AMOS Stealer delivered via Cursor AI agent session
On April 23, 2026, Field Effect MDR identified AMOS Stealer malware delivered through a novel technique exploiting Cursor AI agent sessions running Claude Code. The attack employed social engineering to manipulate operators into prompting the AI agent to download and execute malicious AppleScript loaders. The heavily obfuscated scripts performed sandbox evasion checks, collected sensitive data including credentials, SSH keys, browser data, and cryptocurrency wallets, then exfiltrated compressed archives to remote servers within two minutes. The malware prompted users for local account credentials through fake macOS system dialogs, subsequently using elevated permissions to install persistent implants masquerading as legitimate system services. This delivery mechanism makes detection challenging as malicious commands blend with typical agentic coding behavior, representing an evolution in AMOS Stealer tactics beyond traditional SEO poisoning methods.
AI Analysis
Technical Summary
On April 23, 2026, Field Effect MDR detected AMOS Stealer malware delivered via a new technique exploiting Cursor AI agent sessions running Claude Code. The attack leverages social engineering to manipulate operators into prompting the AI agent to execute malicious AppleScript loaders. These heavily obfuscated scripts evade sandbox detection, harvest sensitive information including credentials, SSH keys, browser data, and cryptocurrency wallets, and exfiltrate compressed archives to remote servers within two minutes. The malware also uses fake macOS system dialogs to obtain local account credentials, then uses elevated permissions to install persistent implants masquerading as legitimate system services. This novel delivery mechanism blends malicious commands with typical AI agent coding behavior, making detection challenging and representing an evolution in AMOS Stealer delivery tactics beyond traditional SEO poisoning methods. Indicators include multiple IP addresses, domains, URLs, and file hashes associated with the malware infrastructure. No known exploits in the wild or vendor patches are currently documented.
Potential Impact
The malware harvests highly sensitive data including user credentials, SSH keys, browser data, and cryptocurrency wallets, enabling potential credential theft and financial loss. It achieves persistence on infected macOS systems by installing implants with elevated privileges disguised as legitimate services. The use of social engineering combined with AI agent exploitation complicates detection and response. The rapid exfiltration of compressed data within minutes increases the risk of significant data compromise before detection. This attack vector represents an advancement in AMOS Stealer tactics, increasing the threat to macOS users who interact with Cursor AI agent sessions.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Given the lack of an official fix, organizations should exercise caution when interacting with AI agent sessions, especially those running Claude Code or similar frameworks. Users should be trained to recognize social engineering attempts that prompt them to have the agent execute scripts or commands. Monitoring for suspicious AppleScript execution and unusual network connections to the identified IPs and domains may help detect activity. Restricting the ability of AI agents to execute system-level scripts or commands can reduce risk. Incident response teams should use the provided indicators of compromise (IPs, domains, URLs, hashes) for detection and blocking. Stay updated with Field Effect and other vendor advisories for emerging patches or mitigations.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://fieldeffect.com/blog/field-effect-detects-amos-stealer-delivered-via-cursor-ai-agent-session
- Adversary: null
- Pulse Id: 69ec44ff58f20f2cb01e0a1c
- Threat Score: null
Threat ID: 69ef2218ba26a39fba0e588f
Added to database: 4/27/2026, 8:45:12 AM
Last enriched: 4/27/2026, 9:00:07 AM
Last updated: 4/28/2026, 1:46:01 AM