Google's search results continue to promote malicious content that tricks users into installing AMOS stealer malware on their Macs, with attackers using Google Docs, Business pages, and poisoned Medium articles to distribute obfuscated commands.
Google's search results continue to serve as a distribution channel for malware targeting Mac users, with a new campaign delivering AMOS stealer malware through poisoned search results and compromised content platforms.
The Attack Vector
The latest campaign, discovered by Vladyslav Kolchin and reported by Olena of Clario, uses Google's own services to spread malicious content. Attackers are leveraging docs.google.com, business.google.com, and Medium articles to host links that lead to malware distribution pages. The attack follows a familiar pattern: users searching for legitimate Mac troubleshooting advice are presented with sponsored results that appear helpful but contain malicious payloads.
When searching for common Mac maintenance queries like "how to clear cache on macOS Tahoe," users may encounter sponsored results leading to Medium articles written under the guise of helpful guides. These articles contain instructions that appear to be legitimate terminal commands but are actually obfuscated malware delivery mechanisms.
How the Malware Works
The malicious payload uses base-64 encoding to hide its true purpose, a technique that has become increasingly common in macOS malware campaigns. When executed, the script downloads and installs AMOS (also known as SOMA), a sophisticated stealer that immediately begins harvesting user data.
The malware demonstrates unusual persistence, operating effectively even in locked-down virtual machine environments. Once installed, it creates several hidden files in the user's home directory:
.agent- An AppleScript designed to facilitate data theft.mainHelper- The primary Mach-O binary executable.pass- A plain text file containing the user's password
Beyond basic file theft, the malware specifically targets the Documents folder and requests access to Notes, attempting to exfiltrate sensitive personal and financial information.
The Pattern Continues
This attack closely mirrors a similar campaign from December 2025 that exploited ChatGPT's search results to distribute identical malware. The consistency in delivery methods and obfuscation techniques suggests the same threat actors may be behind both campaigns, simply adapting their approach to target different AI-powered search platforms.
Protecting Yourself
The fundamental issue is that users are being tricked into bypassing macOS's built-in security protections. Terminal is not designed to execute obfuscated commands from untrusted sources, and curl is being abused to download malware without quarantine attributes.
Key protective measures include:
- Critical evaluation of search results: Sponsored results are promoted for financial reasons, not necessarily because they're trustworthy
- Verification of sources: Look for URLs from recognized Mac specialist sites rather than generic content platforms
- Expansion of shortened links: Use trusted utilities like Link Unshortener from the App Store rather than potentially malicious third-party services
- Understanding commands before execution: Never paste terminal commands without understanding their full implications
- Recognition of obfuscation red flags: Base-64 encoding and curl commands should trigger immediate suspicion
The Broader Context
This campaign highlights the ongoing challenge of securing users against social engineering attacks that exploit legitimate platforms. Google's search results, Medium's publishing platform, and other trusted services are being weaponized because they provide credibility to malicious content.
The persistence of these attacks, despite previous coverage and awareness efforts, suggests that the economic incentives for malware distribution remain strong. As long as users continue to trust search results and follow instructions without verification, attackers will continue to exploit these trust relationships.
The irony of naming a malware campaign after Marek's disease, which affects chickens, isn't lost on security researchers who note that users are being "plucked" of their data through these sophisticated social engineering attacks.
For Mac users, the lesson remains consistent: trust must be earned through verification, not assumed through search engine placement or platform association. The convenience of following search results must be balanced against the critical need to validate sources and understand the implications of executing commands on your system.
Comments
Please log in or register to join the discussion