Dangerous ChatGPT and Grok malware found: What you need to know and tips to stay safe

ChatGPT and Grok are being used for malware attacks

OpenAI’s ChatGPT platform is reportedly being used by cybercriminals to install data-stealing malware (“infostealer”) on devices. According to a report by Kaspersky, a new ChatGPT-based malware campaign related to installing OpenAI’s Atlas browser for macOS is doing the rounds. Hackers are using paid search ads on Google to lure internet users into installing the malware through ChatGPT.

As per a report by Huntress, Grok is also being misused along with ChatGPT to deliver poisoned search results for troubleshooting queries like "how to delete system data on Mac" and "clear disk space on macOS."

Here is how the ChatGPT-based cyberattack works. If you search for “chatgpt atlas” on Google, there are high chances that the first sponsored link that comes up shows you a webpage with the title “ChatGPT™ Atlas for macOS – Download ChatGPT Atlas for Mac”.

Clicking that link (you should not click such sponsored links, by the way) takes you to legitimate chatgpt.com, and there you will see a very short version of an installation guide for the “Atlas browser” masquerading as the real thing. Beware of this installation guide and do not follow the instructions that ask you to copy and paste a certain code.

Additonally, just scan for a message that shows at the top of the chat. It could very well be “This is a copy of a conversation between ChatGPT & anonymous”, which means that it is a chat between an anonymous person with ChatGPT. The private chat could very well have been made public via the Share feature. Any link to shared chats begins with chatgpt.com/share/.

How malware is being distributed via ChatGPT

This is a malware installation guide for an “infostealer” and not the one that installs the Atlas browser. This ChatGPT-based malware guide would ask you to copy, paste, and execute a command in your Mac's Terminal and enable all permissions; if you do that, then the "Atomic macOS Stealer" (AMOS) infostealer will get installed on your system and steal your data.

Apparently, the malicious actors used prompt engineering to create the malware installation guide, deleted the preceding dialogue and made it public.

1. Do not click on device troubleshooting-related sponsored search results on Google, other search engines, as well as on social media platforms.
2. Do not use AI to troubleshoot technical issues with your device.
3. If you don’t understand instructions for your tech-based query to an LLM, do not follow them.
4. Even if a trusted search engine or LLM asks you to execute commands on your device using PowerShell or Terminal, there’s a high risk that it has come from malicious actors.