Malware
AMOS
Also known as: Atomic macOS Stealer
Indicators of Compromise (15)

Domain: download.setup-service.com
Domain: glot.io
Domain: install.app-distribution.net
Domain: laosji.net
Domain: openclawcli.vercel.app
Domain: rentry.co
GitHub Repo: Ddoy233/openclawcli
SHA-256: 818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7
SHA-256: 881ce5cb124c4d2e814783724cc1388f6a1cbf6eee274c3f3366e77ba3503ad7
SHA-256: b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2
SHA-256: b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007
SHA-256: ebb73dbb5aac1f6fe1a88e8f26126a1e1aa34c9f3345ad4345189b40d9bf1d1d
SHA-256: f4e41aa269c88bf11a2022701a9cf41e9a186aa1b224d837c31bf34e0b875d0e
IP: 2.26.75.16
IP: 91.92.242.30

MITRE ATT&CK TTPs (5)
YARA Detection Rules
AMOS_YARA_Detection
import "hash"

rule AMOS_Detection
{
    meta:
        description = "Detects AMOS malware distributed via OpenClaw's ClawHub platform, associated with AI supply chain attacks, infostealer delivery, and C2 communication"
        author = "AI Generated"

    strings:
        // Delivery and C2 infrastructure listed in the IoC set above. Note that
        // $s4, $s6, $s8 and $s9 are generic hostnames/fragments that occur in
        // benign files, so the condition below scopes string matches to Mach-O binaries.
        $s1 = "download.setup-service.com" ascii wide
        $s2 = "install.app-distribution.net" ascii wide
        $s3 = "openclawcli.vercel.app" ascii wide
        $s4 = "glot.io" ascii wide
        $s5 = "laosji.net" ascii wide
        $s6 = "rentry.co" ascii wide
        $s7 = "Ddoy233/openclawcli" ascii wide
        $s8 = "setup-service" ascii wide
        $s9 = "app-distribution" ascii wide
        $s10 = "C2 beacon initialized" ascii wide
        $s11 = "fetch_config" ascii wide
        $s12 = "execute_payload" ascii wide
        $s13 = "bypass_antivirus" ascii wide
        $s14 = "inject_affiliate" ascii wide
        $s15 = "front_running_enabled" ascii wide
        $s16 = "paste-site redirect" ascii wide
        $s17 = "dynamic_payload_url" ascii wide
        $s18 = "clawhub_marketplace_token" ascii wide
        $s19 = "VT_scan_bypass" ascii wide
        // C2 IP addresses as plain strings: YARA has no ipaddr() function.
        $ip1 = "2.26.75.16" ascii wide
        $ip2 = "91.92.242.30" ascii wide

    condition:
        // A known sample hash is a definitive match on its own. The file's SHA-256 is
        // computed with the hash module; searching for the hash bytes as a hex pattern
        // (as the original rule did) never matches, since a file does not contain its own hash.
        hash.sha256(0, filesize) == "818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7" or
        hash.sha256(0, filesize) == "881ce5cb124c4d2e814783724cc1388f6a1cbf6eee274c3f3366e77ba3503ad7" or
        hash.sha256(0, filesize) == "b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2" or
        hash.sha256(0, filesize) == "b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007" or
        hash.sha256(0, filesize) == "ebb73dbb5aac1f6fe1a88e8f26126a1e1aa34c9f3345ad4345189b40d9bf1d1d" or
        hash.sha256(0, filesize) == "f4e41aa269c88bf11a2022701a9cf41e9a186aa1b224d837c31bf34e0b875d0e" or
        (
            // AMOS is macOS malware, so require a Mach-O header (32/64-bit, either byte
            // order) or a fat/universal binary header. The original rule checked for the
            // Windows PE "MZ" marker (uint16(0) == 0x5A4D), which a Mach-O file never has.
            (
                uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF or
                uint32(0) == 0xCEFAEDFE or uint32(0) == 0xCFFAEDFE or
                uint32be(0) == 0xCAFEBABE
            )
            and (any of ($s*) or any of ($ip*))
        )
}

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.