The macOS threat landscape is evolving, moving away from simple malicious binaries toward sophisticated “trojanization” of the apps we use every day. A recent investigation by Intego Antivirus Labs has exposed a clever campaign delivering the OSX/Amos stealer by hiding it inside what appears to be harmless data.
This latest tactic targets cryptocurrency users by masquerading as a legitimate version of Ledger Live, turning a trusted tool into a digital trap.
During their analysis, researchers encountered a suspicious file that lacked standard executable headers. Instead, it was an Electron ASAR (Atom Shell Archive)—a format increasingly favored by attackers.
Because Electron applications bundle their source code into these archives, hackers are now “replacing the core ASAR archive with a weaponized version that contains malicious logic”. To the untrained eye, it looks like a standard data file, but a quick inspection reveals a “16-byte header followed immediately by a JSON structure beginning with {"files":{…}”.
Once the researchers unpacked the archive, they found the core of the compromise hidden within the application’s entry point. By inspecting the main JavaScript bundle, they discovered a glaring red flag: an explicit TLS validation bypass.
“The ‘smoking gun’ was the presence of an explicit TLS validation bypass: NODE_TLS_REJECT_UNAUTHORIZED = ‘0’”.
As the report points out, “There is no legitimate reason for a production cryptocurrency wallet application to globally disable TLS certificate validation”. This bypass acts as a “reliability layer,” ensuring that the stolen data can be sent to the attacker’s cheap or self-signed infrastructure without triggering security warnings that might alert the victim.
The malware doesn’t just work in the background; it hijacks the user interface. The attackers injected a series of HTML files—like recovery-step-1.html—to create a phishing overlay.
These screens prompt users to “verify” their 12- or 24-word Secret Recovery Phrase. Because of the TLS bypass, when a victim enters their seed phrase, it is “sent to attacker infrastructure—and it succeeds silently because the TLS bypass prevents certificate failures from blocking the request”.
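As an added example (not from Intego's report or the Ledger Live code base), the following Python triage script parses the 16-byte ASAR header described above, walks the bundled files and flags the two indicators the report names: the NODE_TLS_REJECT_UNAUTHORIZED bypass and HTML screens that prompt for a recovery phrase. The archive it scans is constructed inline to mimic the trojanized bundle; the indicator strings and plain substring matching are assumptions made for illustration.

```python
import json
import struct
TLS_BYPASS = b"NODE_TLS_REJECT_UNAUTHORIZED"  # the report's "smoking gun" string
SEED_WORDS = (b"recovery phrase", b"seed phrase", b"12-word", b"24-word")

def parse_asar_header(blob: bytes):
    # ASAR header: [u32 4][u32 header pickle len][u32 string payload len][u32 JSON len][JSON, 4-byte padded]
    if len(blob) < 16 or struct.unpack_from("<I", blob)[0] != 4:
        raise ValueError("not an ASAR archive")
    header_len, _, json_len = struct.unpack_from("<3I", blob, 4)
    header_json = blob[16:16 + json_len]
    if not header_json.startswith(b'{"files":'):
        raise ValueError('ASAR header JSON must begin with {"files":')
    return json.loads(header_json), 8 + header_len  # file data starts right after the header pickle

def walk_files(node, prefix=""):
    # Yield (path, entry) for every file in the nested "files" tree, recursing into directories
    for name, entry in node["files"].items():
        path = f"{prefix}/{name}"
        yield from walk_files(entry, path) if "files" in entry else [(path, entry)]

def triage_asar(blob: bytes):
    # Return [(path, indicator)] for files showing the report's indicators. Assumption:
    # plain substring matching is enough; real samples may minify or obfuscate these strings.
    header, data_start = parse_asar_header(blob)
    findings = []
    for path, entry in walk_files(header):
        start = data_start + int(entry["offset"])  # offsets are strings relative to data start
        content = blob[start:start + entry["size"]]
        if TLS_BYPASS in content:
            findings.append((path, "tls-validation-bypass"))
        if path.endswith(".html") and any(w in content.lower() for w in SEED_WORDS):
            findings.append((path, "seed-phrase-prompt"))
    return findings

def build_asar(files: dict) -> bytes:
    # Minimal flat ASAR writer, present only to construct the offline sample below
    tree, data = {"files": {}}, b""
    for name, content in files.items():
        tree["files"][name] = {"size": len(content), "offset": str(len(data))}
        data += content
    js = json.dumps(tree, separators=(",", ":")).encode()
    pad = -len(js) % 4  # pickle strings are padded to 4-byte alignment
    header_pickle = struct.pack("<II", 4 + len(js) + pad, len(js)) + js + b"\0" * pad
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + data

SAMPLE = build_asar({  # constructed sample mimicking the trojanized bundle, not a real artefact
    "main.js": b"process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';\nrequire('./app');",
    "recovery-step-1.html": b"<h1>Verify your 24-word Secret Recovery Phrase</h1>",
})
```

Running `triage_asar` over an unpacked app's `app.asar` gives a quick first pass; a clean result does not prove the bundle is benign, since the strings can be obfuscated.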
This campaign is a symptom of a much larger trend: a “maturing macOS Malware-as-a-Service ecosystem”. Attackers are no longer just sending suspicious links; they are weaponizing the very frameworks (like Electron) that modern desktop apps are built on.