Current OTX pulse data reveals a convergence of sophisticated initial access vectors aimed exclusively at harvesting credentials and session tokens. Threat actors are operationalizing "living-off-the-land" (LotL) techniques via the ClickFix campaign, exploiting trusted development pipelines in a PyPI supply chain attack, and abusing AI agent workflows (Cursor) to deliver AMOS Stealer. The common objective across these otherwise unrelated campaigns is the exfiltration of financial, crypto, and cloud development credentials.
Threat Summary
Over the last 5 days, AlienVault OTX has detected five distinct clusters of activity shifting focus from traditional phishing to technical exploitation of user trust and developer tools.
- ClickFix Clusters: Impersonating brands like Intuit and Booking.com, these campaigns trick users into running fraudulent "fix" commands via PowerShell or CMD, leading to Lumma Stealer, Vidar, and RedLine infections.
- Supply Chain (Xinference): A compromise of the XinferenceAI framework versions 2.6.0–2.6.2 on PyPI. The payload uses Base64 encoding within `__init__.py` to steal cloud credentials immediately upon import.
- AI Agent Abuse (AMOS Stealer): A novel social engineering attack targeting developers using Cursor AI. Attackers trick the AI into downloading and executing malicious AppleScript loaders, facilitating persistent credential theft on macOS.
- Infrastructure Abuse (Keitaro): Malicious actors are leveraging the Keitaro TDS (Traffic Direction System) to distribute DonutLoader, StealC, and RustyStealer via cloaked malvertising links.
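As an added illustration (not code from the pulse or from the Xinference project), the following Python scans a package's `__init__.py` for the import-time decode-and-exec pattern described above and checks a package name and version against the affected range; the sample sources it scans are constructed, and the decoder names and version set are assumptions drawn from the pulse text.

```python
# Added example (not from the OTX pulse or the Xinference project): statically
# flags a package __init__.py that decodes Base64 and feeds the result to
# exec()/eval() at import time, the pattern attributed to Xinference 2.6.0-2.6.2.
import ast
import base64
from typing import Iterator, List

AFFECTED_XINFERENCE = {"2.6.0", "2.6.1", "2.6.2"}  # versions named in the pulse
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode"}

def _import_time_nodes(tree: ast.Module) -> Iterator[ast.AST]:
    """Yield AST nodes that run on import: def/lambda bodies are skipped,
    class bodies are kept (decorators of skipped defs are ignored here)."""
    stack: List[ast.AST] = list(tree.body)
    while stack:
        node = stack.pop()
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        yield node
        stack.extend(ast.iter_child_nodes(node))

def _calls_decoder(node: ast.AST) -> bool:
    """True if any call under node is a base64-style decode, e.g. base64.b64decode(...)."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            func = sub.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in DECODERS:
                return True
    return False

def find_encoded_exec(source: str) -> List[int]:
    """Line numbers of import-time exec()/eval() calls whose argument decodes a blob."""
    hits = []
    for node in _import_time_nodes(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in {"exec", "eval"}
                and any(_calls_decoder(arg) for arg in node.args)):
            hits.append(node.lineno)
    return sorted(hits)

def is_affected_version(name: str, version: str) -> bool:
    return name.lower() == "xinference" and version in AFFECTED_XINFERENCE

# Constructed sample sources (not the real package); the "payload" is a harmless print.
_BLOB = base64.b64encode(b"print('constructed sample')").decode()
MALICIOUS_INIT = f"import base64\nfrom .core import Client\nexec(base64.b64decode({_BLOB!r}))\n"
BENIGN_INIT = "import base64\n\ndef load(blob):\n    return exec(base64.b64decode(blob))\n"
```

Run `find_encoded_exec` over each `__init__.py` under site-packages to triage installs; the benign sample shows that a decode-and-exec inside a function body is not flagged, since it does not run on import.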
Threat Actor / Malware Profile
| Malware / Actor | Distribution Vector | Payload Behavior & C2 | Persistence |
|---|---|---|---|
| ClickFix Clusters | Fake browser errors/popups prompting manual terminal commands. | Delivers Lumma, Vidar, RedLine. Uses LotL (powershell.exe) to bypass application control. C2 domains vary (e.g., ustazazharidrus.com). | Scheduled Tasks or Registry Run Keys. |
| GlassWorm | Compromised code repositories & package managers. | Targets developers. Fetches payloads via Solana blockchain to hide C2 traffic. Installs fake browser extensions for surveillance. | Browser Extension DLL hooking. |
| Xinference (PyPI) | Malicious Python Package (Xinference v2.6.0-2.6.2). | Base64 encoded code in __init__.py executes automatically. Exfiltrates cloud credentials (AWS/Azure/GCP). | N/A (Memory resident or script based). |
| AMOS Stealer | Cursor AI / Claude Code agent sessions (Social Engineering). | macOS malware. Heavily obfuscated AppleScript. Targets cryptocurrency wallets, browser cookies, and password managers. | LaunchAgents (plist files). |
IOC Analysis
- Domains: A mix of C2 infrastructure (e.g., `mpasvw.com` for AMOS) and phishing/landing pages (e.g., `cibcsecurity2fa.com` from Keitaro abuse). The ClickFix domains exhibit the high entropy often associated with auto-generated (DGA) names.
- File Hashes: The PyPI attack provides specific MD5 and SHA256 hashes for the compromised wheel files (`3ee893ae46530b92e0d26435fb979d82`, etc.). AMOS Stealer indicators include MD5s for the AppleScript loaders.
- IPs: Hardcoded C2 IPs such as `45.94.47.204` (AMOS) indicate active hosting infrastructure, likely VPSs that should be blocked immediately.
Detection Engineering
Sigma Rules
```yaml
title: Potential ClickFix Social Engineering Activity
description: Detects suspicious command line execution often triggered by ClickFix campaigns (copy-paste commands into terminal).
status: experimental
author: Security Arsenal
date: 2026/04/29
references:
    - https://otx.alienvault.com/pulse/660000000000000
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'copy'
            - 'ping'
            - 'curl'
            - 'wc.exe'
    condition: selection
falsepositives:
    - Legitimate admin tasks initiated from browser downloads
level: high
tags:
    - attack.initial_access
    - attack.t1566.001
```
```yaml
title: Suspicious Python Process Spawning Shell
id: 7f8b9e2a-1c3d-4e5f-9a6b-7c8d9e0f1a2b
description: Detects Python (common in supply chain attacks like Xinference) spawning cmd or powershell to execute code.
status: experimental
author: Security Arsenal
date: 2026/04/29
logsource:
    category: process_creation
    product: windows
detection:
    # The parent is matched on ParentImage; matching Image in both selections could never be true for one event.
    selection_parent:
        ParentImage|endswith: '\python.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate python development tools
level: medium
tags:
    - attack.execution
    - attack.t1059.001
```
```yaml
title: AMOS Stealer AppleScript Execution (macOS)
description: Detects execution of osascript with network connections or encoded content, associated with AMOS Stealer via Cursor AI.
status: experimental
author: Security Arsenal
date: 2026/04/29
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/usr/bin/osascript'
        CommandLine|contains:
            - '-e'
            - 'do shell script'
    condition: selection
falsepositives:
    - Administrative automation scripts
level: high
tags:
    - attack.execution
    - attack.t1059.002
```
KQL (Microsoft Sentinel)
```kql
// Hunt for ClickFix and Stealer Domains
let IOCs = dynamic(["ustazazharidrus.com", "account-help.info", "mpasvw.com", "arkypc.com", "ucaboodle.com", "cibcsecurity2fa.com"]);
DeviceNetworkEvents
// RemoteUrl may hold a full URL or hostname, so term-match the domain list rather than exact-match with `in`
| where RemoteUrl has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ActionType
| order by Timestamp desc
```

```kql
// Hunt for Malicious PyPI File Hashes (Xinference)
let FileHashes = dynamic(["3ee893ae46530b92e0d26435fb979d82", "484067fd6232f7cdd7b664b33857fc2c", "077d49fa708f498969d7cdffe701eb64675baaa4968ded9bd97a4936dd56c21c"]);
DeviceFileEvents
| where SHA256 in FileHashes or MD5 in FileHashes
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
```
PowerShell Hunt Script
```powershell
<#
Security Arsenal - IOC Hunt Script
Scans C: drive for specific file hashes associated with Xinference and AMOS loaders.
#>
# MD5 hashes from the pulse (Xinference wheel files and AMOS AppleScript loaders).
$TargetHashes = @(
    "3ee893ae46530b92e0d26435fb979d82",
    "484067fd6232f7cdd7b664b33857fc2c",
    "971670c10eff28339a085ca50a600e35",
    "9b3257e45b27a6bbe4e240e41a3a306f",
    "c6ce4e25f7fe3e3bb1eea2e9052483bf",
    "e291734d46c313a23d676681499f8846",
    "312147c0ae0d555a4d50fa627ff7d4f3",
    "c54620dd3745fdeaff5ccc0db4132f11"
)
Write-Host "[+] Starting scan for known malicious file hashes..." -ForegroundColor Cyan
# -File skips directories; zero-length files can never match and are skipped to save time.
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        # Get-FileHash returns $null for locked or unreadable files; $null never matches.
        # Its hex output is upper-case, but -in compares case-insensitively by default.
        $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($hash -in $TargetHashes) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            Write-Host "    - MD5: $hash" -ForegroundColor Red
        }
    }
Write-Host "[+] Scan complete." -ForegroundColor Green
```
# Response Priorities
* **Immediate:**
    * Block all listed domains and IPs (45.94.47.204, 92.246.136.14) at the perimeter and proxy.
    * Quarantine any systems matching the malicious file hashes (PyPI/AMOS).
* **24 Hours:**
    * Identify developers who may have installed `Xinference` versions 2.6.0–2.6.2 and rotate cloud API keys stored in their environment.
    * Investigate macOS endpoints running Cursor AI for signs of osascript execution.
* **1 Week:**
    * Implement strict allow-listing for AI coding assistants (Cursor) and review their network access permissions.
    * Enforce PyPI/package manager verification (checking signatures/hashes) in CI/CD pipelines.
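To support the macOS investigation step above, here is an added example (not code from the pulse or from any vendor): it parses LaunchAgent plists, the persistence mechanism the profile table attributes to AMOS, and flags jobs that run osascript, pass an inline `-e` script, or shell out with `do shell script`. The plists it checks are constructed placeholders, and the heuristics are assumptions based on the pulse's description rather than published AMOS signatures.

```python
# Added example (not from the OTX pulse): parses LaunchAgent plists and flags
# ones whose job runs osascript, an inline "-e" script or "do shell script",
# the persistence shape the pulse attributes to AMOS Stealer.
import plistlib
from typing import Dict, List

def launch_agent_argv(plist_bytes: bytes) -> List[str]:
    """Command vector the job would run: Program (if set) followed by ProgramArguments."""
    data = plistlib.loads(plist_bytes)
    argv = [str(a) for a in data.get("ProgramArguments", [])]
    program = data.get("Program")
    if program and (not argv or argv[0] != program):
        argv.insert(0, str(program))
    return argv

def assess_launch_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Return a verdict dict; 'reasons' lists every heuristic that fired."""
    data = plistlib.loads(plist_bytes)
    argv = launch_agent_argv(plist_bytes)
    reasons: List[str] = []
    if argv and argv[0].rsplit("/", 1)[-1] == "osascript":
        reasons.append("job runs osascript")
        if "-e" in argv[1:]:
            reasons.append("inline AppleScript via -e")
    if any("do shell script" in arg for arg in argv):
        reasons.append("AppleScript shells out (do shell script)")
    if reasons and data.get("RunAtLoad"):
        reasons.append("RunAtLoad: executes at every login")
    return {"label": data.get("Label"), "argv": argv,
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed plists for demonstration; labels and commands are placeholders, not AMOS indicators.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.example.constructed-updater",
    "ProgramArguments": ["/usr/bin/osascript", "-e", 'do shell script "echo constructed"'],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.constructed-backup",
    "Program": "/usr/bin/rsync",
    "ProgramArguments": ["/usr/bin/rsync", "-a", "/Users/me/src", "/Volumes/backup"],
    "StartInterval": 3600,
})
```

On a live endpoint, feed each file under `~/Library/LaunchAgents` and `/Library/LaunchAgents` to `assess_launch_agent` and review every result whose `suspicious` flag is set alongside the osascript process events from the Sigma rule above.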