AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers
A sophisticated campaign using typo-squatted 'Spectrum' domains has been uncovered, spreading a new Atomic macOS Stealer (AMOS) variant. The attack, disguised as a CAPTCHA verification, employs dynamic payloads based on the victim's operating system. For macOS users, a malicious shell script steals system passwords and downloads an AMOS variant. The script uses native macOS commands to harvest credentials, bypass security, and execute malicious binaries. Russian-language comments in the source code suggest involvement of Russian-speaking cybercriminals. The campaign's delivery sites show flawed logic, indicating hasty assembly. This multi-platform social engineering attack targets both consumer and corporate users, highlighting an increasing trend in cross-platform threats.
AI Analysis
Technical Summary
This threat describes a campaign leveraging typo-squatted domains mimicking legitimate 'Spectrum' branded websites to distribute a new variant of the Atomic macOS Stealer (AMOS). The delivery pages present a fake CAPTCHA verification in the ClickFix style: the victim is told to copy a command and run it in Terminal to complete the check, which makes the user, not a browser download, the execution vector. The page selects the payload by the visitor's operating system, and the macOS branch is the focus of the analysis. On macOS the payload is a shell script that uses native macOS commands to harvest the system password and credentials, sidestep security controls, and download and execute the AMOS stealer binary. Russian-language comments in the source code suggest Russian-speaking operators. Although the delivery sites contain flawed logic, indicating hasty assembly, the attack remains effective because the social engineering works across platforms and targets both consumer and corporate users. The observed behaviour maps to MITRE ATT&CK techniques including Credentials from Password Stores (T1555), Command and Scripting Interpreter (T1059), User Execution (T1204), and Obfuscated Files or Information (T1027). Indicators of compromise include the domains applemacios.com, panel-spectrum.net, rugmel.cat, and spectrum-ticket.net, used to host or deliver malicious content, and one file hash. The campaign exploits no software vulnerability, so there is no patch to apply; its reach depends on how many users can be talked into running the command, which the dynamic, OS-aware delivery is designed to maximize.
Potential Impact
For European organizations, this campaign poses a significant risk, especially to macOS users in corporate and consumer environments. Because the ClickFix lure has the victim paste and run the command themselves, the payload is never downloaded through the browser and so escapes the quarantine and Gatekeeper checks that would apply to a downloaded application. Theft of the login password and stored credentials can lead to unauthorized access to sensitive systems, data breaches, and lateral movement within networks, and can facilitate follow-on attacks such as ransomware deployment, espionage, or data exfiltration. Since the lure depends only on the user's cooperation, even well-defended environments are exposed if users are deceived into executing the script. The delivery sites select the payload by operating system, so while macOS users are the primary target, users of other platforms may also be served malicious content. The typo-squatted domains add phishing and brand-impersonation risk, undermining trust in legitimate Spectrum-branded services. Organizations with remote or hybrid workforces using macOS devices face elevated risk of credential theft and subsequent compromise. The Russian-language comments in the source point to Russian-speaking operators, which may raise additional concern for sectors critical to national infrastructure or other sensitive industries in Europe.
Mitigation Recommendations
1. Block and alert on the campaign's domains (applemacios.com, panel-spectrum.net, rugmel.cat, spectrum-ticket.net) at the DNS resolver and web proxy, and monitor resolver logs for other Spectrum look-alike domains.
2. Deploy endpoint detection and response (EDR) on macOS devices that flags shell scripts launched from Terminal shortly after a browser visit, shells that fetch remote content and pipe it into an interpreter, and native macOS commands invoked to collect the user's login password.
3. Educate users on the ClickFix pattern: no legitimate CAPTCHA or verification step ever asks you to copy a command into Terminal. Run phishing simulations that reproduce this lure.
4. Enforce multi-factor authentication (MFA) across all systems to limit what a stolen password is worth.
5. Regularly audit authentication logs and credential usage for signs of compromise or lateral movement, and treat any password entered on an affected host as compromised and rotate it.
6. Apply least privilege so that a script run as the user cannot reach sensitive data or administrative functions on macOS endpoints.
7. Use application allow-listing on macOS devices to prevent unauthorized or unknown script and binary execution.
8. Maintain up-to-date threat intelligence feeds to pick up new domains and hashes as the campaign's infrastructure rotates.
9. For organizations with macOS fleets, deploy macOS-specific security tooling designed to detect and block stealer malware behaviours.
10. Establish incident response plans that include rapid containment and credential-rotation steps for stealer incidents.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Denmark, Ireland
Indicators of Compromise
- hash: eaedee8fc9fe336bcde021bf243e332a
- domain: applemacios.com
- domain: panel-spectrum.net
- domain: rugmel.cat
- domain: spectrum-ticket.net
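The following IoC sweep is an added example (not code from CloudSEK, AlienVault, or this page) that applies recommendations 1 and 8 to the indicators listed above. It matches DNS resolver log lines against the four campaign domains, flags any other registrable domain that embeds the Spectrum brand and is not on an allow-list (a generalization of the typo-squat pattern beyond the four published domains), and checks files against the published hash, which is treated as MD5 on the strength of its 32-hex-digit length. The log lines, the dnsmasq-style line format, and the allow-listed domains spectrum.com and spectrum.net are constructed assumptions for the example.

```python
"""IoC sweep for the Spectrum-themed AMOS/ClickFix campaign (added example).

Matches DNS query logs against the campaign's domain IoCs, flags Spectrum
look-alike domains that are not allow-listed, and checks files against the
published hash.
"""
import hashlib
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Domain and hash IoCs as published on this page.
IOC_DOMAINS = {
    "applemacios.com",
    "panel-spectrum.net",
    "rugmel.cat",
    "spectrum-ticket.net",
}
# The page labels this only as "hash"; 32 hex digits, so it is treated as MD5.
IOC_MD5 = {"eaedee8fc9fe336bcde021bf243e332a"}

# Assumption: legitimate Spectrum properties an organisation would allow-list.
# Placeholders for the example; replace with the real allow-list.
BRAND = "spectrum"
ALLOWED_BRAND_DOMAINS = {"spectrum.com", "spectrum.net"}


def registrable(domain: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for the TLDs in the IoC
    list; use a public-suffix library for multi-label suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain: str) -> Optional[str]:
    """Return a verdict for a queried name, or None if nothing is suspicious."""
    d = domain.lower().rstrip(".")
    reg = registrable(d)
    if d in IOC_DOMAINS or reg in IOC_DOMAINS:
        return "ioc-match"          # exact campaign infrastructure
    if reg in ALLOWED_BRAND_DOMAINS:
        return None                 # legitimate brand property
    # Look-alike heuristic: brand string embedded in an unapproved registrable
    # domain, the pattern behind spectrum-ticket.net and panel-spectrum.net.
    if BRAND in reg:
        return "brand-lookalike"
    return None


# Constructed dnsmasq-style format: "query[TYPE] name from client".
DNS_LOG_LINE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)"
)


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, name, verdict) for every suspicious query in the log."""
    hits = []
    for line in lines:
        m = DNS_LOG_LINE.search(line)
        if not m:
            continue
        verdict = classify_domain(m["name"])
        if verdict:
            hits.append((m["client"], m["name"].lower().rstrip("."), verdict))
    return hits


def md5_is_ioc(data: bytes) -> bool:
    """True if the MD5 of `data` is a published campaign hash."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


def md5_hits(paths: Iterable[str]) -> List[str]:
    """Return the paths whose content matches a published hash."""
    return [str(p) for p in paths if md5_is_ioc(Path(p).read_bytes())]


# Constructed sample resolver log for the example.
SAMPLE_DNS_LOG = """\
Jun  4 20:28:01 dnsmasq[311]: query[A] www.spectrum.net from 10.0.0.12
Jun  4 20:28:05 dnsmasq[311]: query[A] spectrum-ticket.net from 10.0.0.12
Jun  4 20:28:07 dnsmasq[311]: query[A] applemacios.com from 10.0.0.12
Jun  4 20:28:09 dnsmasq[311]: query[A] my-spectrum-login.example from 10.0.0.45
Jun  4 20:28:11 dnsmasq[311]: query[AAAA] cdn.example.org from 10.0.0.45
""".splitlines()

if __name__ == "__main__":
    for client, name, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client}\t{name}\t{verdict}")
```

On a real resolver log, call `scan_dns_log(open(path))` and feed the `md5_hits` function the contents of users' Downloads folders or your EDR's file inventory. The look-alike heuristic will produce false positives on legitimate third-party names that happen to contain the brand, so use it to triage and to seed the allow-list, not to auto-block; the exact IoC matches are safe to block outright.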
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.cloudsek.com/blog/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers
- Pulse Id: 68409d645a8736dcd88da7d5
Threat ID: 6840ac70182aa0cae2bd7373
Added to database: 6/4/2025, 8:28:32 PM
Last enriched: 7/6/2025, 9:42:36 PM
Last updated: 7/31/2025, 7:25:27 AM