So here we go again. The AMOS Mac malware is back in the game, and this time it’s wearing a new disguise. The sneaky psychos behind this attack have decided to impersonate Loom, the popular screen recording app with over 20 million users.
And guess what? They’re using Google Ads to pull in victims, making this operation look as legit as it gets. The plan? Get unsuspecting users to download a fake version of Loom from a phony website.
Images compare the original Loom site side by side with the malicious Loom site.
Researchers at Moonlock Lab report that this latest version is also cloning legitimate crypto wallet apps, like Ledger Live. Yup, the AMOS stealer is replacing these trusted apps with malicious clones.
Once on your Mac, it’s game over. Your crypto wallets, browser data, passwords—all up for grabs. The group behind this, possibly called “Crazy Evil,” seems well-organized and linked to Russian cybercriminal networks.
People would click on these ads, thinking they’re getting the real deal, and instead, they’d be redirected to some sketchy site called smokecoffeeshop[.]com.
From there, things got weirder. Victims would end up on a website that looks exactly like Loom’s, but it’s a trap. A click on the download button, and boom—your Mac is now infected with the new AMOS stealer.
This is a polished product on the black market. Renting it out could cost up to $3,000 a month. And why so expensive? Because this thing does it all. It steals files, nabs browser history, grabs credentials, empties your crypto wallets—the whole nine yards.
This is top-shelf malware, folks.
They’ve cloned other apps too—Figma, TunnelBlick (a VPN), Callzy, and even a bizarre case called BlackDesertPersonalContractforYouTubepartners[.]dmg.
Moonlock found some clues linking Crazy Evil to this campaign on the dark web. They stumbled upon a recruitment ad looking for people to join a team using—you guessed it—the AMOS stealer.
This ad even bragged about its ability to replace “Ledger” on macOS, confirming that the same AMOS version found in the wild was being pushed by these guys, impersonating Loom.
Further digging revealed an IP address tied to this mess—85[.]28[.]0[.]47. When Moonlock ran this IP through VirusTotal, a site that checks for malware, it flagged 93 files as malicious.
And get this—those files had connections to a Russian government entity. Coincidence? Maybe, but probably not. The IP’s Internet Service Provider (ISP) was listed as Gorodskaya elektronnaya svyaz Ltd, aka Gesnet[.]ru, a Russian company.
Gesnet seems to run a big network, but good luck finding any detailed info about them. The Russian ISP market is murky, to say the least, with strict laws that make transparency nearly impossible for outsiders.
For now, the best defense is a good offense. Stay vigilant, don’t click on shady ads, and for the love of crypto, keep an eye on your apps.