, which the author made public using the Share feature. However, a less careful or just less AI-savvy visitor might take the guide at face value — especially since it’s neatly formatted and published on a trustworthy-looking site.
Notably, the malicious actors used prompt engineering to get ChatGPT to produce the exact guide they needed, and were then able to clean up their preceding dialog to avoid raising suspicion.
To install the “Atlas browser”, users are instructed to copy a single line of code from the chat, open Terminal on their Macs, paste and execute the command, and then grant all required permissions. If the user falls for the ruse, a common infostealer known as AMOS (Atomic macOS Stealer) will launch on their computer.
