Cybersecurity researchers have recently uncovered a colossal info-stealer malware operation attributed to the infamous "Marko Polo" hacker group. This widespread campaign involves thirty distinct operations, targeting a diverse array of demographics and system platforms.
The Scope of the Threat
The Marko Polo operatives have leveraged numerous distribution channels, including malvertising, spearphishing, and brand impersonation in sectors like online gaming, cryptocurrency, and software. These strategies aim to spread an alarming number of malware payloads—up to 50—including well-known threats such as AMOS, Stealc, and Rhadamanthys. According to Recorded Future’s Insikt Group, which has been closely monitoring this operation, the campaign has impacted thousands of users and potentially caused financial losses running into millions.
"Based on the widespread nature of the Marko Polo campaign, Insikt Group suspects that likely tens of thousands of devices have been compromised globally—exposing sensitive personal and corporate data," warns Recorded Future’s Insikt Group. "This poses significant risks to both consumer privacy and business continuity. Almost certainly generating millions of dollars in illicit revenue, this operation also highlights the negative economic effects of such cybercriminal activities."
Source: Recorded Future
Setting High-Value Traps
According to Insikt Group, the Marko Polo group primarily relies on spearphishing via direct messages on social media platforms to reach high-value targets. These targets include cryptocurrency influencers, gamers, software developers, and other individuals likely to handle valuable data or assets. Victims are often lured into downloading malicious software under the guise of legitimate job opportunities or project collaborations.
The group also uses fabricated brands unrelated to existing projects, such as Vortax/Vorion, VDeck (meeting software), Wasper, PDFUnity (collaboration platforms), SpectraRoom (crypto communications), and NightVerse (web3 game). In many cases, victims are directed to fake websites for virtual meetings, messaging, and game applications, where they inadvertently install the malware. Other campaigns distribute malware through executables (.exe or .dmg) found in torrent files.
Source: Recorded Future
Targeting Both Windows and macOS
The Marko Polo toolkit demonstrates the group’s capability to carry out multi-platform and multi-vector attacks. On Windows systems, HijackLoader is used to deliver Stealc—a general-purpose lightweight infostealer designed to collect data from browsers and cryptocurrency wallet apps—or Rhadamanthys, a more specialized stealer targeting a broad range of applications and data types.
Recent updates to Rhadamanthys include:
- A clipper plugin for diverting cryptocurrency payments to the attackers' wallets
- The ability to recover deleted Google Account cookies
- Windows Defender evasion techniques
For macOS users, Marko Polo deploys Atomic ('AMOS'), a stealer first seen in mid-2023. This malware is rented to cybercriminals for $1,000/month, enabling them to extract various data stored in web browsers. AMOS is capable of brute-forcing MetaMask seeds and stealing Apple Keychain passwords to access WiFi passwords, saved logins, credit card data, and other encrypted information stored on macOS.
Source: Recorded Future
The Growing Threat of Infostealer Malware
Malicious campaigns involving infostealer malware have seen massive growth over the years. Threat actors are increasingly targeting victims through zero-day vulnerabilities, fake VPNs, fixes to GitHub issues, and (hilariously) StackOverflow.
The credentials harvested by these stealers are typically used to breach corporate networks and conduct data theft campaigns (like the massive Snowflake account breaches).
How to Stay Safe
To mitigate the risk of downloading and running infostealer malware on your system, follow these best practices:
- Avoid Links from Strangers: Do not follow links shared by unknown individuals or sources.
- Download from Official Sources: Ensure that you only download software from the official project websites, and carefully vet your software vendors prior to allowing access to your system.
- Use Updated Antivirus Software: The malware used by Marko Polo is detected by most up-to-date antivirus software, so always scan downloaded files before executing them.
Conclusion
The AMOS infostealer malware operation by the Marko Polo hacker group is a coordinated, well-funded, and evolving threat. Understanding its operations, staying informed, and adhering to best practices can significantly reduce your risk of falling victim to such malicious activities. Stay vigilant and prioritize your cybersecurity to protect your sensitive information and maintain business continuity.
Francis Borges
Founder / Security Engineer
Dynacomp IT Solutions