Mosyle has identified a macOS malware campaign that uses generative AI-assisted code and spreads through a fake AI app download.
The Apple device management firm shared details of the malware and named the campaign SimpleStealth. The attack spreads through a fake website posing as the Grok AI app and tricks users into downloading a malicious macOS installer.
The fake Grok app is distributed through a look-alike website rather than the Mac App Store. According to Mosyle, attackers used the domain xaillc[.]com to impersonate the Grok AI app and prompt users to download a malicious macOS installer named Grok.dmg.
Grok is an AI chatbot developed by xAI and integrated with the X social platform. The app is marketed as a conversational assistant that answers questions, analyzes posts, and generates text.
The app looks and behaves like legitimate software while hidden processes quietly run in the background.
At the time of discovery, Mosyle says the malware went undetected by major antivirus engines. The infection relies on familiar social engineering, prompting users for their system password during what appears to be a routine setup step.
Once that access has been achieved, the malware bypasses macOS quarantine protections and stages its real payload.
Stealth mining hidden behind a fake AI app
Once installed, SimpleStealth deploys a Monero cryptocurrency miner built to stay out of sight. Mining activity only begins when the Mac has been idle for at least a minute and stops as soon as the user returns.
The miner also disguises itself as common macOS system processes such as kernel_task and launchd. That camouflage makes abnormal behavior harder to spot using basic system monitoring tools.
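The process-name camouflage described above is detectable because the real kernel_task and launchd have fixed identities (PID 0 and PID 1, both root, launchd at /sbin/launchd). The following is an added example, not code from Mosyle or AppleInsider, that applies that check to constructed `ps -axo pid=,user=,comm=` output; the file paths in the sample are made up for illustration.

```python
"""Flag processes masquerading as kernel_task or launchd on macOS.

Added example (not Mosyle's or AppleInsider's code). Input is assumed to be
the output of `ps -axo pid=,user=,comm=`; the sample below is constructed.
"""

# Legitimate identities for the two names SimpleStealth is reported to imitate.
EXPECTED = {
    "kernel_task": {"pid": 0, "user": "root"},
    "launchd": {"pid": 1, "user": "root"},
}
# Locations a genuine system daemon may run from; anything else is suspect.
TRUSTED_PREFIXES = ("/sbin/", "/usr/libexec/", "/System/")


def parse_ps(text):
    """Turn `pid user comm` lines into dicts; comm may be a full path."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, user, comm = line.split(None, 2)
        rows.append({"pid": int(pid), "user": user, "comm": comm})
    return rows


def find_impostors(rows):
    """Return (pid, name, reasons) for processes using a system name wrongly."""
    findings = []
    for row in rows:
        name = row["comm"].rsplit("/", 1)[-1]
        if name not in EXPECTED:
            continue
        reasons = []
        if row["pid"] != EXPECTED[name]["pid"]:
            reasons.append(f"pid {row['pid']} != {EXPECTED[name]['pid']}")
        if row["user"] != EXPECTED[name]["user"]:
            reasons.append(f"user {row['user']} != root")
        if row["comm"].startswith("/") and not row["comm"].startswith(TRUSTED_PREFIXES):
            reasons.append(f"untrusted path {row['comm']}")
        if reasons:
            findings.append((row["pid"], name, "; ".join(reasons)))
    return findings


# Constructed sample: two genuine entries, one app, two look-alike miners.
SAMPLE_PS = """\
    0 root   kernel_task
    1 root   /sbin/launchd
  512 alice  /Applications/Grok.app/Contents/MacOS/Grok
 7731 alice  /Users/alice/Library/Caches/.x/kernel_task
 7732 alice  /Users/alice/Library/Caches/.x/launchd
"""

if __name__ == "__main__":
    for pid, name, why in find_impostors(parse_ps(SAMPLE_PS)):
        print(f"suspicious {name} pid={pid}: {why}")
```

On a real Mac, feed the script the live output of `ps -axo pid=,user=,comm=`; the check complements, rather than replaces, the behavioral monitoring mentioned later in the article.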
Mosyle's researchers say the malware code shows clear signs of AI assistance in its structure and comments. The scripts include verbose explanations, repetitive logic, and a mix of English and Brazilian Portuguese.
Those patterns closely match output commonly produced by large language models.
The finding, reported by 9to5Mac, adds weight to concerns that generative AI is speeding up malware development by lowering the technical barrier for attackers. Mosyle warns this shift could lead to a faster cycle of new macOS threats, even if many individual samples remain relatively simple.
How Mac users can reduce their risk
Mosyle advises users to avoid downloading apps from third-party websites, particularly pages that mimic well-known services. Software should be installed only from the Mac App Store or directly from trusted developers using verified domains.
Apple's built-in security protections provide an important baseline, but they are not foolproof. Users should be especially cautious when an app asks for a system password during setup, particularly if the request seems unrelated to the app's main purpose.
For organizations, device management tools and behavioral monitoring can surface suspicious activity traditional antivirus software often misses. But the gap is likely to widen as AI-assisted malware becomes more common.
AppleInsider has contacted Mosyle for more information.