{
	"id": "2e384800-edea-4c4b-84fd-e38597537681",
	"created_at": "2026-04-06T00:12:29.976758Z",
	"updated_at": "2026-04-10T03:20:26.472689Z",
	"deleted_at": null,
	"sha1_hash": "83f52ff755b0d89aec43c6a67e9cd87ff9810f05",
	"title": "Silent Echoes: The Hidden Dialogue among Malware Entities — Spotlight on AMOS InfoStealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2685228,
	"plain_text": "Silent Echoes: The Hidden Dialogue among Malware Entities —\r\nSpotlight on AMOS InfoStealer\r\nBy Taisiia G.\r\nPublished: 2023-05-14 · Archived: 2026-04-05 16:34:36 UTC\r\nOn April 26th, Cyble, a threat intelligence provider, released an article discussing a new infostealer called AMOS,\r\nwhich targets Mac devices. Intrigued by their findings, I conducted a personal investigation and gathered more\r\ninformation about AMOS infostealer. Initially, I planned to conduct a technical analysis of the stealer and its\r\ninfrastructure. However, delving deeper into AMOS, I decided to shift the main focus and present the analysis of\r\nthe threat actors behind the stealer instead. As you go with me on this journey, I hope you don’t get lost in my\r\nthought process. Let’s go.\r\nI started my investigation by locating the Telegram channel where the stealer was advertised. The first Telegram\r\nchannel was created on April 9th and has 366 subscribers. However, on April 29th, the admin of the channel\r\ndeclared that they were leaving the project, transferring ownership to the user @ping3r and a new coder, adding\r\nthat he leaves it up to the users to decide how to view it — as a selling point or circumstance. Later the same day,\r\nthe second channel related to AMOS was created, which currently has 1155 subscribers and where the contact\r\nperson is referenced as @ez360x (I presume this is a new coder). Additionally, a support group was created,\r\nwhich currently has only 15 members. Interestingly, when I saw the new channel, what struck me first was the\r\nchannel’s avatar (see Figure 1). I couldn’t get over the feeling that I had seen this avatar somewhere before. 
I did\r\nsome searching, and voila — I found it.\r\nhttps://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219\r\nPage 1 of 11\n\nFigure 1. The avatar of the second Telegram channel of Atomic macOS Stealer\r\nMaybe XORacle?\r\nThe profile image is similar to the avatar of the malware development team — XORacle, which offers malware\r\ndevelopment services on one of the most popular Russian-speaking forums (see Figure 2). XORacle mentions in\r\ntheir advertisement that they have expertise in developing various types of malware, including RATs, Stealers,\r\nClippers, and Loaders, using Rust and Go programming languages (AMOS was written in Go). They also offer\r\nmalware development services for macOS. Coincidence or not, at this point I can only speculate about the\r\npotential relation of XORacle to AMOS.\r\nFigure 2. XORacle advertisement on one of the Russian-speaking forums\r\nPossible connection to WhiteSnake stealer\r\nGoing back to Telegram, I browsed through the AMOS support group and noticed that out of fifteen members, one\r\nof them was named @WhiteSnake (see Figure 3). WhiteSnake is a stealer that emerged on the market in February\r\n2023, targeting Windows and Linux operating system users. The user @WhiteSnake was an admin of the\r\nTelegram channel advertising WhiteSnake stealer.\r\nFigure 3. Screenshot shows WhiteSnake among the group members of AMOS support group\r\nFurther, WhiteSnake is present on the Russian-speaking forum. 
While browsing through it, I noticed that\r\nWhiteSnake asked a user to message them privately in response to their question about the development of a\r\nmacOS stealer (see Figure 4). Furthermore, on March 17th, our user posted an interesting statement, citing —\r\n“Here lives Uzbek” (see Figure 5), which suggests that the user may be originally from Uzbekistan (remember this\r\ndetail!).\r\nFigure 4. The response of WhiteSnake to the request about macOS stealer\r\nFigure 5. WhiteSnake’s profile on Russian-speaking web forum.\r\nAs I continued investigating, the next step was to check whether the stealer was advertised elsewhere on\r\nTelegram. Lucky me — it was. Although in my earlier examination (two weeks ago), I identified at least seven\r\ninstances of AMOS advertisements on the various channels, I noticed that earlier advertisements were removed\r\nfrom most channels except for one. Accident or not, it was still there. It was necessary since the earlier\r\nadvertisements contained a critical element — mentioning of another person associated with a channel — a user\r\nremoved later from all the posts on the channel — @line_liner (see Figure 6). Could @line_liner be the primary\r\ncoder of AMOS? Well, yes.\r\nFigure 6. An example of an AMOS advertisement on another channel that mentions the user\r\n@line_liner.\r\nSo, right now we have three profiles of interest: @ping3r, @line_liner and @ez360x. 
Let’s look into each and\r\nevery one of them individually to see what we can find.\r\nUser 1: ping3r (Role — AMOS owner)\r\nThe first user of interest is @ping3r, who is the present owner of the AMOS stealer. After conducting some\r\nresearch, I found out that @ping3r is the owner of the private forum COOKIE.PRO, which has been active since\r\n2018. To join the forum, interested parties must pay a fee ranging from $150 for users to $250 for sellers. The\r\nwebsite also has a Telegram group with 3,633 members, where @ping3r is referred to as the admin (see Figure 8).\r\nAdditionally, @ping3r serves as an escrow on the forum COOKIE.PRO. The forum advertises several familiar\r\ninfostealers, including WhiteSnake and Titan.\r\nFigure 7. Atomic macOS advertisement on the COOKIE.PRO website\r\nFigure 8. Screenshot of COOKIE.PRO Telegram group.\r\nUser 2: line_liner (Role — AMOS developer)\r\nThe next person of interest is @line_liner, who I believe was an admin of the first channel and a coder behind\r\nAMOS, and the mention of whom was erased after the ownership of the stealer was transferred to another\r\nperson. When I checked the Telegram of @line_liner, I noticed an interesting detail in their profile picture: a\r\ntraditional Uzbek hat called Tubeteika (see Figure 9). This makes me think there might be a connection between\r\n@line_liner and the WhiteSnake developer. What if they are the same person? Intriguing, right?\r\nFigure 9. 
A profile picture on the Telegram of @line_liner\r\nUser 3: ez360x (Role — new coder)\r\nLastly, @ez360x, new coder. Unfortunately, I found nothing about this user, but he seems to be a “no less popular\r\ncoder”. Could it be the previously mentioned XORacle? At this point, I can only guess.\r\nWas it Titan after all?\r\nAs I delved deeper into the investigation for this article, I uncovered some additional interesting information\r\nwhich contradicts or supports my previous statements. On May 11th, a Telegram channel called Abbadon posted\r\nthat on March 18th, the developer of Titan Stealer ceased working on it and sold it to Aurora (another info-stealer). Additionally, it was mentioned that Aurora, who now owns Titan Stealer, focused entirely on operating\r\nTitan, ceasing all Aurora operations as of May 1st. Furthermore, according to the information in the channel — the\r\noriginal developer of Titan started working on developing Atomic macOS Stealer (AMOS), which was later sold\r\nto a user named @ping3r (see Figure 11). Abbadon shared a screenshot of forwarded messages from @ping3r\r\nindicating the purchase of AMOS from Titan (see Figure 10).\r\nFigure 10. The screenshot of messages forwarded from Ping3r — mentioning Titan as the main\r\ndeveloper.\r\nFigure 11. The screenshot of the Abbadon post mentions the potential link between different stealers.\r\nConclusion\r\nAlthough Abbadon’s post, in a way, disproves my initial belief that WhiteSnake is the one who developed AMOS,\r\nthere is no solid evidence to state that they are not. What if WhiteSnake and Titan are the same people, after all? 
I\r\ndon’t know it, but working on this investigation and having AMOS as a case study shows the tight\r\ninterconnectedness between the users behind the development of malicious software. There is a high chance that\r\nthe same person or team (like XORacle) might be behind several malicious software that we know under different\r\nnames. I won’t be surprised if they operate under the name of a legitimate software company with an office,\r\nregular working hours and a coffee machine standing in the corner. I hope you enjoyed being on this journey with\r\nme. See you!\r\nSource: https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219"
	],
	"report_names": [
		"silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219"
	],
	"threat_actors": [],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83f52ff755b0d89aec43c6a67e9cd87ff9810f05.pdf",
		"text": "https://archive.orkl.eu/83f52ff755b0d89aec43c6a67e9cd87ff9810f05.txt",
		"img": "https://archive.orkl.eu/83f52ff755b0d89aec43c6a67e9cd87ff9810f05.jpg"
	}
}