RecklessPush38671

Cyber threat intelligence analyst. Former threat hunter. Former MDR. Former cyber operations. Perpetual screwball. Opinions are my own. I may share my memes, though.
@da_667 The benefits are endless.
@neurovagrant I made a fun 'crystal ball' attribution on some activity last week. When that turned into a 'hands down, no question, smoking gun' attribution this week, NGL, my first thought was to the :got-em: emoji in some certain relevant circles

@neurovagrant You appealed to my boredom and I couldn't resist 😅

I'm not familiar with the earlier stages, but that bin.dreatrithoo[.]online page is a Tycoon 2FA phishing-as-a-service page. Same with those 'Finquick' and 'Flowguide' pages in your results. Tons of 'em out there. Easily the biggest phishing platform out there. Plenty of pivoting potential.

@jtig I was using URLScan Pro. This campaign has come up in the past at work and I've gotten pretty good at finding these pages using URLscan.

FWIW, this seems to be the same campaign that Huntress wrote about last month. The early stages of the attack are different but the rest of it looks to be the same. They go into some good detail about the malware, too.

https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust

AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat | Huntress

Attackers are exploiting user trust in AI and aggressive SEO to deliver an evolved Atomic macOS Stealer. Learn why this social engineering tradecraft bypasses traditional network controls and the future of macOS infostealer defense.


@jtig Here's a few more that are probably from the same campaign. FYI.


@briankrebs One of the laziest login panel hunts ever. 2/10

hxxps[:]//canadablissherbals[.]co/login
hxxps[:]//documentshieldattorneys.com/login

@infoseclogger There's some hiking trails on the east end of the park. I never hiked them so I don't know whether they'd be worth the trek out there.

The Historic Columbia River Highway east of Portland is also really nice (if it's not too close to Portland). It's nice if you can catch it when there isn't much traffic. The Vista House alone almost makes it worth the trip.

@infoseclogger If you're into camping I'd maybe throw in a suggestion to check out Steamboat Rock state park (near Grand Coulee). The campground itself is nice and the canyon it sits in is just gorgeous. Feels more like it should be in Nevada than Washington state.

@GossiTheDog When I set out to find more of the webpages in this campaign, I definitely didn't expect to find a fake Xhamster porn site variant

hxxps[:]//fcontrols[.]pro/xxx.html

(Naughty bits are blurred, but you still probably don't want to view this at work.)

The fullscreen fake Windows update gets triggered by clicking on the fake 'Xhamster wants to show notifications' dialog box.

Didn't have this on my bingo card today.

@McsaMatt Oh I watch this one real closely. Glad to hear I'm not the only one