{"id":104247,"date":"2026-03-26T05:18:47","date_gmt":"2026-03-26T12:18:47","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=104247"},"modified":"2026-03-26T06:44:31","modified_gmt":"2026-03-26T13:44:31","slug":"osx-amos-hunting-c2s-in-trojanized-electron-asar-payloads","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/osx-amos-hunting-c2s-in-trojanized-electron-asar-payloads\/","title":{"rendered":"OSX\/Amos: Hunting C2s in Trojanized Electron ASAR Payloads"},"content":{"rendered":"

\"Finder-style<\/p>\n

Executive Summary<\/h2>\n

In March 2026, Intego Antivirus Labs investigated a macOS malware campaign delivering the OSX\/Amos<\/strong> stealer. During analysis, the infection chain led from stripped Mach-O binaries and heavily obfuscated shell scripts to an unusual final payload that appeared to be \u201cdata\u201d rather than a standard executable.<\/p>\n

That payload turned out to be an Electron ASAR (Atom Shell Archive)<\/strong> \u2014 a growing trend in macOS threats. Instead of shipping compiled binaries, attackers increasingly trojanize legitimate cross-platform Electron applications<\/strong> by replacing the core ASAR archive with a weaponized version that contains malicious logic.<\/p>\n

In this case, the trojanized app masqueraded as Ledger Live. It combined a TLS validation bypass<\/strong> with a convincing phishing overlay designed to capture cryptocurrency wallet Secret Recovery Phrases<\/strong> and exfiltrate them to attacker infrastructure.<\/p>\n

This write-up walks through a practical triage workflow to identify an ASAR payload, unpack it, locate the execution entry point, and extract actionable C2 infrastructure<\/strong>.<\/p>\n

Identifying the ASAR archive<\/h2>\n

When a suspicious file doesn\u2019t present obvious magic headers, the fastest path forward is reading raw bytes. A quick hexdump revealed an Electron ASAR signature:<\/p>\n

hexdump -C -n 100 payload_file<\/p>\n

The key signal is a 16-byte header followed immediately by a JSON structure beginning with {“files”:{…}. That combination is an unmistakable ASAR fingerprint.<\/p>\n

Electron apps package internal source code (JavaScript\/HTML\/CSS) and assets into ASAR archives. The JSON block acts as a file allocation table mapping the virtual directory structure, followed by the raw bytes of each bundled file.<\/p>\n

Why this matters:<\/strong> If the payload is an ASAR, you\u2019re likely looking at the core logic<\/i> of a trojanized Electron application \u2014 including the code responsible for credential theft, UI overlays, and outbound network communication.<\/p>\n

Extracting the payload<\/h2>\n

To analyze the JavaScript logic, the ASAR must be unpacked. In many analysis environments, npx asar extract isn\u2019t available, so it helps to have a second option.<\/p>\n

Option A: Standard Node.js tooling (when available)<\/h3>\n

npx asar extract app.asar unpacked_asar<\/p>\n

Option B: Python-based extraction (fast fallback on macOS)<\/h3>\n

If you have Python available, you can use the asar module to extract the archive.<\/p>\n

Note: In clean lab environments, the exact install and invocation method may differ. The key goal is simply: extract the ASAR into a directory you can inspect.<\/strong><\/div>\n

Once extracted, you should end up with a directory that resembles a Node\/Electron project (including package.json and bundled Webpack output).<\/p>\n

Finding the entry point<\/h2>\n

In an unpacked Electron app, the first stop is package.json. This file acts as the roadmap and dictates which code executes first.<\/p>\n

cat unpacked_asar\/package.json<\/p>\n

The critical field is:<\/p>\n

    \n
  • main: the application\u2019s entry point (for example: .\/.webpack\/main.bundle.js)<\/li>\n<\/ul>\n

    This tells you exactly where to start hunting for injected logic.<\/p>\n

    Hunting the injection<\/h2>\n

    In trojanized Electron bundles, threat actors often:<\/p>\n

      \n
    • inject logic at the top<\/strong> before the legitimate app bootstraps, or<\/li>\n
    • append an obfuscated block at the bottom<\/strong> (commonly via eval() patterns)<\/li>\n<\/ul>\n

      In this sample, inspecting the start of the main bundle exposed the core compromise:<\/p>\n

      head -c 1000 unpacked_asar\/.webpack\/main.bundle.js<\/p>\n

      The \u201csmoking gun\u201d was the presence of an explicit TLS validation bypass:<\/p>\n

        \n
      • Electron command-line switch to ignore certificate errors<\/li>\n
      • NODE_TLS_REJECT_UNAUTHORIZED = ‘0’<\/li>\n<\/ul>\n

        There is no legitimate reason for a production cryptocurrency wallet application to globally disable TLS certificate validation.<\/p>\n

        Why attackers do this<\/h3>\n

        Stealer operators often rely on cheap, fast-changing infrastructure (expired, mismatched, or self-signed certificates). Without a TLS bypass, background exfiltration requests can throw certificate validation errors, crash the app, or create visible breakage that alerts the victim.<\/p>\n

        This makes the bypass a practical \u201creliability layer\u201d for malicious traffic \u2014 and a useful detection clue for defenders.<\/p>\n

        Uncovering the phishing overlay and C2<\/h2>\n

        Once the TLS bypass is identified, the next step is determining:<\/p>\n

          \n
        1. what data is being collected, and<\/li>\n
        2. where it\u2019s being sent<\/li>\n<\/ol>\n

          In this case, the .webpack\/ directory contained suspicious overlay HTML files such as:<\/p>\n

            \n
          • recovery-step-1.html<\/li>\n
          • recovery-step-2.html<\/li>\n
          • recovery-step-3.html<\/li>\n<\/ul>\n

            These files hijack the UI and prompt the user to \u201cverify\u201d their 12- or 24-word Secret Recovery Phrase.<\/p>\n

            Finding the exfiltration destination<\/h3>\n

            To locate the drop zone, focus on data-sending primitives in the overlay files (fetch, XMLHttpRequest, submit, action=).<\/p>\n

            grep -E -i -o ‘.{0,40}(action=|fetch\\(|XMLHttpRequest|submit).{0,40}’ \\<\/p>\n

            unpacked_asar\/.webpack\/recovery-step-*.html<\/p>\n

            Then extract URLs from the specific file(s) of interest and filter out known legitimate namespaces.<\/p>\n

            This workflow revealed the C2 endpoint used as the exfiltration drop zone:<\/p>\n

              \n
            • https:\/\/main.mon2gate.net\/modules\/wallets<\/li>\n<\/ul>\n

              When the victim submits the final recovery step, the overlay sends the seed phrase to attacker infrastructure \u2014 and it succeeds silently because the TLS bypass prevents certificate failures from blocking the request.<\/p>\n

              The evolving stealer ecosystem<\/h2>\n

              This isn\u2019t an isolated technique \u2014 it reflects a maturing macOS Malware-as-a-Service ecosystem. Trojanizing wallet applications by:<\/p>\n

                \n
              • disabling TLS validation, and<\/li>\n
              • injecting phishing overlays into Electron ASAR bundles<\/li>\n<\/ul>\n

                has become a repeatable playbook across multiple stealer families.<\/p>\n

                Attackers are also diversifying distribution. Beyond fake updates and cracked installers, recent campaigns have included novel delivery mechanisms designed to trick users \u2014 and in some cases, automated tools \u2014 into running the initial downloader.<\/p>\n

                Detection takeaways<\/h2>\n

                Even without full reverse engineering, defenders can quickly identify high-signal indicators in trojanized Electron apps:<\/p>\n

                  \n
                • ASAR payloads<\/strong> where a suspicious \u201cdata\u201d file reveals {“files”:{…} structure<\/li>\n
                • package.json entry points that route into unusually modified Webpack bundles<\/li>\n
                • Global TLS bypass indicators (certificate ignore flags, NODE_TLS_REJECT_UNAUTHORIZED)<\/li>\n
                • Presence of overlay-style HTML pages prompting for secrets (seed phrases, credentials)<\/li>\n
                • Outbound requests to non-vendor domains from overlay UI code (especially fetch() destinations)<\/li>\n<\/ul>\n

                  Indicators of Compromise<\/h2>\n

                  File indicators<\/h3>\n\n\n\n\n
                  Name<\/strong><\/td>\nSHA-256<\/strong><\/td>\nContext<\/strong><\/td>\n<\/tr>\n
                  ASAR payload<\/td>\neeb14ff7262367f8911
                  \n68268ca8d64a306968e57
                  \n9be1136cbd7a481076
                  \n98f405<\/td>\n                  		Trojanized Ledger Live app.asar containing overlay + TLS bypass<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

                  Network and infrastructure<\/h3>\n\n\n\n\n\n\n
                  Type<\/strong><\/td>\nIndicator<\/strong><\/td>\nContext<\/strong><\/td>\n<\/tr>\n
                  C2 endpoint<\/td>\nhttps:\/\/main.mon2gate.net\/
                  \nmodules\/wallets<\/td>\n                  		Exfiltration drop zone for stolen Secret Recovery Phrases<\/td>\n<\/tr>\n
                  Filesystem<\/td>\n.webpack\/recovery-step-*.html<\/td>\nPhishing overlay HTML injected into the application bundle<\/td>\n<\/tr>\n
                  VT collection<\/td>\nhttps:\/\/www.virustotal.com\/
                  \ngui\/collection\/fcdb78d87
                  \nf1e094d4d4a6dacaa70
                  \n38f3274291448704e
                  \n7913c390d6492002
                  \n11e\/summary<\/td>\n                  		Curated indicators and artifacts<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

                  What to know and what to do<\/h2>\n

                  Trojanized Electron apps are a reminder that macOS malware analysis increasingly requires web-application triage techniques \u2014 not only executable reversing. Being able to unpack ASAR archives, trace package.json entry points, and spot environment manipulations like TLS bypasses is key to extracting actionable IOCs quickly.<\/p>\n

                  For responders, the highest-value workflow is often: identify ASAR \u2192 unpack \u2192 find entry point \u2192 hunt injected logic \u2192 extract C2 from overlay\/exfil code<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"

                  Executive Summary In March 2026, Intego Antivirus Labs investigated a macOS malware campaign delivering the OSX\/Amos stealer. During analysis, the infection chain led from stripped Mach-O binaries and heavily obfuscated shell scripts to an unusual final payload that appeared to be \u201cdata\u201d rather than a standard executable. That payload turned out to be an Electron […]<\/p>\n","protected":false},"author":115,"featured_media":104248,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n