A sophisticated malware campaign is currently targeting cryptocurrency enthusiasts on Reddit, offering fake "cracked" versions of the popular trading platform TradingView. The malicious actors are distributing two dangerous data stealers, AMOS for macOS users and Lumma Stealer for Windows users, through seemingly helpful posts on cryptocurrency trading subreddits.

The threat actors create legitimate-looking Reddit posts claiming to provide free lifetime access to premium TradingView features. These posts include download links for both Windows and macOS, directing users to a compromised website belonging to a Dubai cleaning company rather than to common file-sharing platforms.

Malwarebytes researchers noted that both malware variants are distributed in password-protected zip files, a common tactic used to evade security scanners. The password for unpacking these archives is consistently given as "github", which makes the offer look legitimate while keeping the archive contents away from automated scanning.

The scammers employ social engineering tactics by actively engaging with the Reddit community, responding to user questions and offering "helpful" advice when victims encounter security warnings, encouraging them to bypass these critical safeguards.

For Windows users, the payload is distributed via an obfuscated batch file named "Costs.tiff.bat" that executes a malicious AutoIt script. The researchers discovered that the macOS version delivers AMOS (Atomic Stealer), which contains anti-VM detection capabilities to evade analysis. The malware checks for virtual machine environments by reading the memory hardware profile and looking for hypervisor vendor strings, with code like:

    osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\"
    if memData contains \"QEMU\" or memData contains \"VMware\" then
        do shell script \"exit 42\"
    else
        do shell script \"exit 0\"
    end if"

Victims of these attacks have reported emptied cryptocurrency wallets, followed by account takeovers in which attackers impersonate them to spread phishing links to their contacts, creating a chain of compromises.

The researchers warn users to be suspicious of offers for free premium software, especially when they are instructed to disable security software or when the files are password-protected.

Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.
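Two of the details above translate directly into endpoint telemetry a defender can hunt for: an osascript invocation that runs system_profiler and compares the output against hypervisor vendor names, and a double-extension filename such as "Costs.tiff.bat" being handed to the command interpreter. The script below is an added example written for this article, not code from the article, from Malwarebytes or from the malware itself. It assumes process-execution events arrive as dictionaries with "host", "image" and "cmdline" keys (a constructed shape, not any particular EDR's schema), and it broadens the vendor list beyond the QEMU and VMware strings quoted above to cover VirtualBox and Parallels as well; the sample events are constructed for the demonstration.

```python
import re

# Hypervisor vendor strings an anti-VM probe typically compares against.
# QEMU and VMware are the two named in the article; the rest are an
# assumption that generalizes the same check.
VM_VENDOR_STRINGS = ("QEMU", "VMware", "VirtualBox", "Parallels")

# A benign-looking "decoy" extension immediately followed by an executable
# one, e.g. Costs.tiff.bat. The extension lists are assumptions for this example.
DECOY_EXTS = r"(?:tiff?|jpe?g|png|pdf|docx?|txt)"
EXEC_EXTS = r"(?:bat|cmd|exe|scr|vbs|js)"
DOUBLE_EXT_RE = re.compile(rf"[\w\-]+\.{DECOY_EXTS}\.{EXEC_EXTS}\b", re.IGNORECASE)

# Constructed sample process-execution events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "mac-01", "image": "/usr/bin/osascript",
     "cmdline": r'osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\" '
                r'if memData contains \"QEMU\" or memData contains \"VMware\" then '
                r'do shell script \"exit 42\" else do shell script \"exit 0\" end if"'},
    {"host": "mac-02", "image": "/usr/bin/osascript",
     "cmdline": r'osascript -e "display notification \"Build finished\""'},
    {"host": "win-01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\TradingView\Costs.tiff.bat"'},
    {"host": "win-02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\tools\backup.bat"'},
]


def is_osascript_vm_probe(cmdline: str) -> bool:
    """True when an osascript command line pulls a system_profiler data type
    and compares the result against a known hypervisor vendor string."""
    lowered = cmdline.lower()
    if "osascript" not in lowered or "system_profiler" not in lowered:
        return False
    # Any SP*DataType section (SPMemoryDataType in the article) counts.
    if not re.search(r"sp\w*datatype", lowered):
        return False
    return any(vendor.lower() in lowered for vendor in VM_VENDOR_STRINGS)


def find_double_extension(cmdline: str):
    """Return the first decoy-plus-executable double-extension filename
    in the command line, or None."""
    match = DOUBLE_EXT_RE.search(cmdline)
    return match.group(0) if match else None


def triage(events):
    """Run both rules over a list of events and return the findings."""
    findings = []
    for event in events:
        cmd = event.get("cmdline", "")
        if is_osascript_vm_probe(cmd):
            findings.append({"host": event["host"], "rule": "osascript_vm_probe",
                             "evidence": cmd[:80]})
        hit = find_double_extension(cmd)
        if hit:
            findings.append({"host": event["host"], "rule": "double_extension_executable",
                             "evidence": hit})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['rule']} ({finding['evidence']})")
```

Run against the constructed events, the script reports mac-01 for the anti-VM probe and win-01 for the double-extension batch file, and stays silent on the two benign lines. The osascript rule keys on the combination of system_profiler, an SP*DataType section and a vendor string rather than on any single token, which keeps ordinary AppleScript automation out of the alert queue.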
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 21 Mar 2025 08:45:16 +0000