The current AMOS version is capable of infecting both Intel-based and ARM-based Macs.
It contained only two repositories, or repos, named 2132 and 22.
However, no malware has been submitted to the 22 repo since early February 2024.
DocCloud.exe accessed a FileZilla file transfer protocol (FTP) server at IP address 193.149.189[.]199 using hardcoded credentials (username: ins; password: installer).
The payload retrieved over FTP was then executed by passing it as an argument to pythonw.exe.
The same process chain was used for multiple further executions, which resulted in the Lumma and Vidar infostealers being dropped.
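The chain described above (a dropper opening a plaintext FTP session with hardcoded credentials, then launching pythonw.exe on the fetched script) leaves two observable events that a defender can correlate: an outbound port-21 connection from an unexpected image, followed by pythonw.exe spawned by that same image. The following detection sketch is an added example, not code from the article or from any vendor; the event schema, the allowlist of expected pythonw.exe parents, the staging-directory list and the sample events are all assumptions, and the only value taken from the article is the defanged server IP.

```python
"""Correlate plaintext-FTP connections with pythonw.exe launches.

Added example (not from the article). The event schema mimics a generic
EDR process-creation / network-connection feed; tune the allowlists to
your environment.
"""

# Server address from the article (written there as 193.149.189[.]199).
KNOWN_FTP_C2 = {"193.149.189.199"}

# Parents from which pythonw.exe is expected on a developer workstation.
# Assumed allowlist, not a vendor recommendation.
EXPECTED_PYTHONW_PARENTS = {
    "code.exe", "pycharm64.exe", "explorer.exe", "cmd.exe", "powershell.exe",
}

# Directories from which a script handed to pythonw.exe is suspicious
# (compared case-insensitively against the command line).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\programdata\\")


def basename(path):
    """Return the lower-cased final path component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Walk events in time order and return a list of findings.

    Two rules:
      plaintext_ftp      - any image opening TCP/21; 'high' if the peer is a
                           known server, otherwise 'medium'.
      suspicious_pythonw - pythonw.exe with an unexpected parent, a script in a
                           staging directory, or a parent that earlier used FTP.
    """
    findings = []
    ftp_sources = set()  # images that have already opened a port-21 connection

    for ev in events:
        if ev["type"] == "network" and ev.get("dst_port") == 21:
            image = basename(ev["image"])
            ftp_sources.add(image)
            findings.append({
                "rule": "plaintext_ftp",
                "severity": "high" if ev["dst_ip"] in KNOWN_FTP_C2 else "medium",
                "image": image,
                "dst": f"{ev['dst_ip']}:{ev['dst_port']}",
            })

        elif ev["type"] == "process" and basename(ev["image"]) == "pythonw.exe":
            parent = basename(ev["parent"])
            cmdline = ev["cmdline"].lower()
            reasons = []
            if parent not in EXPECTED_PYTHONW_PARENTS:
                reasons.append(f"unexpected parent {parent}")
            if any(d in cmdline for d in STAGING_DIRS):
                reasons.append("script located in a staging directory")
            if parent in ftp_sources:
                reasons.append("parent previously used plaintext FTP")
            if reasons:
                findings.append({
                    "rule": "suspicious_pythonw",
                    "severity": "high" if parent in ftp_sources else "medium",
                    "parent": parent,
                    "cmdline": ev["cmdline"],
                    "reasons": reasons,
                })
    return findings


# Constructed sample events (not real telemetry), in the order the chain
# would appear on an infected host.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Users\\u\\Downloads\\DocCloud.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "DocCloud.exe"},
    {"type": "network", "image": "C:\\Users\\u\\Downloads\\DocCloud.exe",
     "dst_ip": "193.149.189.199", "dst_port": 21},
    {"type": "process", "image": "C:\\Python312\\pythonw.exe",
     "parent": "C:\\Users\\u\\Downloads\\DocCloud.exe",
     "cmdline": "pythonw.exe C:\\Users\\u\\AppData\\Local\\Temp\\payload.py"},
    {"type": "process", "image": "C:\\Python312\\pythonw.exe",
     "parent": "C:\\Program Files\\VSCode\\code.exe",
     "cmdline": "pythonw.exe C:\\proj\\app.py"},
    {"type": "network", "image": "C:\\Program Files\\Chrome\\chrome.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    {"type": "process", "image": "C:\\Python312\\pythonw.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "pythonw.exe C:\\Users\\u\\Downloads\\tool.py"},
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the benign pythonw.exe launch from the IDE produces nothing, the launch from Downloads is rated medium on the staging-directory rule alone, and the launch whose parent had just opened the FTP session is rated high. The correlation key is deliberately the parent image name rather than a PID, so the rule still fires if the dropper is relaunched under a different process id between the two events.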
source: www.techworm.net