- Atomic Stealer, or AMOS, is no longer just a pure infostealer, experts warn
- The tool now comes with a backdoor and a persistence mechanism
- A new variant was seen circulating in the wild
Atomic Stealer (AMOS), one of the most dangerous infostealer malware threats in the macOS ecosystem, just got a significant upgrade that makes it even more dangerous, experts have warned.
A new version of the malware was spotted with a backdoor that not only allows persistent access and survives restarts, but also gives attackers the opportunity to deploy any other malware on the compromised device.
The news comes courtesy of MacPaw’s cybersecurity arm, Moonlock, which was tipped off by an independent researcher with the alias G0NJXA.
A popular infostealer
AMOS has been around for years, establishing itself as the go-to infostealer malware used in many major hacking campaigns. Until now, it was able to extract a wide range of data, including browser-stored passwords and keychain data, autofill data, cryptocurrency wallet information, system data and various files. It was also able to bypass macOS protections and fool Gatekeeper and other macOS security features.
It was sold as MaaS (malware-as-a-service) on underground forums and often distributed via fake apps and malicious sites.
We last heard about AMOS in early June 2025, when Russian threat actors used the popular ClickFix method to deploy it against their targets. At that time, security researchers from CloudSEK reported several sites spoofing Spectrum, a US-based telecommunications provider, to deliver the malware.
In early January, software developer Ryan Chenkie discovered a malicious campaign on Google promoting a fake version of Homebrew, an open source package manager for macOS and Linux, that was actually AMOS.
“AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom and Canada among the most affected,” the researchers warned.
Via BleepingComputer



