An AMOS malware campaign has been discovered utilizing GitHub repositories to distribute malicious files. The attackers created a fake Ledger Live app that prompts users to enter their secret phrases, which are then exfiltrated. The malware uses obfuscation techniques, including base64 encoding and custom XOR operations. The campaign targets cryptocurrency users, specifically those using hardware wallets. The malware is distributed through DMG files and ZIP archives, containing both x64 and ARM64 versions of AMOS. The attackers use multiple domains for command and control, and the malware performs checks to detect virtual environments.