Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

A cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised websites.

The operation, dubbed “MacReaper,” uses sophisticated social engineering and blockchain technology to deliver the Atomic Stealer (AMOS) malware, capable of stealing passwords, cryptocurrency wallets, and sensitive information from Apple devices.

Initially discovered on May 4, 2025, through a compromised Brazilian news site, this campaign represents one of the largest coordinated attacks against the MacOS ecosystem.

The campaign employs a deceptive technique known as “ClickFix” or “ClearFix” that displays fake Google reCAPTCHA verification interfaces exclusively to MacOS users.

When visitors click “I’m not a robot,” they’re presented with a verification dialog containing MacOS-specific instructions to open Terminal using familiar Apple keyboard shortcuts (⌘ + Space to open Spotlight, followed by ⌘ + V to paste).

The fake interface automatically copies malicious commands to the user’s clipboard, which when executed, download and run the AMOS malware.

“The attack is meticulously designed to target MacOS users, using a combination of client-side and server-side mechanisms to ensure the ClickFix interface is displayed only on MacOS devices,” notes the researcher who identified the threat.

The malware itself, available on underground forums since April 2023 as a Malware-as-a-Service offering for $1,000-$3,000 monthly, uses a signed Mach-O binary that bypasses MacOS Gatekeeper security protections.

Blockchain-Based Infrastructure

What makes this campaign particularly sophisticated is its use of “EtherHiding,” a technique where malicious commands are embedded in Binance Smart Contract blockchain transactions to evade detection and resist takedowns.

This approach provides attackers with a resilient command and control infrastructure that traditional security measures struggle to block.

The investigation began with agencia2.jornalfloripa.com.br and expanded as the researcher uncovered thousands of other sites using identical attack methodologies.

The delivery system leverages obfuscated JavaScript, multiple full-screen overlays, and blockchain-based command retrieval to ensure the attack succeeds while remaining difficult to detect or disrupt.

Once installed, AMOS targets valuable user data, including Keychain passwords, browser data, cryptocurrency wallets, system information via system_profiler, and files from Desktop and Documents folders.

The stealer specifically targets over 50 different cryptocurrency wallets and extensions, representing a significant financial threat to users.

Protect Your Mac from This Threat

According to the report, security experts recommend several measures to protect against this expanding threat:

  1. Never execute Terminal commands prompted by websites, particularly those presented through CAPTCHA or verification interfaces.
  2. Monitor network traffic for suspicious connections to domains like technavix.cloud or salorttactical.top associated with this campaign.
  3. Use endpoint detection tools capable of identifying unusual Keychain access or system_profiler execution.
  4. Implement content security policies to block unauthorized scripts on websites you manage.
  5. Keep your macOS and security software updated with the latest patches.

If you suspect your device has been compromised, experts recommend quarantining the system, scanning with macOS-specific antivirus tools, and resetting passwords for Keychain, browsers, and cryptocurrency wallets.

The discovery underscores the growing sophistication of threats targeting Apple’s ecosystem.

With approximately 2,800 compromised websites identified so far, ranging from news outlets to personal blogs, the scale indicates a well-resourced threat actor specifically targeting the growing macOS user base worldwide.
