macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain

A new variant of SHub Stealer dubbed 'Reaper' targets macOS users through fake WeChat and Miro installers, employing sophisticated multi-stage delivery chains that spoof Apple, Google, and Microsoft services. The malware leverages the applescript:// URL scheme to bypass Terminal-based defenses, conducting extensive fingerprinting and anti-analysis checks before execution. Reaper harvests browser credentials, cryptocurrency wallets, developer configurations, iCloud data, and Telegram sessions. It includes an AMOS-style document theft module targeting files under 150MB with chunked uploads. The variant establishes persistence through a fake Google Software Update LaunchAgent and installs a backdoor for remote code execution. The infection specifically avoids CIS regions and employs extensive anti-analysis techniques including WebGL fingerprinting, VM detection, and DevTools interference.

Pulse ID: 6a0b51f39a34872f37d37c9f
Pulse Link: https://otx.alienvault.com/pulse/6a0b51f39a34872f37d37c9f
Pulse Author: AlienVault
Created: 2026-05-18 17:52:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #BackDoor #Browser #Cloud #CyberSecurity #Google #InfoSec #Mac #MacOS #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #Telegram #bot #cryptocurrency #AlienVault

Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw

Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tools while instructing users to execute encoded commands or install hidden malicious dependencies. On Hugging Face, repositories host payloads within multistep infection chains disguised as legitimate applications. These campaigns employ social engineering, obfuscation, encryption, in-memory execution, process injection, and persistence techniques to evade detection while establishing covert command-and-control communica...

Pulse ID: 6a01c2363e7f67fcbed473cb
Pulse Link: https://otx.alienvault.com/pulse/6a01c2363e7f67fcbed473cb
Pulse Author: AlienVault
Created: 2026-05-11 11:49:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #CryptoMiner #CyberSecurity #Encryption #HuggingFace #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Rust #SocialEngineering #SupplyChain #Trojan #Windows #bot #AlienVault

Microsoft researchers warn of a new #ClickFix campaign targeting macOS with fake guides on Medium and Craft to deploy AMOS and SHub Stealer via Terminal commands.

Read: https://hackread.com/fake-macos-troubleshooting-sites-steal-icloud-clickfix/

#CyberSecurity #macOS ##AMOS #SHubStealer #Scam

📢 Campagne ClickFix macOS : trois vagues d'infostealers via fausses commandes Terminal
📝 ## 🔍 Contexte

Publié le 6 mai 2026 par la Microsoft Defender Security Resea...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-08-campagne-clickfix-macos-trois-vagues-d-infostealers-via-fausses-commandes-terminal/
🌐 source : https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
#_mainhelper #AMOS #Cyberveille

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.

Pulse ID: 69fb97e43f09a3b9ae3a39b9
Pulse Link: https://otx.alienvault.com/pulse/69fb97e43f09a3b9ae3a39b9
Pulse Author: AlienVault
Created: 2026-05-06 19:35:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #Cloud #CyberSecurity #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #RAT #ScriptExecution #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

AMOS Stealer delivered via Cursor AI agent session

Pulse ID: 69f19249610906a8b5470a4b
Pulse Link: https://otx.alienvault.com/pulse/69f19249610906a8b5470a4b
Pulse Author: Tr1sa111
Created: 2026-04-29 05:08:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111

Video-Tutorial: AMOS hardware sprites & colour palette management
In his latest AMOS video, @yawning_angel explores hardware sprites and demonstrates how to display 32 colours on a 16-colour screen using a hardware sprite.

https://www.amiga-news.de/en/news/AN-2026-04-00130-EN.html

#Amiga #AMOS #video #tutotrial

AMOS Stealer delivered via Cursor AI agent session

On April 23, 2026, Field Effect MDR identified AMOS Stealer malware delivered through a novel technique exploiting Cursor AI agent sessions running Claude Code. The attack employed social engineering to manipulate operators into prompting the AI agent to download and execute malicious AppleScript loaders. The heavily obfuscated scripts performed sandbox evasion checks, collected sensitive data including credentials, SSH keys, browser data, and cryptocurrency wallets, then exfiltrated compressed archives to remote servers within two minutes. The malware prompted users for local account credentials through fake macOS system dialogs, subsequently using elevated permissions to install persistent implants masquerading as legitimate system services. This delivery mechanism makes detection challenging as malicious commands blend with typical agentic coding behavior, representing an evolution in AMOS Stealer tactics beyond traditional SEO poisoning methods.

Pulse ID: 69ec44ff58f20f2cb01e0a1c
Pulse Link: https://otx.alienvault.com/pulse/69ec44ff58f20f2cb01e0a1c
Pulse Author: AlienVault
Created: 2026-04-25 04:37:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #CyberSecurity #ICS #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #RAT #SEOPoisoning #SSH #SocialEngineering #bot #cryptocurrency #AlienVault

Monday Miscellany!

This week:
- #oppression and #rebellion in #Amos
- giving #liberally according to #Paul
- #Bible readings
- #cat tax
- question: #hymns and #giving

Please read, share, and subscribe!

https://open.substack.com/pub/deverbovitae/p/monday-miscellany-463?r=14n9qk&utm_campaign=post&utm_medium=web&showWelcomeOnShare=true

#Amos indicted the #elite women and the religious service of Israel. #Judgment was coming. It would not be pleasant.

04.19 | The Voice 16.16 | #Oppression and #Rebellion | Amos 4:1-5
https://www.venicechurchofchrist.org/voice/oppressionrebellion/