Fake ChatGPT, Grok apps spreading malware: How to stay safe
16 Dec 2025

Cybercriminals are using OpenAI's ChatGPT, as reported by Kaspersky, and xAI's Grok, as reported by Huntress, to spread malware. The malicious software is designed to steal sensitive data from users' devices.

The new attack campaign involves a fake installation guide for the "Atlas browser" for macOS via ChatGPT, which actually leads to malware installation.

Hackers are promoting this malicious activity through paid search ads on Google, luring unsuspecting internet users into downloading the malware.

Grok misused for delivering poisoned search results
Search manipulation

Along with ChatGPT, Grok is also being exploited by cybercriminals to deliver poisoned search results.

These are for troubleshooting queries such as "how to delete system data on Mac" and "clear disk space on macOS."

This tactic is another way hackers are trying to trick users into downloading malware onto their devices.

How the ChatGPT-based cyberattack works
Attack mechanism

The ChatGPT-based cyberattack works by manipulating search results.

If you search for "chatgpt atlas" on Google, a sponsored link likely leads to a webpage titled "ChatGPT(tm) Atlas for macOS - Download ChatGPT Atlas for Mac."

Clicking this link takes you to chatgpt.com, where an installation guide for the "Atlas browser" is presented as real.

However, following these instructions could lead to malware installation on your device.

Warning signs of a malware installation guide
Malware indicators

A telltale sign of a malware installation guide is the message at the top of the chat.

It could read "This is a copy of a conversation between ChatGPT & anonymous," indicating that an anonymous person has chatted with ChatGPT.

Any link to shared chats starts with chatgpt.com/share/. This is usually a malware installation guide for an "infostealer," not one that installs the Atlas browser.

Tips to stay safe from ChatGPT and Grok malware
Safety measures

To protect yourself from these cyber threats, avoid clicking on sponsored search results related to device troubleshooting.

If you don't understand instructions for a tech-based query to an LLM, don't follow them blindly.

Even if a trusted search engine or LLM asks you to execute commands on your device using PowerShell or Terminal, be cautious as it could be a trap set by malicious actors.