{
	"id": "22c6aea1-bc6d-4e4e-8d7d-738fee96608a",
	"created_at": "2026-04-06T00:09:53.377895Z",
	"updated_at": "2026-04-10T03:27:57.442269Z",
	"deleted_at": null,
	"sha1_hash": "92812c8b7e12cd4f065cedb95a598d3fc2825b71",
	"title": "FakeSG campaign, Akira ransomware and AMOS macOS stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 168469,
	"plain_text": "FakeSG campaign, Akira ransomware and AMOS macOS stealer\r\nBy GReAT\r\nPublished: 2023-12-13 · Archived: 2026-04-05 14:52:53 UTC\r\nIntroduction\r\nThe crimeware landscape is diverse. Cybercriminals try to capitalize on their victims in every possible way by\r\ndistributing various types of malware designed for different platforms. In recent months, we have written private\r\nreports on a wide range of topics, such as new cross-platform ransomware, macOS stealers and malware\r\ndistribution campaigns. In this article, we share excerpts from our reports on the FakeSG campaign, the Akira\r\nransomware and the AMOS stealer.\r\nTo learn more about our crimeware reporting service, you can contact us at crimewareintel@kaspersky.com.\r\nFakeSG\r\n“FakeSG” is the name we gave to a new NetSupport RAT distribution campaign. The moniker was chosen as it\r\nmimics the notorious SocGholish distribution campaign. Legitimate websites are getting infected, displaying a\r\nnotification that the user’s browser needs an update. For an example, look at the image below. Clicking the\r\nnotification downloads a malicious file to the device. Over the course of time, the attackers have changed the\r\ndownload URL to stay undetected longer. However, for some obscure reason, the path has remained the same\r\n(/cdn/wds.min.php).\r\nLanding page example\r\nhttps://securelist.com/crimeware-report-fakesg-akira-amos/111483/\r\nPage 1 of 4\n\nThe download is a JS file that contains obfuscated code. When executed, it loads another script from a remote\r\nlocation and sets a cookie. Finally, it displays a prompt to update the browser and starts automatically\r\ndownloading another script. This time, it is a batch script that downloads another batch script, a 7z file and the 7z\r\nexecutable.\r\nThe second batch script takes care of persistence by creating a scheduled task with the name “VCC_runner2”,\r\nextracts and copies the malware, and so on. 
	Part of the 7z file is a malicious configuration file containing the\r\naddress of the C2 (see the image below).\r\nC2 address\r\nAkira\r\nAkira is a relatively new ransomware variant, first detected this past April and written in C++, that can run in\r\nWindows and Linux environments. Despite the malware being relatively new, the attackers behind Akira are quite\r\nbusy, with over 60 confirmed infected organizations worldwide. In terms of targets, they choose larger\r\norganizations in various industries, such as retail, consumer goods, education, and others.\r\nIn many ways, Akira is no different from other ransomware families: shadow copies are deleted (using a\r\ncombination of PowerShell and WMI); logical drives are encrypted, and certain file types and directories are\r\nskipped; there is a leak/communication site on TOR; and so on.\r\nWhat sets it apart is certain similarities with Conti. For example, the list of folders excluded from the encryption\r\nprocess is exactly the same. This includes the “winnt” folder, which is only present in Windows 2000. Another\r\nsimilarity is the string obfuscation function used.\r\nOne thing that sets a group apart from another is the C2 panel. In the course of our investigations and joint efforts\r\nwith law enforcement agencies (LEAs) all around the world, we have come across many different types of C2\r\npanels. Akira’s communication site, however, is something different. The group used the JQuery Terminal library\r\nto develop an old-skool minimalistic site. In order to protect it, they implemented certain security measures. For\r\nexample, if you open the website while using a debugger in the browser, an exception will be raised, stopping the\r\nanalysis.\r\nAMOS\r\nStealers are growing in popularity. Certain famous stealers, such as Redline and Raccoon, have been around for\r\nyears. Others emerged more recently, as we discussed in some of our previous blog posts. 
	In the beginning of the\r\nyear, we saw a number of new stealers appearing for macOS: XLoader, MacStealer, Atomic MacOS aka AMOS\r\nand others.\r\nAMOS was first discovered in April 2023. At that time, it was leased to cybercriminals via Telegram for $1,000 per\r\nmonth. The initial version, written in Go, had typical stealer features, such as stealing passwords, files, browser\r\ndata and so on. It also created fake password prompts in an attempt to obtain the system password.\r\nThe new version changed a few things, most notably the programming language. AMOS is now written in C\r\ninstead of Go. We were also able to determine the infection vector: malvertising. Similar to the Redline and\r\nRhadamantys campaigns, popular software sites get cloned, and users are lured into downloading the malware.\r\nThe downloaded file is a DMG image that contains instructions on how to install the malware, as can be seen in\r\nthe image below.\r\nMalware installation instructions\r\nThe first thing the malware does is retrieve the user name and check if the password is blank or no password is\r\nrequired. If a password is required and the user is not logged in, the malware creates a popup using osascript,\r\nasking the user to enter the password. Once all is set, the following data is collected:\r\nNotes database\r\nDocuments from the desktop and Documents\r\nBrowser-related data (cookies, login data, and so on) from browsers like Chrome and Edge\r\nCryptocurrency wallets (Binance, Exodus and others)\r\nInstant messaging data (Telegram, Discord and so on)\r\nThe data is zipped with the “miniz” library and sent to the C2 over HTTP. 
	Part of the request is the UUID\r\nidentifying the malware buyer or campaign.\r\nIn terms of victimology, we have detected infections all around the world, with Russia and Brazil targeted the\r\nmost heavily.\r\nIf you would like to stay up to date on the latest TTPs being used by criminals, or if you have questions about our\r\nprivate reports, you can contact us at crimewareintel@kaspersky.com.\r\nIndicators of compromise\r\nNetSupportManagerRAT\r\nC60AC6A6E6E582AB0ECB1FDBD607705B\r\nAkira\r\n00141f86063092192baf046fd998a2d1\r\n0885b3153e61caa56117770247be0444\r\n2cda932f5a9dafb0a328d0f9788bd89c\r\nAMOS\r\n3d13fae5e5febfa2833ce89ea1446607e8282a2699aafd3c8416ed085266e06f\r\n9bf7692f8da52c3707447deb345b5645050de16acf917ae3ba325ea4e5913b37\r\nSource: https://securelist.com/crimeware-report-fakesg-akira-amos/111483/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/crimeware-report-fakesg-akira-amos/111483/"
	],
	"report_names": [
		"111483"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434193,
	"ts_updated_at": 1775791677,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92812c8b7e12cd4f065cedb95a598d3fc2825b71.pdf",
		"text": "https://archive.orkl.eu/92812c8b7e12cd4f065cedb95a598d3fc2825b71.txt",
		"img": "https://archive.orkl.eu/92812c8b7e12cd4f065cedb95a598d3fc2825b71.jpg"
	}
}