
Multi-Vector Infostealer Surge: ClickFix, PyPI Poisoning, and AI-Delivered AMOS

Security Arsenal Team
April 28, 2026

Threat Summary

Recent OTX pulses indicate a dangerous convergence of attack vectors aimed at harvesting credentials and sensitive data. Threat actors are aggressively deploying "ClickFix" social engineering tactics to trick users into executing malware via legitimate system tools, while simultaneously poisoning the software supply chain via compromised PyPI packages (Xinference). Furthermore, a novel campaign has emerged targeting developers by delivering the AMOS Stealer through AI agent sessions (Cursor). These campaigns collectively leverage infrastructure like Keitaro for traffic distribution and cloaking to evade detection, aiming to steal financial data, cloud credentials, and cryptocurrency wallets.

Threat Actor / Malware Profile

ClickFix Campaigns (Lumma, Vidar, Redline, Odyssey)

  • Distribution: Social engineering lures impersonating Intuit QuickBooks and Booking.com.
  • Behavior: Manipulates victims into running malicious commands in native tools (e.g., PowerShell, CMD).
  • Objective: Initial access leading to credential theft and banking fraud.

AMOS Stealer (AI Vector)

  • Distribution: Delivered via Cursor AI agent sessions (Claude Code) using social engineering prompts.
  • Payload: Heavily obfuscated AppleScript loaders.
  • Persistence: Establishes persistent implant; steals cryptocurrency and browser data.

Xinference / PyPI Supply Chain

  • Distribution: Malicious versions (2.6.0-2.6.2) of the Xinference AI framework.
  • Mechanism: Base64 encoded payloads in __init__.py execute on import/install.
  • Objective: Exfiltration of cloud environment credentials.

Keitaro TDS Abuse

  • Role: Traffic Distribution System (TDS) used for cloaking and redirecting victims to malware payloads (DonutLoader, RustyStealer, StealC).

IOC Analysis

The provided intelligence contains a mix of network and file-based indicators:

  • Domains: High volume of suspicious domains (e.g., ustazazharidrus.com, arkypc.com) associated with ClickFix and AMOS infrastructure. These should be blocked immediately at the perimeter.
  • IP Addresses: Specific C2 IPs (e.g., 45.94.47.204) linked to the AMOS stealer.
  • File Hashes: Multiple MD5 and SHA256 hashes corresponding to the malicious PyPI packages and AMOS loaders.
  • Operationalization: SOC teams should ingest these hashes into EDR solutions for quarantine and domains into DNS Firewall/SIG policies. The domains associated with Keitaro abuse indicate broad traffic distribution, necessitating wider net monitoring.

Detection Engineering

YAML
title: Potential ClickFix Social Engineering Activity
id: 8a3b2c1d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects suspicious command execution often associated with ClickFix campaigns where a browser or common office app spawns a shell to copy/paste or execute code.
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662a3e9b9f3e4b3c8d7e0f1a
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\edge.exe'
            - '\msedge.exe'
            - '\winword.exe'
            - '\excel.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
        CommandLine|contains:
            - 'clipboard'
            - 'copy'
            - 'iex'
            - 'Invoke-Expression'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: high
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1059.001
---
title: Suspicious Python Package Import with Base64 Payloads
id: 1b4c3d2e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects Python processes loading Base64 encoded strings or suspicious encoding functions indicative of supply chain malware like Xinference.
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662a3e9b9f3e4b3c8d7e0f1c
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\python.exe'
    selection_cli:
        CommandLine|contains:
            - 'base64'
            - 'b64decode'
            - '__init__.py'
            - '-c '
    condition: all of selection_*
falsepositives:
    - Legitimate developers using encoded config
level: medium
tags:
    - attack.initial_access
    - attack.t1195.002
---
title: MacOS AMOS Stealer via AI Agent Execution
id: 2c5d4e3f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects execution of AppleScript (osascript) spawned by development tools like Cursor or VSCode, a pattern associated with AMOS stealer delivery.
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662a3e9b9f3e4b3c8d7e0f1d
logsource:
    category: process_creation
    product: macos
detection:
    selection_parent:
        ParentImage|endswith:
            - '/Cursor'
            - '/Visual Studio Code'
            - '/Code Helper'
    selection_child:
        Image|endswith: '/osascript'
    condition: all of selection_*
falsepositives:
    - Legitimate developer automation scripts
level: high
tags:
    - attack.execution
    - attack.t1059.002
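To make the matching semantics of the ClickFix rule above explicit, here is an added Python evaluator (not part of the original advisory) that applies the same three-field selection to constructed process-creation events; the sample paths and command lines are invented fixtures, and the last one shows why a bare 'copy' term sits behind the rule's falsepositives entry.

```python
from dataclasses import dataclass

# Same values as the Sigma 'selection' block above (already lowercase)
BROWSER_OR_OFFICE = ("\\chrome.exe", "\\firefox.exe", "\\edge.exe", "\\msedge.exe",
                     "\\winword.exe", "\\excel.exe")
SHELLS = ("\\powershell.exe", "\\cmd.exe", "\\wscript.exe", "\\cscript.exe")
CLI_TERMS = ("clipboard", "copy", "iex", "invoke-expression")

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def matches_clickfix(ev: ProcEvent) -> bool:
    """Mirror of the rule's 'selection': all three field tests must hold.
    Sigma string modifiers are case-insensitive by default, hence the lowercasing."""
    parent, image, cli = ev.parent_image.lower(), ev.image.lower(), ev.command_line.lower()
    return (parent.endswith(BROWSER_OR_OFFICE)
            and image.endswith(SHELLS)
            and any(term in cli for term in CLI_TERMS))

def hunt(events):
    """Return the events the rule would alert on."""
    return [ev for ev in events if matches_clickfix(ev)]

# Constructed sample telemetry (not real log data)
SAMPLE_EVENTS = [
    # browser -> PowerShell evaluating clipboard contents: the ClickFix pattern
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -Command "Invoke-Expression (Get-Clipboard)"'),
    # same child and command line but spawned by explorer.exe: parent filter does not match
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -Command "Invoke-Expression (Get-Clipboard)"'),
    # Word spawning cmd without any listed term: no match
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # Word spawning cmd with 'copy' on the line: fires, which is the rule's false-positive surface
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c copy report.docx D:\\backup"),
]
```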


kql
// Hunt for ClickFix and AMOS related network activity
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("ustazazharidrus.com", "account-help.info", "quiptly.com", "mpasvw.com", "arkypc.com")
    or RemoteIP in ("45.94.47.204", "92.246.136.14")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IOCFamily = iif(RemoteUrl has "mpasvw" or RemoteIP == "45.94.47.204", "AMOS_Stealer", "ClickFix_Generic")

// Hunt for suspicious Python execution patterns related to PyPI compromise
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "python.exe"   // case-insensitive match; FileName casing varies across endpoints
| where ProcessCommandLine has "base64" or ProcessCommandLine has "b64decode"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName


powershell
# PowerShell IOC Hunt Script for Xinference and AMOS Hashes
$TargetHashes = @(
    "3ee893ae46530b92e0d26435fb979d82",
    "484067fd6232f7cdd7b664b33857fc2c",
    "971670c10eff28339a085ca50a600e35",
    "9b3257e45b27a6bbe4e240e41a3a306f",
    "c6ce4e25f7fe3e3bb1eea2e9052483bf",
    "e291734d46c313a23d676681499f8846",
    "312147c0ae0d555a4d50fa627ff7d4f3",
    "c54620dd3745fdeaff5ccc0db4132f11"
)

$DrivesToScan = @("C:\", "D:\")

Write-Host "Starting scan for known malicious file hashes..."

foreach ($Drive in $DrivesToScan) {
    if (Test-Path $Drive) {
        Write-Host "Scanning $Drive..."
        # -File skips directories; -LiteralPath stops '[' or '*' in file names being read as wildcards
        Get-ChildItem -LiteralPath $Drive -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($Hash -in $TargetHashes) {
                Write-Host "[ALERT] Malicious file found: $($_.FullName) (MD5: $Hash)" -ForegroundColor Red
            }
        }
    }
}

# Check Hosts file for ClickFix/Keitaro related domains
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$SuspiciousDomains = @("ustazazharidrus.com", "mpasvw.com", "arkypc.com", "yellowusheart.net")

if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $SuspiciousDomains) {
        # Escape the domain so '.' is matched literally instead of as a regex wildcard
        if ($HostsContent -match [regex]::Escape($Domain)) {
            Write-Host "[ALERT] Suspicious domain entry found in hosts file: $Domain" -ForegroundColor Red
        }
    }
}

Response Priorities

  • Immediate:
    • Block all listed domains and IP addresses at the firewall and proxy level.
    • Quarantine any systems matching the AMOS or PyPI file hashes.
    • Hunt for processes spawned by browsers that execute PowerShell or CMD (ClickFix behavior).
  • 24 Hours:
    • Identify and validate instances of the Xinference Python library; revert to versions prior to 2.6.0 or remove entirely.
    • If credential theft is suspected, force reset of passwords and tokens for cloud environments (AWS, Azure, GCP) used by development teams.
  • 1 Week:
    • Review and restrict the use of AI coding agents (e.g., Cursor) in untrusted environments; implement strict output review policies.
    • Enhance supply chain security by requiring signed packages and validating PyPI repository integrity in CI/CD pipelines.
    • Update awareness training to include "ClickFix" scenarios where users are asked to copy/paste code into terminal windows.
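For the Xinference mechanism described under Threat Actor / Malware Profile (Base64 payloads in __init__.py executed on import) and the 24-hour step of validating installed instances, the following added Python script (not the advisory's or the Xinference project's code) reports whether the installed xinference version is in the 2.6.0-2.6.2 range and statically flags base64-decode-to-exec chains in a package __init__.py; the SAMPLE_INIT text and the function names are constructed for this example.

```python
import ast
from importlib import metadata

AFFECTED = {"2.6.0", "2.6.1", "2.6.2"}  # poisoned versions named in the advisory
DECODERS = {"b64decode", "standard_b64decode", "urlsafe_b64decode"}
SINKS = {"exec", "eval"}

def _calls_decoder(node: ast.AST) -> bool:
    """True if any call under node is base64.<decoder>(...) or a bare <decoder>(...)."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            fn = sub.func
            if (fn.attr if isinstance(fn, ast.Attribute) else getattr(fn, "id", None)) in DECODERS:
                return True
    return False

def find_b64_exec(source: str) -> list[int]:
    """Line numbers of exec()/eval() calls fed by a base64 decoder, directly or via a name."""
    tree = ast.parse(source)
    decoded = set()
    for node in ast.walk(tree):  # pass 1: names bound to decoded data anywhere in the module
        if isinstance(node, ast.Assign) and _calls_decoder(node.value):
            decoded |= {t.id for t in node.targets if isinstance(t, ast.Name)}
    hits = []
    for node in ast.walk(tree):  # pass 2: sinks that consume it
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) in SINKS and node.args:
            arg = node.args[0]
            if _calls_decoder(arg) or (isinstance(arg, ast.Name) and arg.id in decoded):
                hits.append(node.lineno)
    return sorted(hits)

def check_installed(dist: str = "xinference") -> dict:
    """Version check plus a scan of <dist>/__init__.py for an installed distribution."""
    try:
        version = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return {"version": None, "affected": False, "hits": []}
    hits = []
    for f in metadata.files(dist) or []:
        if f.parts[-2:] == (dist, "__init__.py"):
            hits = find_b64_exec(f.read_text())
    return {"version": version, "affected": version in AFFECTED, "hits": hits}

# Constructed __init__.py text, not the real package; the first literal decodes to print('hi')
SAMPLE_INIT = (
    "import base64\n"
    "_p = base64.b64decode('cHJpbnQoJ2hpJyk=')\n"
    "exec(_p)\n"
    "LABEL = base64.b64decode('Mi42LjA=').decode()  # decode without a sink: not flagged\n"
)
```

The scanner only parses source and never executes it, so it is safe to point at a quarantined copy of a suspect package; a non-empty hits list on a version in AFFECTED is grounds for immediate removal and credential rotation.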
