AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers
ID: 9aa9b004-fee7-5013-b254-6c66ededc926
STIX ID: report--9aa9b004-fee7-5013-b254-6c66ededc926
Feed Name: CloudSEK Blog
A Clickfix malvertising campaign uses typo-squatted Spectrum-themed sites and fake Homebrew/GitHub assets to trick users into running a macOS install.sh. The script prompts for and validates the system password, saves the stolen credentials, removes quarantine attributes, and downloads an AMOS family stealer payload, which it sets up for persistence and executes. The report includes domains, URLs, and MD5 hashes, and notes Russian-language comments in the delivery pages that indicate likely Russian-speaking actors. It closes with recommended mitigations covering user training, macOS hardening, and threat hunting.
