A sophisticated new campaign is actively compromising macOS developers by impersonating widely used software platforms. The attack employs deceptive websites for the popular open-source package manager Homebrew, the remote access service LogMeIn, and the financial charting platform TradingView. Threat actors are leveraging these convincing fake sites to deliver powerful information-stealing malware such as AMOS and Odyssey. Researchers from the threat hunting company Hunt.io have already identified more than 85 malicious domains being used in this scheme, driving traffic to them, sometimes even through paid Google Search ads.
The campaign relies on a deceptive technique known as “ClickFix,” which persuades users to execute installation commands in their Terminal. The fake sites feature seemingly legitimate download portals and prompt the user to copy and paste a curl command to install the application. For instance, on the fake TradingView sites, the malicious command is disguised as a necessary “connection security confirmation step.” However, clicking the ‘copy’ button places a hidden, base64-encoded installation command into the user’s clipboard instead of the displayed verification ID.
When executed, this deceptive command fetches and decodes an install.sh file. This script then downloads the final malware payload, and crucially, removes quarantine flags to bypass Apple’s security feature, Gatekeeper, allowing the malicious binary to run. The payload, which is either the AMOS or Odyssey stealer, first checks if it is running in a virtual machine or analysis environment to evade detection. It then explicitly uses the sudo command to run as the powerful root user, beginning its malicious activity by gathering detailed hardware and memory information from the host machine.
The malware is designed to operate stealthily, manipulating macOS system services—such as killing OneDrive updater daemons—and interacting with legitimate XPC services to blend its activity with normal processes. After this setup, the information-stealing components activate, systematically harvesting sensitive data. This includes credentials, cookies, and other information stored in web browsers, cryptocurrency wallet data, and other personal files, which are then compressed and exfiltrated to the attackers’ command and control (C2) servers.
The two primary malware families used in this campaign are significant threats. AMOS (Atomic macOS Stealer), a malware-as-a-service (MaaS) available for a hefty subscription, is capable of stealing a wide array of data and was recently updated to include a backdoor component for persistent remote access. The Odyssey Stealer is a newer threat derived from the Poseidon Stealer, which itself was forked from AMOS. Odyssey specifically targets credentials and cookies from Chrome, Firefox, and Safari, over a hundred different cryptocurrency wallet extensions, sensitive Keychain data, and personal files. To stay safe, it’s strongly recommended that users never paste commands into their Terminal unless they fully understand what those commands will execute.
Reference:
