Amos

Malware Profile Updated 18 days ago
AMOS (Atomic macOS Stealer) is an information stealer that targets macOS systems. It steals browser-stored passwords, personal files, and cryptocurrency wallet data, and it runs on both Intel and Apple silicon (M1) Macs, so most of the current Mac install base is exposed. It was first observed in April 2023, when it was advertised for sale on Telegram, and was later distributed at scale by the ClearFake fake-browser-update campaign. Infection typically begins with a deceptive download offered on a project or product webpage; once the user runs the package, the stealer harvests data and ships it to the operator's command-and-control (C2) infrastructure.

The threat actor known as "markopolo" has been identified as a significant AMOS distributor. Using a purported virtual meeting application called Vortax, markopolo delivered three information stealers: Rhadamanthys, Stealc, and Atomic macOS Stealer (AMOS). This campaign has far-reaching implications for macOS security and suggests a potential surge in AMOS attacks: Recorded Future's Insikt Group assesses that other AMOS operators are likely to model future campaigns on markopolo's success, which points to a wider proliferation of AMOS in the wild.

Recorded Future Identity Intelligence and Brand Intelligence surface compromised credentials from AMOS infostealer logs, database breaches, and combo lists; combined with Recorded Future Network Intelligence, they help identify malicious domains and IP addresses associated with AMOS builds. Recorded Future Malware Intelligence can be used to identify and mitigate malicious macOS applications by analysing their connections to AMOS C2 infrastructure. A previous Insikt Group report observed a 79% increase in mentions of macOS malware and exploit kits between 2022 and 2023, a trend likely accelerated by the increased use of the AMOS infostealer.
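Threat-intelligence profiles like this one are normally shared as STIX 2.1 bundles, and the practical question for a defender is how to turn such a bundle into a sweep of their own telemetry for the C2 domains and IPs mentioned above. The following is an added example written for this page, not code from Cybergeist, Recorded Future, or any AMOS research: it parses the comparison expressions out of each live (non-revoked) STIX-pattern indicator, keys the values by observable type, and matches the domain indicators against resolver logs with suffix-aware matching so that a subdomain of an indicator hits but a lookalike that merely embeds the indicator as a prefix does not. The bundle, the `.example` domains, the TEST-NET IP, the SHA-256 value and the log lines are all constructed placeholders, not real AMOS indicators.

```python
"""Consume a STIX 2.1 indicator bundle and sweep DNS logs for its domain indicators."""
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed STIX 2.1 bundle shaped like a profile export. Domains use the RFC 2606
# reserved .example TLD and the IP is from the RFC 5737 TEST-NET-1 range: these are
# placeholders for this example, not real AMOS indicators.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002",
         "name": "AMOS", "is_family": True},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'fake-meeting-dl.example'] OR "
                    "[domain-name:value = 'update-cdn.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.45']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix", "revoked": True,  # stale IOC: must be ignored
         "pattern": "[domain-name:value = 'old-c2.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    ],
})

# One comparison expression inside a STIX pattern: <object-type>:<property> = '<value>'
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def extract_indicators(bundle_json: str) -> Dict[str, Set[str]]:
    """Collect observable values from every live STIX-pattern indicator, keyed by 'type:property'."""
    iocs: Dict[str, Set[str]] = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # yara/snort/sigma patterns need their own engines
        for obj_type, prop, value in COMPARISON_RE.findall(obj["pattern"]):
            prop = prop.replace("'", "")  # hashes.'SHA-256' -> hashes.SHA-256
            iocs.setdefault(f"{obj_type}:{prop}", set()).add(value.lower())
    return iocs


def domain_matches(query: str, domains: Set[str]) -> str:
    """Return the indicator domain that `query` equals or sits under, or '' if none.

    Walks up the label hierarchy so cdn.bad.example matches bad.example, while a
    lookalike such as bad.example.other.example does not (no naive substring search).
    """
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return ""


# Constructed resolver log lines for the example; not from any real incident.
SAMPLE_DNS_LOG = """\
2024-06-20T10:01:02Z client=mac-17 qtype=A query=pkg-mirror.example
2024-06-20T10:01:09Z client=mac-17 qtype=A query=cdn.fake-meeting-dl.example
2024-06-20T10:02:31Z client=mac-04 qtype=A query=old-c2.example
2024-06-20T10:03:00Z client=mac-09 qtype=AAAA query=update-cdn.example.
2024-06-20T10:03:12Z client=mac-09 qtype=A query=fake-meeting-dl.example.lookalike.example
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=\S+ query=(?P<query>\S+)$")


def find_dns_hits(log_text: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, query, matched indicator) for each line resolving an indicator domain."""
    domains = iocs.get("domain-name:value", set())
    hits: List[Tuple[str, str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        matched = domain_matches(m["query"], domains)
        if matched:
            hits.append((m["ts"], m["client"], m["query"], matched))
    return hits


if __name__ == "__main__":
    iocs = extract_indicators(SAMPLE_BUNDLE_JSON)
    for key in sorted(iocs):
        print(f"{key}: {sorted(iocs[key])}")
    for hit in find_dns_hits(SAMPLE_DNS_LOG, iocs):
        print("HIT", *hit)
```

Two details matter in practice: revoked indicators are dropped before matching, since blocking stale C2 domains produces noise once they are sinkholed or re-registered, and the domain comparison walks up the label hierarchy instead of doing a substring search, which is what turns the `fake-meeting-dl.example.lookalike.example` line into a non-hit.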
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Atomic Stealer (4 votes): Atomic Stealer is a macOS information stealer (malware) that infiltrates systems through suspicious downloads, emails, or websites and is designed to steal personal information and credentials from the infected machine. A new version
Atomic Macos Stealer (3 votes): The Atomic macOS Stealer (AMOS) is a powerful new malware that emerged in early 2023, targeting Apple users. It was discovered by Cyble Research and Intelligence Labs (CRIL) in April of the same year when it was advertised for sale on Telegram. AMOS can steal various types of information from infect
Amos Stealer (3 votes): AMOS Stealer is a type of malware that has been causing significant concern due to its adaptability and ability to leverage legitimate services for malicious purposes. This new variant of the AMOS Stealer bears a high degree of similarity to the 2nd variant of RustDoor, particularly in its use of Ap
Clearfake (3 votes): ClearFake is a fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript. Proofpoint first observed the cluster using a cut-and-paste delivery technique in early April 2024. ClearFake's camp
Vidar (2 votes): Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
Stealc (1 vote): Stealc is a malicious software (malware) that specifically targets browser extensions such as password managers and authenticators; it has been growing in popularity on the dark web since its discovery in early 2023. It has been associated with significant cyber-attacks, such as the $7 million heist on the Solana bl
setup.dmg (1 vote): None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Macos, Windows, Infostealer, Payload, Telegram, Malvertising, Android, Malwarebytes, Safari, Vulnerability, Exploit, 1password, Chrome, Israeli, Fbi, Encryption, Bitdefender, Maas, Ransom, Phishing, Docker, Israel, Gbhackers, Google, Dropper, Backdoor, Antivirus, Trojan, Domains, Credentials, At, Linux, Rat, Cybercrime, Zyxel, Ransomware, Github
Associated Malware
Lumma (type: Unspecified; 2 votes): Lumma is a prominent malware, particularly known as an information stealer. It is delivered through various means, including suspicious downloads, emails, and websites. In one instance observed by Palo Alto Networks' Unit 42, Lumma was sent over Latrodectus C2 in an infection chain. In another campa
Rhadamanthys (type: Unspecified; 2 votes): Rhadamanthys is an information stealer (malware) that has been leveraged by the threat actor group TA547 to target German organizations. The malware, which infiltrates systems through suspicious downloads, emails, or websites, steals credentials and other personal information from infected systems.
Akira (type: Unspecified; 1 vote): Akira is a malicious software, or malware, specifically a type of ransomware known for its disruptive and damaging effects. First surfacing in early 2023, it has continued to wreak havoc on various entities, including corporations and industries. This ransomware infects systems through suspicious dow
Netsupport Rat (type: Unspecified; 1 vote): NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t
Fakesg (type: Unspecified; 1 vote): FakeSG is a recently identified malware that uses sophisticated obfuscation and delivery techniques, making it a serious threat. The malware mimics the notorious SocGholish distribution campaign, hence its name - "FakeSG". It has different browser templates, altering its appearance based on the vict
Fakebat (type: Unspecified; 1 vote): FakeBat is a notable malware variant that has been increasingly involved in malvertising campaigns since at least November 2022, as per an early 2023 Intel471 report. This malicious software exploits and damages computers or devices by infiltrating systems through suspicious downloads, emails, or we
Macstealer (type: Unspecified; 1 vote): MacStealer is a malicious software (malware) first observed in March 2023, specifically designed to target macOS devices ranging from Catalina (macOS 10.15) to Ventura (macOS 13), on both Intel CPUs and Apple M1 and M2 silicon. The malware uses the native macOS osascript utility to mimic a legitimate syst
Crossrider (type: Unspecified; 1 vote): Crossrider is a type of malware, specifically an adware variant, that targets and exploits computer systems to cause harm. It infiltrates systems through dubious downloads, emails, or websites, often without the user's knowledge. Once inside, Crossrider can disrupt operations, steal personal informa
Risepro (type: Unspecified; 1 vote): RisePro is a type of malware, specifically an info-stealer, designed to infiltrate and damage computer systems. It operates by exploiting vulnerabilities in a device, often through suspicious downloads, emails, or websites, typically without the user's knowledge. Once inside, RisePro can disrupt ope
Atomic Macos Stealer Amos (type: Unspecified; 1 vote): In April 2023, Cyble Research and Intelligence Labs (CRIL) discovered a new malware named Atomic macOS Stealer (AMOS) being advertised for sale on a Telegram channel. The malware was found to be part of a larger operation involving several other variants such as Vidar, Lumma, and Octo. These threat
Associated Threat Actors
ELECTRUM (type: Unspecified; 2 votes): Electrum, a threat actor identified in cyberattacks against Ukraine on February 1, 2022, is known for its Bitcoin-themed attacks. These attacks often involve the use of PDF delivery documents referencing Electrum Bitcoin wallets, similar to those seen in subsequent attacks in April. The initial load
Associated Vulnerabilities
Atomic Macos Stealer (Amos (type: Unspecified; 4 votes): None
Variant of Rustdoor (type: Unspecified; 1 vote): None
CVE-2023-27532 (type: Unspecified; 1 vote): CVE-2023-27532 is a high-severity vulnerability discovered in Veeam's Backup & Replication software. This flaw, disclosed in March 2023, can be exploited to breach backup infrastructure hosts. Despite its serious implications, it was not added to the Known Exploited Vulnerabilities (KEV) list until
Source Document References
Information about the Amos malware was read from the documents in the corpus listed below (display limited to 20 results).
Source, created at: title
Recorded Future, 18 days ago: Cybercriminal Campaign Spreads Infostealers, Highlighting Risks to Web3 Gaming | Recorded Future
Recorded Future, 18 days ago: The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
InfoSecurity-magazine, a month ago: Fake Meeting Software Spreads macOS Infostealer
Recorded Future, a month ago: The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
Securityaffairs, a month ago: Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs, 2 months ago: Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs, 2 months ago: GitCaught campaign relies on Github and Filezilla to deliver multiple malware
InfoSecurity-magazine, 2 months ago: Russian Actors Weaponize Legitimate Services in Multi-Malware Attack
Securityaffairs, 3 months ago: Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs, 3 months ago: Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs, 3 months ago: Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Recorded Future, 4 months ago: Cybercriminal Campaign Spreads Infostealers, Highlighting Risks to Web3 Gaming | Recorded Future
Securityaffairs, 4 months ago: Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs, 4 months ago: Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs, 4 months ago: Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs, 4 months ago: Security Affairs newsletter Round 463 by Pierluigi Paganini
DARKReading, 4 months ago: Windows SmartScreen Bypass Flaw Exploited to Drop DarkGate RAT
CERT-EU, 5 months ago: Implement Automated Threat Intelligence for Improved Incident Response | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU, 5 months ago: Celebrating Trailblazing Leaders in Cybersecurity | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Securityaffairs, 5 months ago: Security Affairs newsletter Round 462 by Pierluigi Paganini