Hiding in GitHub

Medium
Published: Fri Jun 20 2025 (06/20/2025, 19:25:55 UTC)
Source: AlienVault OTX General

Description

An AMOS malware campaign has been discovered utilizing GitHub repositories to distribute malicious files. The attackers created a fake Ledger Live app that prompts users to enter their secret phrases, which are then exfiltrated. The malware uses obfuscation techniques, including base64 encoding and custom XOR operations. The campaign targets cryptocurrency users, specifically those using hardware wallets. The malware is distributed through DMG files and ZIP archives, containing both x64 and ARM64 versions of AMOS. The attackers use multiple domains for command and control, and the malware performs checks to detect virtual environments.

AI-Powered Analysis

Last updated: 06/21/2025, 13:07:21 UTC

Technical Analysis

The "Hiding in GitHub" campaign involves the AMOS malware family leveraging GitHub repositories to distribute malicious payloads targeting macOS users, specifically cryptocurrency holders using hardware wallets. The attackers masquerade as a legitimate Ledger Live application, a popular interface for managing Ledger hardware wallets, to trick victims into entering their secret recovery phrases. These phrases are then exfiltrated to attacker-controlled infrastructure. The malware is distributed primarily via DMG files and ZIP archives containing both x64 and ARM64 binaries, ensuring compatibility with a broad range of macOS devices. To evade detection, the malware employs multiple obfuscation techniques, including base64 encoding and custom XOR operations, complicating static and dynamic analysis. It also performs environment checks to detect virtual machines or sandbox environments, likely to avoid analysis by security researchers. Command and control (C2) communications are conducted over multiple attacker-controlled domains, enhancing resilience and complicating takedown efforts. The campaign uses several MITRE ATT&CK techniques such as credential dumping (T1056.001), masquerading (T1036.005), user execution (T1204.002), hardware wallet tampering (T1553.002), command execution (T1059.002), obfuscated files or information (T1027), and data exfiltration over C2 channels (T1071.001). Although no CVE or known exploits in the wild are reported, the campaign’s sophistication and targeting of high-value cryptocurrency assets make it a significant threat to macOS users involved in crypto asset management.

Potential Impact

European organizations and individuals involved in cryptocurrency trading, asset management, or development of blockchain technologies face substantial risks from this campaign. The theft of secret recovery phrases can lead to irreversible loss of cryptocurrency assets, financial damage, and reputational harm. Organizations supporting cryptocurrency services or hardware wallet distribution may experience indirect impacts through customer trust erosion and potential regulatory scrutiny. The use of GitHub as a distribution vector also raises concerns about supply chain security and the potential for similar tactics to be adopted against other software projects. Given the campaign targets macOS platforms, organizations with macOS endpoints, especially those used by developers or crypto professionals, are at risk. The malware’s evasion techniques and multi-architecture support increase the likelihood of successful infection and persistence. Additionally, the campaign’s use of multiple C2 domains complicates incident response and containment efforts. While the campaign currently targets individual users primarily, the potential for lateral movement or broader organizational compromise exists if infected devices are connected to corporate networks.

Mitigation Recommendations

1. Implement strict verification procedures for downloading cryptocurrency-related applications, especially Ledger Live or similar wallet management software. Users should only download software from official vendor websites or verified app stores rather than third-party repositories like GitHub.
2. Employ endpoint protection solutions capable of detecting obfuscated malware and monitor for suspicious behaviors such as unusual network connections to multiple unknown domains.
3. Enforce application whitelisting on macOS endpoints to prevent execution of unauthorized DMG or ZIP files containing untrusted binaries.
4. Educate users about the risks of entering secret recovery phrases into any application other than the official wallet software and emphasize the irreversibility of cryptocurrency transactions.
5. Monitor network traffic for connections to known malicious C2 domains associated with this campaign and block them at the perimeter.
6. Use threat intelligence feeds to update detection signatures with the provided file hashes and indicators of compromise.
7. Conduct regular audits of GitHub repositories used internally or by partners to detect any unauthorized or malicious uploads.
8. Deploy macOS-specific security tools that can detect virtual environment evasion attempts and anomalous process behaviors.
9. Encourage multi-factor authentication and hardware security modules for organizational cryptocurrency holdings to reduce reliance on secret phrases alone.
10. Maintain incident response plans that include procedures for cryptocurrency theft scenarios and coordinate with law enforcement where appropriate.
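As an added defensive example (not code from the pulse or from the referenced write-up), the following Python sweep puts recommendation 6 into practice: it hashes DMG and ZIP files under a directory and matches them against the file hashes listed in this page's Indicators of Compromise section. The pulse does not label each value's algorithm, so the script infers MD5/SHA-1/SHA-256 from digest length (an assumption), and the directory to scan is whatever the caller supplies.

```python
import hashlib
from pathlib import Path

# IoC values copied from this page; the pulse does not name the algorithm, so hex length identifies it.
IOC_HASHES = {
    "34a192d4efbccede2362bc7bf84d1398",
    "2b7e58d66e0d3f55c4a3e0e23ca51b2e13e654874379fb57c63ae6af9167c0b5",
    "9f8c5612c6bfe7ab528190294a9d5eca9e7dec3a7131463477ae103aeec5703b",
    "d46bbb399b19e476cc9c09db4b6a42fe4741439c88bafb8e6d9ed47061f2d315",
    "6a403f0aef43253921d6a54c25931df697b09791",
}
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_iocs(iocs):
    # Group IoC values by algorithm; malformed values are returned separately, not dropped silently.
    grouped, unknown = {}, []
    for value in (v.strip().lower() for v in iocs):
        algo = HASH_ALGOS.get(len(value))
        if algo is None or set(value) - set("0123456789abcdef"):
            unknown.append(value)
        else:
            grouped.setdefault(algo, set()).add(value)
    return grouped, unknown


def digest_file(path, algos, chunk_size=1 << 20):
    # Compute every required digest in one pass so large DMGs are read only once.
    hashers = {algo: hashlib.new(algo) for algo in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests, grouped):
    # Return (algorithm, value) of the first digest present in the IoC set, else None.
    for algo, value in digests.items():
        if value in grouped.get(algo, ()):
            return algo, value
    return None


def scan_directory(root, iocs=IOC_HASHES, suffixes=(".dmg", ".zip")):
    # Hash every DMG/ZIP under root and list those matching a campaign IoC.
    grouped, _unknown = classify_iocs(iocs)
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hit = match_digests(digest_file(path, grouped), grouped)
            if hit:
                hits.append((str(path), *hit))
    return hits
```

Calling `scan_directory("~/Downloads")` after expanding the path returns a list of (path, algorithm, digest) tuples for any archive whose hash appears in the pulse; a hit is a reason to isolate the host and check whether the file was ever opened.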

Technical Details

Author: AlienVault
TLP: white
References: https://medium.com/walmartglobaltech/amos-hiding-in-github-199eabea6605
Adversary: AMOS
Pulse Id: 6855b5c3b1b7afa76a4cd25d
Threat Score: null

Indicators of Compromise

Hash

Value
34a192d4efbccede2362bc7bf84d1398
2b7e58d66e0d3f55c4a3e0e23ca51b2e13e654874379fb57c63ae6af9167c0b5
9f8c5612c6bfe7ab528190294a9d5eca9e7dec3a7131463477ae103aeec5703b
d46bbb399b19e476cc9c09db4b6a42fe4741439c88bafb8e6d9ed47061f2d315
6a403f0aef43253921d6a54c25931df697b09791

Threat ID: 68568e6baded773421b59ad8

Added to database: 6/21/2025, 10:50:19 AM

Last enriched: 6/21/2025, 1:07:21 PM

Last updated: 8/14/2025, 4:00:08 PM
