Hiding in GitHub

June 23, 2025, 11:09 p.m.

Description

An AMOS malware campaign has been discovered using GitHub repositories to distribute malicious files. The attackers created a fake Ledger Live app that prompts users to enter their secret phrases, which are then exfiltrated. The malware uses obfuscation techniques, including base64 encoding and custom XOR operations. The campaign targets cryptocurrency users, specifically those using hardware wallets. The malware is distributed through DMG files and ZIP archives containing both x64 and ARM64 versions of AMOS. The attackers use multiple domains for command and control, and the malware performs checks to detect virtual environments.
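The description mentions two things an analyst acts on: layered base64/XOR obfuscation of strings, and file hashes. The following Python is an added example, not code from the page or from any vendor report on this campaign. It assumes the simplest layering (XOR with a repeating key, then base64) and a single-byte key for the brute-force helper; the real AMOS routine is described only as "custom XOR", so the key, key length and ordering here are assumptions. The sample payload and key are constructed for the demonstration. The SHA-256 set is taken from the Indicators section of this page.

```python
import base64
import hashlib
from typing import Iterable, List

# SHA-256 file indicators as listed on this page (not constructed).
PAGE_SHA256 = {
    "d46bbb399b19e476cc9c09db4b6a42fe4741439c88bafb8e6d9ed47061f2d315",
    "9f8c5612c6bfe7ab528190294a9d5eca9e7dec3a7131463477ae103aeec5703b",
    "2b7e58d66e0d3f55c4a3e0e23ca51b2e13e654874379fb57c63ae6af9167c0b5",
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    call both applies and removes the layer."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: bytes, key: bytes) -> str:
    """Assumed layering used to build a test fixture: XOR first, then base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> bytes:
    """Reverse the assumed layering: base64-decode, then XOR with the key."""
    return xor_bytes(base64.b64decode(blob), key)


def brute_single_byte_key(blob: str, marker: bytes) -> List[int]:
    """Analyst helper: when the key is unknown but a likely plaintext fragment
    is (e.g. b"http"), try every single-byte key and return the candidates
    whose output contains that fragment."""
    raw = base64.b64decode(blob)
    return [k for k in range(256) if marker in xor_bytes(raw, bytes([k]))]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_matches(data: bytes, indicators: Iterable[str] = PAGE_SHA256) -> bool:
    """True if the SHA-256 of data is in the indicator set (e.g. a downloaded
    DMG or ZIP being triaged)."""
    return sha256_hex(data) in {h.lower() for h in indicators}


# Constructed fixture: a made-up C2-style string and a made-up one-byte key.
SAMPLE_PLAINTEXT = b"https://example.invalid/api"
SAMPLE_KEY = b"\x5a"
SAMPLE_BLOB = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("obfuscated:", SAMPLE_BLOB)
    print("recovered: ", deobfuscate(SAMPLE_BLOB, SAMPLE_KEY))
    print("key candidates:", brute_single_byte_key(SAMPLE_BLOB, b"https://"))
    print("IoC match:", sha256_matches(b"not one of the listed files"))
```

The brute-force helper is the part worth keeping in a toolkit: obfuscated strings in a sample rarely come with their key, but a known fragment such as a URL scheme or file extension usually pins a short key down immediately. Hash matching is only as good as the indicator list, so treat a non-match as "unknown", not "clean".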

Date

  • Created: June 20, 2025, 7:25 p.m.
  • Published: June 20, 2025, 7:25 p.m.
  • Modified: June 23, 2025, 11:09 p.m.

Indicators

  • d46bbb399b19e476cc9c09db4b6a42fe4741439c88bafb8e6d9ed47061f2d315
  • 9f8c5612c6bfe7ab528190294a9d5eca9e7dec3a7131463477ae103aeec5703b
  • 2b7e58d66e0d3f55c4a3e0e23ca51b2e13e654874379fb57c63ae6af9167c0b5

Attack Patterns

  • AMOS