A sophisticated malvertising campaign is actively distributing the AMOS 'malext' variant, a macOS infostealer, by mimicking legitimate text-sharing platforms. Cybersecurity researchers at Netskope Threat Labs have uncovered this operation, which leverages sponsored search engine ads to redirect users to fraudulent domains hosting malicious DMG files. This campaign highlights the increasing focus of threat actors on Apple platforms, targeting cryptocurrency users, remote workers, and creative professionals.
The malvertising operation begins when users query terms related to text-sharing or clipboard tools. Sponsored search ads appear, leading to lookalike domains such as pastedownload[.]com, pastepal[.]app, pastehub[.]online, and textshare[.]pro. These sites host DMG files disguised as legitimate applications, such as "PasteDownload.dmg" or "PastePal.app.dmg." Upon mounting the DMG, users are presented with a professional-looking installer that prompts them to drag the app to the Applications folder. However, the package contains the AMOS 'malext' infostealer, which activates upon launch.
Technical Analysis of AMOS 'malext'
The 'malext' variant represents an evolution of the Atomic macOS Stealer (AMOS) family, which was first observed in 2023. This malware is designed with extensive capabilities for credential and file theft, as well as system reconnaissance. It extracts passwords from the macOS Keychain using the Chainbreaker tool and steals browser credentials and cookies from Chrome, Firefox, Safari, and Edge. Furthermore, it specifically targets cryptocurrency wallets, including MetaMask, Phantom, and Exodus.
In addition to credential theft, the malware collects documents from the Desktop, Downloads, and Documents folders, exfiltrating sensitive files such as .txt, .pdf, .docx, and .wallet files. It also collects system information, including the machine GUID, hardware UUID, IP address, and location, while enumerating installed applications and browser extensions. The stolen data is archived into ZIP files and uploaded to attacker-controlled Command and Control (C2) servers via HTTPS.
The malware employs several evasion techniques to avoid detection. Payloads are XOR-encoded and embedded in AppleScript for code obfuscation. It bypasses Gatekeeper by using notarized binaries and the LegitimateAuthority entitlement. The malware also checks for virtual machines and sandbox environments to evade analysis, and it installs a LaunchAgent to ensure persistence across reboots.
Infection Chain and Scope
The infection chain begins with a sponsored search ad that redirects the user to a malicious lookalike domain. The user then downloads a legitimate-looking DMG file. Social engineering tactics are used, with a fake installer prompting the user to "Drag to Applications." Privilege escalation occurs when an AppleScript requests the system password via a fake dialog. Once executed, the Chainbreaker tool unlocks the Keychain, and data collection begins. Finally, the stolen data is sent to C2 servers, such as malext[.]shop.
Netskope researchers assess that this campaign has been active since late February 2026, with over 5,000 infections detected across North America and Europe. The AMOS malware-as-a-service (MaaS) ecosystem continues to evolve, with 'malext' representing the latest subscription tier, priced at $500 per month.
Frequently Asked Questions
How can users protect themselves from this campaign?
Users should verify app sources before installing, enable Gatekeeper and XProtect, use antivirus software with real-time protection, and avoid running unknown Terminal commands.
What should organizations do to mitigate this threat?
Organizations should deploy EDR solutions with macOS support, block malicious domains via DNS filtering, monitor for suspicious LaunchAgents, and implement application allowlisting.
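To make the "monitor for suspicious LaunchAgents" advice concrete, here is an added example (not Netskope's or the article's code) that audits LaunchAgent plists for the persistence traits described above: an AppleScript interpreter or temp-directory payload in the command line, RunAtLoad combined with KeepAlive, and a label outside common reverse-DNS prefixes. The token list, label rule and both sample plists are constructed assumptions; tune them to your fleet.

```python
import plistlib
from pathlib import Path

# Constructed heuristics: script interpreters and writable staging paths that
# AMOS-style agents (AppleScript loader, temp-dir payload) tend to reference.
SUSPICIOUS_TOKENS = ("osascript", "/tmp/", "/var/folders/", "curl", "base64", "xattr -c")
LAUNCHAGENT_DIRS = (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents"))

def score_launchagent(plist: dict) -> list[str]:
    """Return the reasons an agent looks suspicious; an empty list means clean."""
    reasons = []
    # Join Program and ProgramArguments into one command line for token matching.
    argv = [plist.get("Program", "")] + list(plist.get("ProgramArguments", []))
    cmd = " ".join(str(a) for a in argv)
    for tok in SUSPICIOUS_TOKENS:
        if tok in cmd:
            reasons.append(f"command references {tok!r}")
    # Starting at login and respawning when killed is the usual persistence combination.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive")
    label = str(plist.get("Label", ""))
    if not label.startswith(("com.", "org.", "net.", "io.")):
        reasons.append(f"unusual label {label!r}")
    return reasons

def audit_dirs(dirs=LAUNCHAGENT_DIRS) -> dict[str, list[str]]:
    """Scan on-disk LaunchAgents; map each flagged plist path to its reasons."""
    findings = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            try:
                with p.open("rb") as fh:
                    plist = plistlib.load(fh)
            except Exception as exc:  # an unparseable plist deserves a look too
                findings[str(p)] = [f"unparseable plist: {exc}"]
                continue
            reasons = score_launchagent(plist)
            if reasons:
                findings[str(p)] = reasons
    return findings

# Constructed samples: a persistence entry of the kind described above, and a benign one.
SAMPLE_MALICIOUS = {"Label": "update.helper", "RunAtLoad": True, "KeepAlive": True,
                    "ProgramArguments": ["/usr/bin/osascript", "/private/tmp/.helper.scpt"]}
SAMPLE_BENIGN = {"Label": "com.example.sync", "RunAtLoad": True,
                 "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync"]}
```

Call `audit_dirs()` on a Mac to scan the user and system LaunchAgent folders; `score_launchagent()` can also be run over plists collected by an EDR or MDM export.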
How can browser protection be enhanced?
Installing ad blockers like uBlock Origin, enabling Safe Browsing in Chrome or Safari, and using search engine safe search features can help enhance browser protection.
My Take
The distribution of the AMOS 'malext' infostealer via fake text-sharing ads underscores a significant shift in the threat landscape, with macOS increasingly becoming a primary target. The professional packaging of the malware and its ability to bypass traditional security measures like Gatekeeper highlight the necessity for behavioral detection over signature-based approaches. As the AMOS MaaS ecosystem evolves, with the 'malext' variant priced at $500 per month, we can expect to see more sophisticated and targeted attacks against macOS users, particularly those handling sensitive data or cryptocurrency.