Ghidra-themed macOS Crimeware Campaign (AMOS-lineage)

BLUF

A financially motivated campaign targets security researchers and developers by delivering a fake "Ghidra" download that contains a macOS stealer/RAT ("MacSync Stealer"). It uses sophisticated cloaking to serve the payload only to macOS users while redirecting Windows users elsewhere, and aims to harvest browser credentials, cryptocurrency wallets, and SSH/cloud keys.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by credential-stealing macOS malware targeting developer and security tooling ecosystems:

·       Low-end total cost: $900,000 – $1.6M

o   (Limited endpoint spread, no secondary cloud or customer impact)

·       Typical expected range: $1.6M – $3.5M

o   (Multiple developers affected, broad credential resets, short-term disruption)

·       Upper-bound realistic scenarios: $3.5M – $6.5M

o   (Cloud access abuse, customer notification, prolonged operational recovery)

Key Cost Drivers

·       Number of developer and privileged macOS endpoints compromised

·       Scope of stolen credentials tied to cloud, CI/CD, or production access

·       Duration of undetected access before containment

·       Regulatory or customer notification obligations triggered

·       Insurance coverage exclusions related to credential theft

Targeted Sectors

·       Technology

·       Cybersecurity

·       Software Development

Countries Targeted

·       Global

Date of First Reported Activity

·       January 29, 2026

Date of Last Reported Activity Update

·       January 30, 2026

APT Groups

·       Not affiliated with any APT group at this time

Criminal Organization Names

·       AMOS-derived (Atomic macOS Stealer lineage).

IOCs

As a reminder, detection should focus on the heuristic behavior of the attacks. Indicators such as hashes, domains, and similar artifacts can be useful for identifying historical activity; however, attackers are highly dynamic. These indicators often vary by target and attack, and can even change within the same attack.

Network Indicators

·       Phishing/Landing Domains:

o   Fake Ghidra distribution sites (e.g., pages mimicking the official Ghidra source pages).

o   A Traffic Distribution System (TDS) selectively delivers payloads to macOS visitors while cloaking from Windows users (redirecting them to legitimate GitHub pages).

IP Addresses

·       93.152.230.79

o   Associated with broader AMOS infrastructure

·       195.82.147.38

o   Associated with broader AMOS infrastructure

Exfiltration Endpoint

The actor's gate endpoint is contacted at the path /dynamic to fetch commands; stolen data, staged locally at /tmp/osalogging.zip, is uploaded to the same gate.

Host-Based Indicators

File Paths

·       /tmp/osalogging.zip (Staging area for exfiltrated data).

·       com.finder.helper.plist (LaunchDaemon used for persistence).

·       .agent or .helper scripts (Malicious scripts running in infinite loops).

·       update (AppleScript file typically downloaded to the /tmp directory).

Execution & Commands

·       osascript: Extensively used to execute on-demand AppleScript returned from the C2.

·       curl | sh: Common execution pattern used in the initial drive-by/Terminal-prompt stages.

·       Base64-encoded commands: Often pasted into Terminal by victims under the guise of installation steps or "ClickFix" style CAPTCHA bypasses.

Behavioral Indicators

·       Targeted Theft

o   Actively harvests browser credentials, crypto wallets (Ledger/Ledger Live), SSH keys, AWS/Kube keys, shell history, and git configurations.

·       Persistence Loop

o   Every second, a script queries /dev/console to identify the active GUI user and relaunches the malicious helper in that user's context via sudo -u.

·       User Deception

o   Displays fake system dialogs to trick users into providing credentials.

·       Gate endpoint

o   [actor-controlled-domain].com/dynamic

·       Exfiltration

o   osalogging.zip
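The file-system artifacts above can be checked with a short triage script. The following is an added example written for this page, not tooling from the report or from the CyberDax team; it takes the artifact names from the Host-Based and Behavioral Indicators sections and assumes the standard macOS layout (/tmp, /Library/LaunchAgents, /Library/LaunchDaemons and the per-user equivalents under /Users). The root argument lets it be run against a mounted image or, as in run_demo(), against a constructed test tree.

```python
"""Disk triage for the host artifacts named in this report.

Added example (not code from the report or from any vendor): walks a
filesystem root looking for the staging files, launchd job and hidden helper
scripts listed under Host-Based and Behavioral Indicators. Artifact names come
from the report; the directory layout assumed is the standard macOS one.
"""
import plistlib
import tempfile
from pathlib import Path

STAGING_FILES = ("tmp/osalogging.zip", "tmp/update")        # from the report
PERSISTENCE_PLIST = "com.finder.helper.plist"                # from the report
LAUNCHD_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")
HIDDEN_HELPER_NAMES = (".agent", ".helper")                  # from the report


def _home_dirs(root):
    """Per-user home directories under <root>/Users (assumed macOS layout)."""
    users = root / "Users"
    return [h for h in users.iterdir() if h.is_dir()] if users.is_dir() else []


def _plist_keeps_alive(plist_path):
    """True when the job starts at load and is restarted by launchd on exit,
    which is the shape a helper that must run continuously needs."""
    try:
        with plist_path.open("rb") as fh:
            job = plistlib.load(fh)
    except Exception:
        return False  # unreadable or not a plist; the path is still reported
    return bool(job.get("RunAtLoad")) and bool(job.get("KeepAlive"))


def triage(root="/"):
    """Return a list of (category, path) findings found under root."""
    root = Path(root)
    findings = []
    for rel in STAGING_FILES:
        p = root / rel
        if p.exists():
            findings.append(("staging_file", str(p)))
    launchd_dirs = [root / d for d in LAUNCHD_DIRS]
    launchd_dirs += [h / d for h in _home_dirs(root) for d in LAUNCHD_DIRS]
    for d in launchd_dirs:
        p = d / PERSISTENCE_PLIST
        if p.exists():
            kind = "persistence_plist_keepalive" if _plist_keeps_alive(p) else "persistence_plist"
            findings.append((kind, str(p)))
    for home in _home_dirs(root):
        for name in HIDDEN_HELPER_NAMES:
            p = home / name
            if p.is_file():
                findings.append(("hidden_helper_script", str(p)))
    return findings


def build_sample_tree(base):
    """Constructed test tree mimicking an infected host (no real malware)."""
    base = Path(base)
    (base / "tmp").mkdir(parents=True, exist_ok=True)
    # 22-byte end-of-central-directory record: a valid empty ZIP as a stand-in
    (base / "tmp" / "osalogging.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)
    agents = base / "Users" / "alice" / "Library" / "LaunchAgents"
    agents.mkdir(parents=True, exist_ok=True)
    job = {"Label": "com.finder.helper", "ProgramArguments": ["/Users/alice/.helper"],
           "RunAtLoad": True, "KeepAlive": True}
    with (agents / PERSISTENCE_PLIST).open("wb") as fh:
        plistlib.dump(job, fh)
    (base / "Users" / "alice" / ".helper").write_text("#!/bin/sh\n# placeholder helper script\n")
    return base


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    return triage(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for category, path in run_demo():
        print(f"{category}: {path}")
```

Run triage("/") as an administrator on a live host, or point root at a mounted forensic image. A persistence_plist_keepalive hit means the job is set to start at login and be restarted by launchd whenever it exits, which matches the infinite-loop helper described above; inspect ProgramArguments in the plist before removing it so the dropped helper is collected too.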

Tools Used

·       AppleScript

·       Shell scripts

·       Traffic Distribution System (TDS).

CVEs & CVSS

·       Not applicable

o   Targets user behavior through phishing

Malware Names

·       MacSync Stealer (AMOS-lineage)

sha256

be961ec5b9f4cc501ed5d5b8974b730dabcdf7e279ed4a8c037c67b5b935d51a

Malware Family

·       AMOS (Atomic macOS Stealer) lineage

o   It shares behavioral DNA and target profiles with the AMOS and Odyssey families.

Known Decoding Key

·       This variant typically utilizes Base64 decoding (base64 -D) combined with gunzip for its second-stage payloads.

Verdict

·       Malicious

o   It is a high-capability information stealer designed to bypass macOS security controls.

Primary Objectives

·       Credential Harvesting

o   Stealing keychain passwords, system login credentials, and autofill data from Chromium and Gecko-based browsers.

·       Financial Theft

o   Targeted extraction of cryptocurrency wallet data (e.g., Electrum, Binance, Exodus) and replacement of legitimate apps like Ledger Live and Trezor Suite with malicious versions.

·       Infrastructure Access

o   Collection of sensitive developer files such as .aws and .kube configuration files.

Behavior Analysis

·       Delivery

o   Uses a digitally signed and notarized Swift-based installer to bypass Apple Gatekeeper.

·       Evasion

o   Employs binary padding (inflating the DMG to ~25.5MB with decoy PDFs) to evade automated sandbox analysis.

·       Execution

o   Launches a hidden helper executable that retrieves and executes an encoded script from a remote C2 server in-memory.

·       Persistence

o   Establishes persistence via LaunchAgents or LaunchDaemons (e.g., com.finder.helper.plist) to ensure the malware runs in an infinite loop.

TTPs

Initial Access

·       T1189 Drive-by Compromise

o   Distributed via SEO poisoning and malicious advertisements (malvertising) that redirect users to fake landing pages.

·       T1566.002 Phishing (Spearphishing Link)

o   Leverages fake GitHub repositories impersonating legitimate developer tools (e.g., PagerDuty, Ghidra) to host malicious installers.

Execution

·       T1204.002 User Execution (Malicious File)

o   Relies on users downloading and opening a disk image (DMG) containing a code-signed application.

·       T1059.002 Command and Scripting Interpreter (AppleScript)

o   Uses osascript to harvest passwords via fake system prompts and execute malicious logic.

·       T1059.004 Command and Scripting Interpreter (Unix Shell)

o   Executes multi-stage bash/zsh scripts (e.g., runner) typically downloaded to /tmp/.

Persistence

·       T1547.001 Boot or Logon Autostart Execution (Replay Task/Launch Agent)

o   Configures LaunchDaemons or LaunchAgents (e.g., com.finder.helper.plist) to ensure the malware runs automatically.

Privilege Escalation

·       T1548.003 Abuse Elevation Control Mechanism

o   Prompts users for administrative credentials using AppleScript to gain access to sensitive system files like the Keychain.

Defense Evasion

·       T1553.002 Subvert Trust Controls (Code Signing)

o   Delivers payloads via notarized Swift applications with valid developer certificates to bypass Apple Gatekeeper.

·       T1140 Deobfuscate/Decode Files or Information

o   Decodes Base64-encoded strings and decompresses payloads (gunzip) in memory to avoid static signature detection.

·       T1027.001 Binary Padding

o   Inflates the application bundle size (e.g., to 25 MB+) using decoy PDFs to bypass cloud-based automated sandbox scanners that often ignore large files.

·       T1497.001 Virtualization/Sandbox Evasion (System Checks)

o   Checks for internet connectivity and performs Gatekeeper self-validation (spctl -a -v) to ensure it is running in a live environment rather than a sandbox.

Credential Access

·       T1555.001 Credentials from Password Stores (Keychain)

o   Targets the macOS login.keychain-db file to extract stored usernames and passwords.

·       T1555.003 Credentials from Web Browsers

o   Extracts cookies, login data, and autofill information from Safari and Chromium-based browsers.

·       T1539 Steal Web Session Cookie

o   Specifically targets web session cookies to bypass Multi-Factor Authentication (MFA) on various services.

Discovery

·       T1082 System Information Discovery

o   Collects detailed system profiles, metadata, and hardware identifiers.

Collection

·       T1213 Data from Information Repositories

o   Targets cryptocurrency wallets (e.g., Ledger Live, Trezor, Exodus) by copying wallet databases and configuration files.

·       T1560.001 Archive via Utility

o   Compresses harvested data into ZIP archives (e.g., /tmp/osalogging.zip) prior to exfiltration.

Command and Control

·       T1071.001 Application Layer Protocol (Web Protocols)

o   Uses HTTP/HTTPS traffic (TLS 1.2/1.3) to communicate with command-and-control (C2) domains.

·       T1105 Remote File Copy

o   Downloads secondary stage payloads and backdoor components from the C2 server using curl.

Exfiltration

·       T1041 Exfiltration Over C2 Channel

o   Transmits archived victim data directly to the actor's endpoint via standard network channels to blend in with legitimate traffic.

Suggested searches / potential hunts

Suricata

·       Detect the multi-stage infection funnel, including the Traffic Distribution System (TDS) redirection and the final exfiltration of collected data.

·       Exfiltration Alert

o   The malware compresses stolen credentials and keys into a ZIP file named osalogging.zip and exfiltrates it via an HTTP/HTTPS POST to the actor’s gate.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE macOS/MacSync Exfiltration Attempt (osalogging.zip)"; flow:established,to_server; content:"POST"; http_method; content:"/osalogging.zip"; http_uri; classtype:trojan-activity; sid:1000001; rev:1;)

·       C2 Command Retrieval

o   Hunt for unusual AppleScript payloads returned from remote endpoints, often following a POST to a /dynamic URI.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE macOS/MacSync C2 AppleScript Retrieval"; flow:established,to_server; content:"/dynamic"; http_uri; content:"osascript"; http_client_body; classtype:command-and-control; sid:1000002; rev:1;)

SentinelOne

·       Monitor for osascript being used to trigger fake system error messages or password prompts, a hallmark of AMOS variants.

EventType = "Process Creation" AND (ProcessName = "osascript" OR ProcessName = "AppleScript") AND (CommandLine Contains "display dialog" OR CommandLine Contains "with title \"System Error\"")


·       Look for non-browser processes attempting to read browser credential stores or SSH/AWS keys, which this campaign specifically targets.

EventType = "File Read" AND (FilePath Contains "/.ssh/" OR FilePath Contains "/.aws/" OR FilePath Contains "Cookies.binarycookies") AND ProcessName NOT IN ("ssh", "git", "browser_name")

Splunk

·       AMOS often executes specific osascript commands to determine if it is running in a virtualized environment.

index=main sourcetype="osquery:results" name="process_events" cmdline="*osascript*" (cmdline="*ioreg -rd1 -c*" OR cmdline="*VirtualBox*" OR cmdline="*VMware*") | table _time, host, cmdline

·       Identify the creation of suspicious .plist files, such as com.finder.helper.plist, which are used to maintain persistence for the malicious agent.

index=main (sourcetype="macos:syslog" OR sourcetype="osquery:results") file_path="*/LaunchAgents/com.finder.helper.plist" | stats count by host, file_path, action
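The SentinelOne and Splunk hunts above, together with the base64 -D | gunzip decoding pattern and the /dev/console relaunch loop from the indicators sections, reduce to a handful of string tests over process and file events. The block below is an added example for this page, not code from the report or from either vendor; it applies those tests to newline-delimited JSON events. The field names event_type, process, cmdline and file_path and the allow-list of expected readers are assumptions made for the example, and the events in SAMPLE_EVENTS are constructed.

```python
"""Host-telemetry detections for the hunts in this report.

Added example (not from the report or any vendor): applies the SentinelOne and
Splunk hunt logic above to newline-delimited JSON process and file events.
The event field names (event_type, process, cmdline, file_path) are an
assumption for this example, not any EDR's schema.
"""
import json

SENSITIVE_PATH_MARKERS = ("/.ssh/", "/.aws/", "/.kube/", "Cookies.binarycookies")
# Processes expected to touch those files; anything else is worth a look.
# Mirrors the NOT IN list in the SentinelOne query (assumed allow-list).
ALLOWED_READERS = {"ssh", "git", "Safari", "Google Chrome", "aws", "kubectl"}
PERSISTENCE_PLIST = "com.finder.helper.plist"


def classify(event):
    """Return the list of rule names a single event matches."""
    hits = []
    etype = event.get("event_type", "")
    proc = event.get("process", "")
    cmd = event.get("cmdline", "")
    path = event.get("file_path", "")

    if etype == "Process Creation":
        if proc == "osascript" and ("display dialog" in cmd or 'with title "System Error"' in cmd):
            hits.append("fake_system_dialog")          # SentinelOne hunt 1
        if proc == "osascript" and any(m in cmd for m in ("ioreg -rd1 -c", "VirtualBox", "VMware")):
            hits.append("sandbox_check_via_osascript")  # Splunk hunt 1
        if "base64 -D" in cmd and "gunzip" in cmd:
            hits.append("base64_gunzip_stage")          # Known Decoding Key
        if "curl" in cmd and "| sh" in cmd:
            hits.append("curl_pipe_sh")                 # Execution & Commands
        if "/dev/console" in cmd and "sudo -u" in cmd:
            hits.append("console_user_relaunch")        # Persistence Loop
    elif etype == "File Read":
        if any(m in path for m in SENSITIVE_PATH_MARKERS) and proc not in ALLOWED_READERS:
            hits.append("credential_store_read")        # SentinelOne hunt 2
    elif etype == "File Create":
        if path.endswith(PERSISTENCE_PLIST) and ("/LaunchAgents/" in path or "/LaunchDaemons/" in path):
            hits.append("launchd_persistence")          # Splunk hunt 2
    return hits


def scan(ndjson_text):
    """Run classify() over each JSON line; return [(line_no, rule), ...]."""
    results = []
    for n, line in enumerate(ndjson_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        for rule in classify(json.loads(line)):
            results.append((n, rule))
    return results


# Constructed sample events (not real telemetry). Raw string keeps the JSON escapes intact.
SAMPLE_EVENTS = r"""
{"event_type": "Process Creation", "process": "osascript", "cmdline": "osascript -e 'display dialog \"macOS needs your password to continue\" with title \"System Error\"'"}
{"event_type": "File Read", "process": ".helper", "file_path": "/Users/alice/.ssh/id_ed25519"}
{"event_type": "File Read", "process": "ssh", "file_path": "/Users/alice/.ssh/id_ed25519"}
{"event_type": "File Read", "process": ".helper", "file_path": "/Users/alice/Library/Cookies/Cookies.binarycookies"}
{"event_type": "File Create", "process": "bash", "file_path": "/Users/alice/Library/LaunchAgents/com.finder.helper.plist"}
{"event_type": "Process Creation", "process": "sh", "cmdline": "sh -c 'echo H4sIAAAA... | base64 -D | gunzip | sh'"}
{"event_type": "Process Creation", "process": "bash", "cmdline": "sudo -u $(stat -f %Su /dev/console) /Users/alice/.helper"}
{"event_type": "Process Creation", "process": "osascript", "cmdline": "osascript -e 'do shell script \"ioreg -rd1 -c IOPlatformExpertDevice\"'"}
{"event_type": "Process Creation", "process": "git", "cmdline": "git pull"}
""".strip()


def demo():
    """Scan the constructed events; benign lines 3 and 9 produce no hits."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line_no, rule in demo():
        print(f"line {line_no}: {rule}")
```

ALLOWED_READERS is a name-only allow-list, so a helper that names itself after a browser would slip past the credential_store_read check; where the EDR exposes them, pair the name test with the reader's code-signing identity or executable path.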

Delivery Method

·       Selective Drive-by download (cloaking) via SEO/malvertising.

References

Medium

·       hxxps://medium.com/@Real-macs_hit/ghidra-themed-macos-campaign-full-incident-report-a-technical-analysis-9010c33f40b5

VirusTotal

·       hxxps://www.virustotal.com/gui/file/be961ec5b9f4cc501ed5d5b8974b730dabcdf7e279ed4a8c037c67b5b935d51a/detection
