The increasing integration of artificial intelligence into daily digital life has created a landscape where users confidently turn to AI chatbots for quick solutions, from drafting emails to troubleshooting technical issues on their computers. This very trust, however, is being exploited in a new and sophisticated malware campaign that weaponizes the shared chat features of legitimate AI platforms, such as ChatGPT and DeepSeek, to target macOS users with a potent information-stealing threat. This emerging attack vector demonstrates how threat actors are adapting their methods, cleverly embedding malicious instructions within seemingly helpful conversations to bypass conventional security measures and trick unsuspecting individuals into compromising their own systems. The campaign highlights a critical vulnerability not in the AI models themselves, but in the human trust placed in the platforms that host them.
The Anatomy of a Deceptive Attack
Leveraging Trusted Platforms for Malicious Entry
The initial phase of this attack campaign masterfully exploits the trust users place in both major search engines and popular AI services to create a highly effective delivery mechanism. Threat actors begin by setting up sponsored search results on Google that target common user queries related to system maintenance, such as “how to clear storage on Mac.” When an unsuspecting user clicks on one of these malicious sponsored links, they are not directed to a suspicious website but are instead taken to a shared chat session on a legitimate and well-known AI platform. This immediately lowers the user’s guard, as the environment appears safe and familiar. The chat log presents itself as a helpful, step-by-step guide to solving their problem, offering a series of commands to be copied and pasted into the Mac’s Terminal. The true danger lies hidden within these instructions; the attackers embed malicious, base64-encoded commands that are obfuscated to look like benign system operations. This method is particularly insidious because it circumvents the safety protocols of the AI platforms, which are designed to filter out overtly harmful content but may not detect carefully concealed malicious code within a shared conversation. By using these official channels, the attackers turn a trusted source of information into the first stage of a malware infection.
The Multi Stage Infection Process
Once the user is convinced to execute the provided commands, a carefully orchestrated multi-stage infection process is initiated, designed to escalate privileges and deploy the final payload without raising suspicion. The initial base64-encoded command, when run in the Terminal, downloads a secondary bash script from a server controlled by the attackers. This script is the key to the next phase of the attack, as it employs a classic social engineering tactic to steal the user’s credentials. It presents a prompt that mimics a standard system request, asking the user to enter their password to authorize the “changes.” Believing this is a necessary part of the maintenance process they initiated, the user provides their password, which is immediately captured and exfiltrated. With the administrator password in hand, the malware gains the elevated privileges it needs to make deep-seated changes to the operating system. It then uses this newfound power to connect back to the attacker’s command-and-control infrastructure and download the primary malware payload, an information-stealer known as “Shamus.” This sequence effectively bridges the gap from a simple, deceptive command to a full system compromise, all while maintaining the facade of a legitimate procedure.
Unpacking the Shamus Malware
Sophisticated Evasion and Persistence Techniques
The “Shamus” malware, once successfully installed on a macOS system, reveals itself to be a highly sophisticated and evasive threat designed for long-term data exfiltration. Its creators have gone to great lengths to ensure it can operate undetected by common security tools and antivirus software. The payload is protected by multiple layers of obfuscation, making static analysis extremely challenging. It employs a combination of arithmetic and XOR encoding, which scrambles its code into a seemingly nonsensical format. To decode this on the fly, the malware uses a custom 6-bit decoder, a non-standard technique that can easily bypass signature-based detection engines looking for known malware patterns. Beyond its stealth capabilities, “Shamus” is built for persistence. To ensure it remains active even after a system reboot, the malware creates a LaunchDaemon. This is a standard macOS feature used for running background services, but in this case, it is co-opted to automatically execute the malware every time the computer starts up. This persistence mechanism solidifies the attacker’s foothold on the compromised machine, allowing them to continuously monitor the system and steal data over an extended period without requiring any further interaction from the user.
An Insatiable Appetite for Data
The ultimate goal of the “Shamus” malware is comprehensive and indiscriminate data theft, targeting a vast array of sensitive information stored on the victim’s machine. Its data-gathering capabilities are extensive, focusing on credentials, financial assets, and personal communications. The malware is programmed to scour the system for browser data, systematically extracting cookies, saved passwords, and browsing history from popular browsers like Google Chrome and Mozilla Firefox, as well as over a dozen other browsers built on the Chromium engine. It also exhibits a keen interest in digital currency, specifically targeting the local data of 15 different cryptocurrency wallet applications, including Ledger Live, Trezor Suite, and Bitcoin Core, in an effort to steal private keys and drain funds. Perhaps most alarmingly, it exfiltrates the entire macOS Keychain database, a secure container that stores a wide range of passwords, certificates, and other secrets for various applications and online services. The data harvest is rounded out by stealing Telegram session data, VPN configuration profiles, and any personal files found in the user’s Desktop and Documents folders. All of this collected information is then compressed into a single archive, encrypted, and transmitted to the attackers’ remote command-and-control servers for exploitation.
A New Front in Cybersecurity
This campaign represented a notable and concerning evolution in the methods used for malware distribution. The attackers successfully demonstrated how emerging technologies, designed to assist users, could be creatively co-opted to exploit the very trust they were built on. By leveraging the legitimacy of generative AI platforms as a delivery vector, the campaign managed to bypass traditional security perimeters and social-proof its malicious instructions in a way that phishing emails or fake websites often fail to do. The operation underscored a critical shift in the threat landscape, where user vigilance became more important than ever, even when interacting with services from reputable technology companies. The incident served as a stark reminder that as digital tools become more integrated into our problem-solving routines, the avenues for exploitation expand in parallel. Ultimately, this attack highlighted a new front in the ongoing cybersecurity battle, forcing security professionals and platform developers to reconsider the potential for abuse within collaborative and open-ended systems.
