An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps

    Date: 09/05/2025

    Severity: Medium

    Summary

    Research has uncovered an AMOS (Atomic macOS Stealer) campaign targeting macOS users by disguising malware as “cracked” apps and tricking users into running malicious Terminal commands to bypass Gatekeeper. AMOS steals a wide range of sensitive data—including credentials, browser info, crypto wallets, keychain items, Telegram chats, and Apple Notes—posing serious risks like credential stuffing, financial theft, and deeper enterprise intrusions. Its use of rotating domains helps evade detection, and as macOS gains ground in enterprise environments, organizations must strengthen defenses through user education, endpoint monitoring, and network visibility.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "x5vw0y8h70804254.cfd" or siteurl like "x5vw0y8h70804254.cfd" or url like "x5vw0y8h70804254.cfd" or domainname like "https://sivvino.com" or siteurl like "https://sivvino.com" or url like "https://sivvino.com" or domainname like "https://letrucvert.com/get8/install.sh" or siteurl like "https://letrucvert.com/get8/install.sh" or url like "https://letrucvert.com/get8/install.sh" or domainname like "https://halesmp.com/zxc/app" or siteurl like "https://halesmp.com/zxc/app" or url like "https://halesmp.com/zxc/app" or domainname like "ekochist.com" or siteurl like "ekochist.com" or url like "ekochist.com" or domainname like "dtxxbz1jq070725p93.cfd" or siteurl like "dtxxbz1jq070725p93.cfd" or url like "dtxxbz1jq070725p93.cfd" or domainname like "https://goatramz.com/get4/update" or siteurl like "https://goatramz.com/get4/update" or url like "https://goatramz.com/get4/update" or domainname like "https://goatramz.com/get4/install.sh" or siteurl like "https://goatramz.com/get4/install.sh" or url like "https://goatramz.com/get4/install.sh" or domainname like "toutentris.com" or siteurl like "toutentris.com" or url like "toutentris.com" or domainname like "misshon.com" or siteurl like "misshon.com" or url like "misshon.com" or domainname like "im9ov070725iqu.com" or siteurl like "im9ov070725iqu.com" or url like "im9ov070725iqu.com" or domainname like "riv4d3dsr17042596.com" or siteurl like "riv4d3dsr17042596.com" or url like "riv4d3dsr17042596.com" or domainname like "halesmp.com" or siteurl like "halesmp.com" or url like "halesmp.com" or domainname like "haxmac.cc" or siteurl like "haxmac.cc" or url like "haxmac.cc" or domainname like "jey90080425s.cfd" or siteurl like "jey90080425s.cfd" or url like "jey90080425s.cfd" or domainname like "goipbp9080425d4.cfd" or siteurl like "goipbp9080425d4.cfd" or url like "goipbp9080425d4.cfd"

    Detection Query 2:

    hash IN ("aa534e2fc19c970adc6142cda3f0a3c4309d6e3e", "df92d2aac76ad76edeeb5fade987e1111d2742e7")

    Detection Query 3:

    sha256hash IN ("4a33e10c87795e93c10de3d1a59937909d0093cac937e2a09d3242e7b17a36ce","3ecf98f90cb170475eef315dad43e125b14757d7fbfdd213d5221c4e31467ee9","7a66c1a25b7caee9b6cc26a3199182379b6cdecc8196ac08be9fe03b4d193d6a")
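The three queries above match the raw indicator strings with `like` and `IN`. The following is an added example (not Gurucul's query engine and not code from the advisory) of the normalization a practitioner applies before matching: each URL indicator is split into host and path so that bare domains, scheme-only URLs and path-specific URLs each match correctly (including subdomains of a listed domain), and hashes are routed to the SHA-1 or SHA-256 field by length, mirroring Queries 2 and 3. The record field names (`endpoint`, `url`, `hash`) and the sample records are assumptions; the indicators are a subset of the page's list.

```python
from urllib.parse import urlsplit

# Subset of the advisory's indicators, copied from the page; extend with the rest.
URL_DOMAIN_IOCS = [
    "https://goatramz.com/get4/install.sh",  # path-specific URL
    "https://sivvino.com",                   # URL with no path: treated as a domain
    "halesmp.com",                           # bare domain
]
HASH_IOCS = {  # 40 hex chars = SHA-1 (Query 2), 64 = SHA-256 (Query 3)
    "aa534e2fc19c970adc6142cda3f0a3c4309d6e3e",
    "7a66c1a25b7caee9b6cc26a3199182379b6cdecc8196ac08be9fe03b4d193d6a",
}

def split_indicator(value):
    """Return (host, path); path is None when the value carries no path."""
    parts = urlsplit(value if "://" in value else "http://" + value)
    return (parts.hostname or "").lower(), (parts.path or None)

def match_url(observed, iocs=URL_DOMAIN_IOCS):
    """First indicator the observed URL or hostname matches, else None.
    Hosts match exactly or as a subdomain; a path-bearing indicator also needs its path."""
    host, path = split_indicator(observed)
    for ioc in iocs:
        ioc_host, ioc_path = split_indicator(ioc)
        if (host == ioc_host or host.endswith("." + ioc_host)) and ioc_path in (None, path):
            return ioc
    return None

def match_hash(digest, iocs=HASH_IOCS):
    """Route by digest length to the field the advisory's queries use."""
    digest = digest.lower()
    field = {40: "hash", 64: "sha256hash"}.get(len(digest))
    return field if field and digest in iocs else None

def scan(records):
    """Apply both matchers to records with optional 'url' and 'hash' keys."""
    hits = []
    for rec in records:
        if "url" in rec and (ioc := match_url(rec["url"])):
            hits.append((rec["endpoint"], "url", ioc))
        if "hash" in rec and (field := match_hash(rec["hash"])):
            hits.append((rec["endpoint"], field, rec["hash"].lower()))
    return hits

# Constructed sample records, not real telemetry (assumed field names).
SAMPLE = [
    {"endpoint": "mac-01", "url": "https://goatramz.com/get4/install.sh?v=2"},
    {"endpoint": "mac-02", "url": "cdn.sivvino.com"},
    {"endpoint": "mac-03", "url": "https://halesmp.com.example.org/"},
    {"endpoint": "mac-04", "hash": "AA534E2FC19C970ADC6142CDA3F0A3C4309D6E3E"},
]
```

Running `scan(SAMPLE)` flags mac-01, mac-02 and mac-04 only; the look-alike host on mac-03 does not match because suffix matching is anchored on a dot.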

    Reference:

    https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html


    Tags: Malware, AMOS Stealer, Stealer
