Insikt Group links Vortax—a self-proclaimed meeting software—to a campaign delivering macOS infostealers Rhadamanthys, Stealc, and AMOS, targeting cryptocurrency users and led by threat actor markopolo. The operation reveals an expansive network of malicious macOS apps, ties to prior Web3 gaming campaigns, and credential harvesting activities, signaling evolving macOS threats.
#Vortax #Rhadamanthys #Stealc #AMOS #markopolo #macOS #Web3Gaming #RussianMarket #2easyShop
Key points
- Vortax, a purported virtual meeting software, distributes three macOS infostealers—Rhadamanthys, Stealc, and Atomic macOS Stealer (AMOS)—to cryptocurrency users.
- The campaign is operated by the threat actor markopolo and points to an expansive network of malicious macOS applications.
- Vortax campaigns connect to a previously reported Web3 gaming campaign, suggesting the same actor is behind both efforts.
- markopolo uses shared hosting and C2 infrastructure to stay agile and pivot to new scams quickly when detected.
- The activity indicates a widespread credential harvesting operation, potentially positioning markopolo as an initial access broker on dark web shops like Russian Market or 2easy Shop.
- Mitigations emphasize keeping AMOS detections up to date, user education about unapproved software, strict download controls, user reporting, and leveraging Recorded Future tools for threat visibility.
MITRE Techniques
- [T1036] Masquerading – The actor uses Vortax, a purported meeting software, to disguise malware delivery. Quote: “Vortax, a supposed virtual meeting software…”
- [T1555] Credential Access – The campaign indicates a widespread credential harvesting operation. Quote: “credential harvesting operation.”
- [T1071] Web Protocols – The operation relies on shared hosting and C2 infrastructure to pivot to new scams. Quote: “markopolo uses shared hosting and C2 infrastructure for agility, quickly pivoting to new scams when detected.”
Indicators of Compromise
- [Malware] Rhadamanthys, Stealc, and AMOS – Infostealer families distributed by Vortax; context: three potent information stealers delivered once the purported meeting software is installed.
- [Threat Actor] markopolo – Operator behind the Vortax-infostealer campaign and broader macOS threat network.
- [Software/Tool] Vortax – Self-proclaimed meeting software used to deliver infostealers.
- [Dark Web Market] Russian Market, 2easy Shop – Dark web venues mentioned as potential ecosystems for credential harvesting operations.
- [URL] https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gaming, https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers – Campaign and background references.
- [URL] Original Source – https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers