The backdoor communicates with command-and-control servers at IP addresses 45.94.47.145 and 45.94.47.147, sending periodic HTTP POST requests every 60 seconds to receive commands. It installs a LaunchDaemon labeled “com.finder.helper” to ensure it survives system reboots, and hides operational components under filenames like “.helper” and “.agent.” Unlike typical smash-and-grab theft operations by groups like Lazarus, AMOS focuses on maintaining long-term covert access, potentially allowing attackers to surveil, manipulate, or exfiltrate sensitive data over extended periods.

Security experts have noted a spike in unique AMOS binary samples since early 2024, reflecting active development and wider deployment of this malware through the malware-as-a-service (MaaS) model. As the threat evolves, Mac users are urged to adopt layered defense strategies, including anti-malware tools, cautious interaction with unsolicited offers or job interviews, and limiting personal data exposure online. Cybersecurity researchers, are closely monitoring AMOS's evolution and continue to share intelligence to help organizations defend against this increasingly dangerous macOS threat.

Impact

• Sensitive Data Theft
• Crypto Theft
• Gain Access
• Financial Loss

Indicators of Compromise

IP

• 45.94.47.158

• 45.94.47.157

• 45.94.47.146

• 45.94.47.147

• 45.94.47.145

MD5

• 53c2e47e41fccd101da2459892f9c33b

• 58415d7b6686b0bdf7b0e811511f4e81

• 59d5cd7e4a50f4dadf226e2973d04a72

• a79d09c2450b4b18ad0868911937eac2

SHA-256

• ec11fd865c2f502c47f100131f699a5e0589092e722a0820e96bd698364eefdb

• 11e55fa23f0303ae949f1f1d7766b79faf0eb77bccb6f976f519a29fe51ce838

• 8d8b40e87d3011de5b33103df2ed4ec81458b2a2f8807fbb7ffdbc351c7c7b5e

• 3402883ff6efadf0cc8b7434a0530fb769de5549b0e9510dfdd23bc0689670d6

SHA1

• d6c01cddc711fd17cc7687ba4b214769cf9b7d6b

• e8b5f25fc185e594847d7e0963089fb5643392ce

• 1310b7525b5887ae708c720264ca758ab2d07a64

• 29416b38e7cd6a6aae40b629cfc3e25f4dca6e25

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Isolate and determine if forensic analysis needs to be performed. If it does, a forensic image (preservation copy) should be created for analysis to determine the scope of potential data at risk and the extent of threat actor activity. If not, proceed with internal/existing IT processes to restore to "gold image" (baseline).
• Conduct a forensic analysis of the "at risk" data as identified within this article under Critical Takeaways section under "The extension accessed the following browser data:", which details specifically what data elements may be at risk and should be considered for inventorying, resetting, and for a potential follow-on investigation into unauthorized or unexpected activity.
• Reset credentials associated with affected user accounts, especially those with administrative access.
• Block-identified IOCs (domains, IPs, hashes) across endpoints, networks, and other security appliances.
• Reimage the infected system to ensure full eradication.
• Educate users on recognizing suspicious activity and phishing attempts to reduce the risk of reinfection.