Fake Empire Podcast Invites Target Crypto Industry with macOS AMOS Stealer
Hackers are posing as Empire podcast hosts, tricking crypto influencers and developers with fake interview invites to deliver macOS AMOS Stealer malware.
A new phishing campaign is targeting developers and influencers in the crypto industry with fake interview requests that impersonate a popular Web3 podcast. The attackers pose as the podcast's hosts and lure victims to websites mimicking platforms such as Streamyard and Huddle, which distribute AMOS Stealer malware targeting macOS devices.
The latest scam surfaced only weeks after another scheme, reported in August 2025, where fraudsters posed as CoinMarketCap journalists to target crypto executives in a spear-phishing campaign.
**A fake podcast, real consequences**
José A. Gómez Ledesma, a threat intelligence analyst from Quetzal Team, originally identified a phishing campaign targeting influencers and developers in the crypto industry.
The attackers impersonate hosts and producers of the popular Empire podcast, approaching victims via social media DMs under the pretext of interviewing them about recent projects and market forecasts. Once the victim engages, they propose holding the interview on Streamyard or Huddle and share a link to a phishing site that mimics the chosen platform.
When the victim visits the site, it displays an error saying that something went wrong (either the browser is incompatible or the page cannot connect to the platform) and that a desktop client must be downloaded and installed. A DMG (a macOS disk image, the usual container for distributing Mac applications) is then served, posing as either the Huddle or the StreamYard client.
A fake Streamyard DMG Installer for Mac
**The Setup**
By installing the contents of the DMG, victims actually infect themselves with AMOS (Atomic macOS) Stealer, an actively distributed infostealer that has previously been seen posing as popular apps such as DeepSeek.
The infection chain is fairly elaborate. The DMG's installer invokes a Bash script whose payload is heavily obfuscated with Base64: the script Base64-decodes the payload, XORs the result via Perl, Base64-decodes it once more, and executes the AppleScript that emerges.
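Peeling those three layers by hand is tedious, and analysts often do not have the XOR key to hand when the Perl stage is itself mangled. The following added example (written for this page, not the campaign's own loader) builds a loader with the same Base64 -> XOR -> Base64 layering and then recovers the AppleScript without being told the key: the middle layer must decode into the Base64 alphabet, which narrows each key byte to a handful of candidates, and the final layer must decode into readable AppleScript. The key `k3y`, the `build_loader` shape, the `<xor stage>` placeholder for the Perl one-liner and the `APPLESCRIPT` stand-in are all assumptions; the page does not reproduce the real loader.

```python
"""Peel the Base64 -> XOR (Perl) -> Base64 layering described above.

Added example for this page, not the campaign's own loader. The sample loader
is constructed here; the XOR key, its length and the exact shape of the Perl
stage are assumptions, because the page does not reproduce the real one-liner.
"""
import base64
import itertools
import re
import string

# Bytes a valid (unwrapped) Base64 text may contain; the middle XOR layer must
# decode into exactly this alphabet, which is what lets us recover the key.
B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())

# Constructed stand-in for the final AppleScript stage (hidden dot-file runner).
APPLESCRIPT = (
    'set vol to "/Volumes/Streamyard/"\n'
    'set bin to quoted form of (vol & ".Streamyard")\n'
    'do shell script "chmod +x " & bin & " && " & bin\n'
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the transform the Perl stage applies."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_loader(applescript: str, key: bytes) -> str:
    """Build a loader with the assumed layering: b64(xor(b64(script), key))."""
    inner = base64.b64encode(applescript.encode())
    outer = base64.b64encode(xor_bytes(inner, key)).decode()
    return (
        "#!/bin/bash\n"
        'P="' + outer + '"\n'
        'echo "$P" | base64 -d | perl -e "<xor stage>" | base64 -d | osascript\n'
    )


def extract_blob(loader: str) -> bytes:
    """Outer layer: take the longest Base64-looking literal and decode it."""
    blobs = re.findall(r"[A-Za-z0-9+/=]{40,}", loader)
    if not blobs:
        raise ValueError("no Base64 blob found in loader")
    return base64.b64decode(max(blobs, key=len))


def candidate_key_bytes(xored: bytes, key_len: int) -> list[list[int]]:
    """Per key position, every key byte that maps all observed bytes into the
    Base64 alphabet (a known-plaintext-alphabet attack on repeating-key XOR)."""
    cands = []
    for pos in range(key_len):
        column = set(xored[pos::key_len])
        fits = [k for k in range(256) if all((c ^ k) in B64_ALPHABET for c in column)]
        if not fits:
            raise ValueError(f"no key byte fits position {pos}")
        cands.append(fits)
    return cands


def looks_like_applescript(text: str) -> bool:
    """Final-stage sanity check: readable text carrying an AppleScript verb."""
    readable = all(ch.isprintable() or ch in "\t\n\r" for ch in text)
    return readable and ("do shell script" in text or "tell application" in text)


def recover_applescript(loader: str, max_key_len: int = 8, max_tries: int = 50_000) -> tuple[bytes, str]:
    """Unwrap all three layers without knowing the key. Returns (key, script)."""
    xored = extract_blob(loader)
    for key_len in range(1, max_key_len + 1):
        try:
            cands = candidate_key_bytes(xored, key_len)
        except ValueError:
            continue  # no key of this length keeps the middle layer in the alphabet
        for tries, key in enumerate(itertools.product(*cands)):
            if tries >= max_tries:
                break
            key = bytes(key)
            try:
                script = base64.b64decode(xor_bytes(xored, key), validate=True).decode("ascii")
            except ValueError:  # bad Base64 or non-ASCII output: wrong key
                continue
            if looks_like_applescript(script):
                return key, script
    raise ValueError("no key produced a readable AppleScript")


if __name__ == "__main__":
    sample = build_loader(APPLESCRIPT, b"k3y")
    found_key, found_script = recover_applescript(sample)
    print(f"key={found_key!r}\n{found_script}")
```

The alphabet constraint is what makes this practical: a wrong key byte almost always pushes some byte of the middle layer outside `A-Z a-z 0-9 + / =`, so each position is left with a few candidates and the product is small enough to brute-force. Real samples may wrap the inner Base64 with newlines; add `\n` to `B64_ALPHABET` and drop `validate=True` in that case.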
A fake Huddle DMG Installer for Mac
This AppleScript simply looks for a hidden binary named .Huddle or .Streamyard inside the mounted volume (note the leading period, which marks the file as hidden on Unix-like systems). That file is the AMOS Stealer sample itself.
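A hidden dot-file at the root of a mounted DMG is easy to miss in Finder but easy to find programmatically. The following added example (written for this page, not a tool from the report) walks a volume, identifies Mach-O files by their header magic rather than by name or extension, and flags any that sit behind a dot-prefixed path component. The sample volume layout, the file names under it and the twenty-architecture ceiling on fat headers are assumptions; real DMGs mount under /Volumes/<name>, and the hidden-file names the page reports are .Huddle and .Streamyard.

```python
"""Hunt for hidden Mach-O binaries on a mounted DMG, the drop pattern described above.

Added example for this page, not a tool from the report. The sample volume is
constructed in a temporary directory; real DMGs mount under /Volumes/<name>.
"""
import os
import struct
import tempfile

# Thin Mach-O magics as stored on disk (both byte orders, so PPC-era big-endian
# images are caught too): MH_MAGIC / MH_CIGAM and MH_MAGIC_64 / MH_CIGAM_64.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
}
# Fat/universal headers are always big-endian on disk.
FAT_MAGIC = b"\xca\xfe\xba\xbe"


def is_macho(path: str) -> bool:
    """True if the file starts with a Mach-O or fat header.
    Caveat: Java class files also start with CAFEBABE, so for fat headers we
    additionally require a small nfat_arch (big-endian uint32 at offset 4);
    class files carry a version number there, which is far larger."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    if len(head) < 8:
        return False
    if head[:4] in MACHO_MAGICS:
        return True
    if head[:4] == FAT_MAGIC:
        nfat = struct.unpack(">I", head[4:8])[0]
        return 0 < nfat <= 20  # assumed ceiling; real fat binaries have a handful
    return False


def find_machos(root: str) -> list[tuple[str, bool]]:
    """Walk a volume and return (relative path, hidden) for every Mach-O file.
    'hidden' means some path component below root starts with a dot."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not is_macho(full):
                continue
            rel = os.path.relpath(full, root)
            hidden = any(part.startswith(".") for part in rel.split(os.sep))
            hits.append((rel, hidden))
    return sorted(hits)


def hidden_machos(root: str) -> list[str]:
    """Just the suspicious ones: Mach-O files hiding behind a dot-prefixed path."""
    return [rel for rel, hidden in find_machos(root) if hidden]


def build_sample_volume(root: str) -> None:
    """Constructed layout mimicking the described DMG: a visible lure app bundle
    plus a hidden dot-file binary at the volume root. Headers only, no real code."""
    macos_dir = os.path.join(root, "Streamyard.app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    os.makedirs(os.path.join(root, ".cache"))
    with open(os.path.join(macos_dir, "Streamyard"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # visible x86_64/arm64 thin header
    with open(os.path.join(root, ".Streamyard"), "wb") as fh:
        fh.write(FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 24)  # hidden universal binary
    with open(os.path.join(root, ".DS_Store"), "wb") as fh:
        fh.write(b"\x00\x00\x00\x01Bud1" + b"\x00" * 24)  # hidden, but not Mach-O
    with open(os.path.join(root, ".cache", "Foo.class"), "wb") as fh:
        fh.write(FAT_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 24)  # Java class, not a fat binary


def demo() -> list[tuple[str, bool]]:
    """Build the sample volume in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        return find_machos(tmp)


if __name__ == "__main__":
    for rel, hidden in demo():
        print(("HIDDEN " if hidden else "       ") + rel)
```

On a real mount, `hidden_machos("/Volumes/Streamyard")` is the one-liner to run before anything is double-clicked; a dot-file Mach-O at the root of an "installer" image is exactly the pattern described in this section. Checking magic bytes rather than names matters because the hidden binary carries no `.app` bundle or extension to key on.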
**The Aftermath**
By becoming infected with AMOS (or with virtually any information-stealer), victims place their digital lives in the hands of organised criminals. From banking apps to gaming accounts, login artefacts such as credentials and cookies are sold to the highest bidder, often for a surprisingly low price.
Some old advice still holds true when browsing the internet: do not download everything you are offered, and be cautious when dealing with strangers. You could end up with an unpleasant surprise.
Malicious AppleScript loader
**IOCs and Summary**

Domains and URLs:
- streamyard.ai
- huddle01.com
- https://x.com/BillyBitcoins

File paths:
- Huddle.Iwv
- Streamyard.ZTz

SHA256:
- 69b859db7397a04bb1f1c2ff9d987686b5ce0c64ec8fc716c783ed6dd755e291
- c275252592228b51b3934a9b3932d269c2f9132caad5f51ae54216ec147a8834
- f7d138a4fa15215c4e747449f31b2b6b6726aed00a9cc9e3ec830df366c1437f
- af4ba47f760ae08bce49c7b7c16e9dcff7df7eff53f27abc0c2a1eee1cea6085
- 9665dac619c7d17a2fafd32f2df77f27dc39135d31235a748bd95ac137005e9b
- f7fe593806aa2b2486e2052c582b1b8423b2455bf9392fa42b1d2cb6d98ca897
**References**
Original Intelligence Pulse: https://otx.alienvault.com/pulse/68c99d5ca31f8adcc38d0637