Insikt Group has uncovered a widespread malicious campaign targeting cryptocurrency users through a fake virtual meeting software called Vortax. Marketed as an advanced, cross-platform enterprise solution with AI features like “MeetingGPT,” Vortax is promoted on social media and maintains a Medium blog with seemingly legitimate content. However, once installed, Vortax deploys three infostealers—Rhadamanthys, Stealc, and Atomic macOS Stealer (AMOS)—in a coordinated attack aimed at cryptocurrency theft.
AMOS is notable because macOS infostealers are less common than those targeting Windows systems. The campaign reflects a growing trend in macOS malware: Insikt Group identified 23 additional malicious macOS applications posing as legitimate software, mainly targeting virtual meetings and cryptocurrency users.
The research also links the Vortax campaign to a previous infostealer operation targeting web3 gaming projects, suggesting that the same threat actor is behind both campaigns. The infostealer AMOS is suspected to be used by a dark web actor identified as “markopolo,” potentially acting as an initial access broker or credential vendor.
To mitigate the risks associated with this campaign, Insikt Group recommends regularly updating detection systems for AMOS, educating users on the dangers of downloading unapproved software, and implementing strict security controls. Users should also be encouraged to report suspicious activities encountered on social media and other platforms to help prevent further infections.