AMOS

Also known as: Atomic macOS Stealer

Indicators of Compromise 15

MITRE ATT&CK TTPs 5

YARA Detection Rules

AMOS_YARA_Detection

import "hash"

rule AMOS_Detection {
    meta:
        description = "Detects AMOS (Atomic macOS Stealer) malware distributed via OpenClaw's ClawHub platform, associated with AI supply chain attacks, infostealer delivery, and C2 communication"
        author = "AI Generated"

    strings:
        // Campaign-specific staging hosts and repository path: one hit is meaningful on its own
        $s1 = "download.setup-service.com" ascii wide
        $s2 = "install.app-distribution.net" ascii wide
        $s3 = "openclawcli.vercel.app" ascii wide
        $s5 = "laosji.net" ascii wide
        $s7 = "Ddoy233/openclawcli" ascii wide
        // C2 addresses as plain strings; the original rule called ipaddr(), which is not a YARA function
        $ip1 = "2.26.75.16" ascii wide
        $ip2 = "91.92.242.30" ascii wide
        // Weak indicators: public paste sites, fragments of the hosts above and generic behavioural
        // strings, each common in benign software, so two are required and only inside a Mach-O image
        $s4 = "glot.io" ascii wide
        $s6 = "rentry.co" ascii wide
        $s8 = "setup-service" ascii wide
        $s9 = "app-distribution" ascii wide
        $s10 = "C2 beacon initialized" ascii wide
        $s11 = "fetch_config" ascii wide
        $s12 = "execute_payload" ascii wide
        $s13 = "bypass_antivirus" ascii wide
        $s14 = "inject_affiliate" ascii wide
        $s15 = "front_running_enabled" ascii wide
        $s16 = "paste-site redirect" ascii wide
        $s17 = "dynamic_payload_url" ascii wide
        $s18 = "clawhub_marketplace_token" ascii wide
        $s19 = "VT_scan_bypass" ascii wide

    condition:
        // Known-sample match. The six 32-byte values of the original rule ($h1..$h6) are treated here as
        // SHA-256 digests of samples (an assumption; 32-byte IoC values are SHA-256 hashes in practice).
        // Searching for them as byte patterns, as the original did, can never fire: a file does not
        // contain its own hash.
        hash.sha256(0, filesize) == "818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7" or
        hash.sha256(0, filesize) == "881ce5cb124c4d2e814783724cc1388f6a1cbf6eee274c3f3366e77ba3503ad7" or
        hash.sha256(0, filesize) == "b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2" or
        hash.sha256(0, filesize) == "b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007" or
        hash.sha256(0, filesize) == "ebb73dbb5aac1f6fe1a88e8f26126a1e1aa34c9f3345ad4345189b40d9bf1d1d" or
        hash.sha256(0, filesize) == "f4e41aa269c88bf11a2022701a9cf41e9a186aa1b224d837c31bf34e0b875d0e" or
        // Any campaign host, repository path or C2 address, whether in a binary or in a script loader
        any of ($s1, $s2, $s3, $s5, $s7, $ip1, $ip2) or
        // Mach-O magic (thin little-endian, 32- or 64-bit, or fat/universal) replaces the original
        // uint16(0) == 0x5A4D, which is the Windows PE "MZ" header and cannot match a macOS binary.
        // `$s1..$s19` is also not valid YARA set syntax; sets are written as ($a, $b) or ($s*).
        (
            (uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32be(0) == 0xCAFEBABE) and
            2 of ($s4, $s6, $s8, $s9, $s10, $s11, $s12, $s13, $s14, $s15, $s16, $s17, $s18, $s19)
        )
}
Rules are AI-generated and unvalidated. Test in a safe environment before production use.
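One way to test what the indicators in the rule above actually flag, before loading the rule into production, is to apply the same logic in a stdlib-only script. The following is an added example, not code from this page, the rule's author, or any AMOS write-up. It re-implements the corrected rule's intent: Mach-O magic instead of the PE "MZ" check, indicator strings matched as both ASCII and UTF-16LE (what YARA's `ascii wide` means), the six 32-byte IoCs compared against the file's SHA-256 (assumed to be sample hashes; a file never contains its own hash), and the two C2 addresses as plain strings. The sample inputs are constructed byte strings, not real malware.

```python
"""Triage file images against the AMOS indicators from the rule on this page.

Added example (not the page's or the rule author's code). Stdlib only, so it
runs where yara-python is not installed. It mirrors the corrected rule:
known SHA-256 -> match; one campaign host/path/C2 address -> match;
two weak strings inside a Mach-O image -> match; anything else -> no match.
"""
import hashlib

# High-confidence indicators copied from the rule: campaign-specific staging
# hosts, the repository path and the two C2 addresses. One hit is enough.
INFRA = [
    "download.setup-service.com", "install.app-distribution.net",
    "openclawcli.vercel.app", "laosji.net", "Ddoy233/openclawcli",
    "2.26.75.16", "91.92.242.30",
]
# Weak indicators: public paste sites, hostname fragments and generic
# behaviour strings. Two are required, and only in a Mach-O image.
WEAK = [
    "glot.io", "rentry.co", "setup-service", "app-distribution",
    "C2 beacon initialized", "fetch_config", "execute_payload",
    "bypass_antivirus", "inject_affiliate", "front_running_enabled",
    "paste-site redirect", "dynamic_payload_url",
    "clawhub_marketplace_token", "VT_scan_bypass",
]
# The rule's $h1..$h6 byte sequences, read as SHA-256 hex digests (assumption).
KNOWN_SHA256 = {
    "818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7",
    "881ce5cb124c4d2e814783724cc1388f6a1cbf6eee274c3f3366e77ba3503ad7",
    "b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2",
    "b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007",
    "ebb73dbb5aac1f6fe1a88e8f26126a1e1aa34c9f3345ad4345189b40d9bf1d1d",
    "f4e41aa269c88bf11a2022701a9cf41e9a186aa1b224d837c31bf34e0b875d0e",
}


def is_macho(data: bytes) -> bool:
    """True for a thin Mach-O (32- or 64-bit, either byte order) or a fat header."""
    if len(data) < 4:
        return False
    le = int.from_bytes(data[:4], "little")
    be = int.from_bytes(data[:4], "big")
    return le in (0xFEEDFACE, 0xFEEDFACF) or be in (0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE)


def find_indicators(data: bytes, needles) -> list:
    """Needles present either as ASCII or as UTF-16LE, like YARA `ascii wide`."""
    return [s for s in needles
            if s.encode("ascii") in data or s.encode("utf-16-le") in data]


def triage(data: bytes) -> dict:
    """Apply the corrected rule logic to one file image and report the evidence."""
    digest = hashlib.sha256(data).hexdigest()
    infra = find_indicators(data, INFRA)
    weak = find_indicators(data, WEAK)
    macho = is_macho(data)
    matched = digest in KNOWN_SHA256 or bool(infra) or (macho and len(weak) >= 2)
    return {"sha256": digest, "known_hash": digest in KNOWN_SHA256,
            "macho": macho, "infra": infra, "weak": weak, "match": matched}


# Constructed test images (not real malware):
# arm64 Mach-O header followed by a staging host stored as UTF-16LE
SAMPLE_MACHO_INFRA = (bytes.fromhex("cffaedfe0c000001") + b"\x00" * 24
                      + "download.setup-service.com".encode("utf-16-le"))
# fat/universal header with two weak strings and no infrastructure
SAMPLE_MACHO_WEAK = bytes.fromhex("cafebabe00000002") + b"fetch_config\0execute_payload\0"
# Windows PE image with the same weak strings: the original rule's MZ check
# sent this on to the string test; a macOS rule should not consider it at all
SAMPLE_PE_WEAK = b"MZ" + b"\x90" * 62 + b"fetch_config\0execute_payload\0"
# benign shell script that merely fetches from a paste site
SAMPLE_BENIGN = b"#!/bin/sh\ncurl -s https://rentry.co/raw/notes\n"

if __name__ == "__main__":
    for name, blob in [("macho+infra", SAMPLE_MACHO_INFRA), ("macho+weak", SAMPLE_MACHO_WEAK),
                       ("pe+weak", SAMPLE_PE_WEAK), ("benign", SAMPLE_BENIGN)]:
        r = triage(blob)
        print(f"{name:12s} match={r['match']} macho={r['macho']} infra={r['infra']} weak={r['weak']}")
```

Running it shows the two points the rewritten condition rests on: a single UTF-16 copy of a staging host is enough for a verdict, while the PE image carrying two "behavioural" strings is ignored because those strings only count inside a Mach-O file. To triage real files, read them with `open(path, "rb").read()` and pass the bytes to `triage()`.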

Source Articles