{ "Event": { "analysis": "1", "date": "2026-04-24", "extends_uuid": "", "info": "[Threat Intel] AMOS Stealer delivered via Cursor AI agent session", "protected": false, "publish_timestamp": "1779545701", "published": true, "threat_level_id": "3", "timestamp": "1779545700", "uuid": "4dd615ca-6514-4a8e-a2fe-c0df31b8a566", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Archive via Utility - T1560.001\"", "relationship_type": "" }, { "colour": "#7da4ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#89bea3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"AppleScript - T1059.002\"", "relationship_type": "" }, { "colour": "#68f2ff", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#867a84", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Launch Daemon - T1543.004\"", "relationship_type": "" }, { "colour": "#8ed4a7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"", "relationship_type": "" }, { "colour": "#9f6bd9", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"", "relationship_type": "" }, { "colour": "#cfba47", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"", "relationship_type": "" }, { "colour": "#62f4c1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"", "relationship_type": "" }, { "colour": "#c84641", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"GUI Input Capture - T1056.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Multi-hop Proxy - T1090.003\"", "relationship_type": "" }, { "colour": "#7628f7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#bb0652", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Domain Controller Authentication - T1556.001\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#14b0bf", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Logon Script (Windows) - T1037.001\"", "relationship_type": "" }, { "colour": "#b9e5c8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"NTDS - T1003.003\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#18005c", "local": false, "name": "rectifyq:topic=\"ai\"", "relationship_type": "" }, { "colour": "#680082", "local": false, "name": "ms-caro-malware:malware-platform=\"MacOS\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"AMOS\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-course-of-action=\"Execution Prevention - M1038\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-course-of-action=\"Filter Network Traffic - M1037\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777287611", "to_ids": false, "type": "link", "uuid": "3bdf92d3-5fb7-43df-928b-7df4c94483ce", "value": "https://fieldeffect.com/blog/field-effect-detects-amos-stealer-delivered-via-cursor-ai-agent-session", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1777287611", "to_ids": false, "type": "text", "uuid": "7c321428-77aa-443c-85b3-0c65aada0502", "value": "On April 23, 2026, Field Effect MDR identified AMOS Stealer malware delivered through a novel technique exploiting Cursor AI agent sessions running Claude Code. The attack employed social engineering to manipulate operators into prompting the AI agent to download and execute malicious AppleScript loaders. The heavily obfuscated scripts performed sandbox evasion checks, collected sensitive data including credentials, SSH keys, browser data, and cryptocurrency wallets, then exfiltrated compressed archives to remote servers within two minutes. The malware prompted users for local account credentials through fake macOS system dialogs, subsequently using elevated permissions to install persistent implants masquerading as legitimate system services. This delivery mechanism makes detection challenging as malicious commands blend with typical agentic coding behavior, representing an evolution in AMOS Stealer tactics beyond traditional SEO poisoning methods." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1777287611", "to_ids": false, "type": "text", "uuid": "b7e03116-ff00-423c-9704-9c81fad0118b", "value": "Name: AMOS Stealer delivered via Cursor AI agent session\nAuthor: AlienVault\nAdversary: \nTags: [\"cryptocurrency theft\", \"social engineering\", \"amos stealer\", \"ai agent exploitation\", \"cursor\", \"applescript\", \"credential harvesting\", \"persistent implant\"]\nTgtd countries: []\nMlwr families: [\"AMOS Stealer\"]\nAttack_ids: [\"T1560.001\", \"T1036.005\", \"T1204.002\", \"T1082\", \"T1059.002\", \"T1005\", \"T1543.004\", \"T1555.003\", \"T1016\", \"T1020\", \"T1057\", \"T1056.002\", \"T1090.003\", \"T1059.004\", \"T1027\", \"T1556.001\", \"T1071.001\", \"T1105\", \"T1037.001\", \"T1003.003\"]\nIndustries: []" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629469", "to_ids": true, "type": "ip-dst", "uuid": "2d514a96-0edd-4c6c-8a89-be13c27dc372", "value": "45.94.47.204", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629490", "to_ids": true, "type": "ip-dst", "uuid": "fcd8db5c-44d7-4db6-939e-15cce2008f15", "value": "92.246.136.14", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629512", "to_ids": true, "type": "domain", "uuid": "dbdb6ba6-30ef-46b4-97b8-c697aa6a874b", "value": "mpasvw.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629534", "to_ids": true, "type": "domain", "uuid": "6fab8259-0d9f-4f08-9b23-92e89fdc46c3", "value": "arkypc.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629555", "to_ids": true, "type": "url", "uuid": "531f5966-28d5-43ac-b426-9b983c107ff2", "value": "https://arkypc.com/n8n/update", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:01/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779545696", "to_ids": true, "type": "md5", "uuid": "54c1e029-b578-4b2b-8370-c73914ef4844", "value": "c54620dd3745fdeaff5ccc0db4132f11", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:01/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779545698", "to_ids": true, "type": "sha1", "uuid": "4023a5a6-5fd1-481a-9476-f2c6c4bb582b", "value": "df297141e4676b40c29739033468d58163280067", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:01/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779545700", "to_ids": true, "type": "sha256", "uuid": "865e745d-7c73-4862-aee0-17fd47c51e61", "value": "c11bfc200c363ef76ad40b717b5a850daf699f6fa64a26a8ecf7848711bdbd9c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629576", "to_ids": true, "type": "url", "uuid": "557119b7-f02a-4b38-a0e2-cc76015d685d", "value": "https://arkypc.com/curl/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629597", "to_ids": true, "type": "url", "uuid": "ae645404-4089-4412-888c-8af2ce8f6414", "value": "https://lakhov.com/contact", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629619", "to_ids": true, "type": "url", "uuid": "408cd2aa-e110-43dd-8d6b-dde5d3593879", "value": "https://ouilov.com/zxc/kito", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629640", "to_ids": true, "type": "domain", "uuid": "f0e074ca-62e8-49d4-bfdf-a04101706152", "value": "foto.gd", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629661", "to_ids": true, "type": "domain", "uuid": "008ede5d-85cd-4d8e-841e-9d0c1014b9f5", "value": "lakhov.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629682", "to_ids": true, "type": "domain", "uuid": "3ca4d178-0371-48cf-89e4-de105dadea6d", "value": "ouilov.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779545695", "uuid": "3b24203e-7733-40d4-b2c3-5f3f633d7f09", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779545694", "to_ids": true, "type": "md5", "uuid": "1b2af093-ae81-4803-992d-6e3afedf046b", "value": "312147c0ae0d555a4d50fa627ff7d4f3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779545694", "to_ids": true, "type": "sha1", "uuid": "09eb8e40-e699-452b-9f7a-0ef5f9380a25", "value": "62360ea3b0030238b31dcae402f94c9c73474154", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779545695", "to_ids": true, "type": "sha256", "uuid": "931ef52a-99a3-46dd-98f4-d96bc3da6486", "value": "8ef98fd781a6f1869657fc1acbc9b43a228a99e6fa5fe39c47cce8ab58066596", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777627353", "to_ids": true, "type": "ssdeep", "uuid": "a519e159-5f4a-4415-a572-1b7c6712ff3d", "value": "12288:9Q7lw8TMXVgb0dUPLsSte1I6etSDfSgahP8pD5PM7bzDaNghQbDg8TMXV0b0PaPk:2BsS40SjtaJ36uqnsS4SSHtqJXSuKB" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777627353", "to_ids": false, "type": "size-in-bytes", "uuid": "d9474b7b-528d-4c36-aed3-4766cbda76f9", "value": "1334504" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777627353", "to_ids": true, "type": "vhash", "uuid": "32376729-0833-4378-878e-91f1698bcb30", "value": "665a69e8e48c179cee77d972307bae2b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777627353", "to_ids": true, "type": "filename", "uuid": "27a4b70c-7b5a-41e7-8b1c-d7789e3ded75", "value": "helper" }, { "category": "Other", "comment": "Checked: 01/05/2026\nLast-scan\t: 28/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777627353", "to_ids": false, "type": "text", "uuid": "67fd949d-18c7-4c0c-988e-819428f993ff", "value": "Type Description: Mach-O\nMicrosoft: Trojan:MacOS/Multiverze!rfn\nVT Total Detection:13/63\nFirst Submission:2026-04-23T16:21:12.000000+00:00\nLast Submission:2026-04-23T16:21:12.000000+00:00" } ] } ] } }