The notorious Atomic macOS Stealer (AMOS), a favorite in the macOS malware landscape, has undergone a major transformation, adding an embedded backdoor to its arsenal.
This update marks a turning point for AMOS, allowing threat actors to achieve persistent access to compromised Macs, execute arbitrary commands from remote command-and-control (C2) servers, and expand their control over victim systems far beyond mere data theft.
Moonlock, the cybersecurity division of MacPaw, now rates this version of AMOS as the highest-risk seen from the malware to date, and notes that it is only the second case, after attacks by North Korean APTs, of backdoors being deployed at this scale on macOS globally.
Advanced Threats Targeting macOS at Scale
Long linked to Russia-affiliated cybercrime, the developers behind AMOS previously focused on exfiltrating sensitive data, especially from cryptocurrency browser extensions and cold wallets.
With its new backdoor functionality, however, AMOS transcends simple information theft, establishing user-level persistence and enabling full remote tasking on targeted machines, even after reboots.
This escalation now mirrors sophisticated attack chains previously associated with North Korean groups, who pioneered the combination of backdoors and stealers in macOS campaigns.

Distribution of the new AMOS variant has already impacted users in over 120 countries, including the United States, France, Italy, the United Kingdom, and Canada.
Infection vectors remain consistent, relying on websites offering cracked or trojanized software, as well as highly targeted spear phishing, especially against cryptocurrency holders and high-value freelancers.
Attackers typically lure victims into running disguised installers, using social engineering to bypass macOS protections and trick users into supplying their credentials.
New Infection Chain
Technically, the updated stealer retains its core Mach-O payload for data exfiltration over HTTP POST requests, but now delivers additional persistence modules: a .helper binary containing the main backdoor logic and an .agent script placed in the user’s home directory.

These are registered as LaunchDaemons, ensuring the backdoor is automatically relaunched at boot and remains hidden from casual inspection.
Communication with the C2 server now employs unique host identifiers, periodic polling for new commands, and the ability to execute shell commands or self-delete, greatly increasing long-term risk.
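To turn the persistence details above into a defender's hunt, here is an added example (not code from Moonlock's report, and not the malware's own) that parses launchd plists and flags any whose Program or ProgramArguments point at a hidden .helper or .agent file directly under a user's home directory. The sample plist is constructed for the test; the directory list to sweep on a real Mac is an assumption you adjust for your fleet.

```python
import plistlib
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Hidden home-directory file names reported for the AMOS persistence modules.
SUSPECT_NAMES = {".helper", ".agent"}
# A dotfile directly under a macOS home directory, e.g. /Users/alice/.agent
HOME_DOTFILE_RE = re.compile(r"^(?:/Users/[^/]+|~)/(\.[^/]+)$")


def plist_program_paths(data: bytes) -> List[str]:
    """Collect every string from Program and ProgramArguments in a launchd plist."""
    d = plistlib.loads(data)
    paths = [d["Program"]] if isinstance(d.get("Program"), str) else []
    args = d.get("ProgramArguments")
    if isinstance(args, list):
        paths.extend(a for a in args if isinstance(a, str))
    return paths


def suspicious_paths(paths: Iterable[str]) -> List[str]:
    """Keep only paths naming a hidden .helper/.agent file in a home directory."""
    hits = []
    for p in paths:
        m = HOME_DOTFILE_RE.match(p)
        if m and m.group(1) in SUSPECT_NAMES:
            hits.append(p)
    return hits


def scan_plist_dirs(dirs: Iterable[str]) -> Dict[str, List[str]]:
    """Map each plist under the given directories to its suspicious program paths."""
    findings: Dict[str, List[str]] = {}
    for d in dirs:
        for f in Path(d).glob("*.plist"):
            try:
                hits = suspicious_paths(plist_program_paths(f.read_bytes()))
            except Exception:
                continue  # unreadable or malformed plist: skip it rather than abort the hunt
            if hits:
                findings[str(f)] = hits
    return findings


# Constructed sample (not a real AMOS artifact) shaped like the persistence described above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.update</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>/Users/victim/.agent</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
```

On a live Mac, call scan_plist_dirs over /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents (an assumed default set) and review every hit alongside the file it references.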
The methodology bears strong resemblance to past North Korean attacks, which used similar social engineering techniques, staged phishing, and secondary payloads to establish temporary but highly privileged access.
Unlike those campaigns, the AMOS upgrade appears aimed at creating a persistent, globally distributed backdoor platform for macOS, dramatically raising the stakes for both individual and enterprise defenders.
With the evolution of Atomic macOS Stealer into a dual-purpose platform combining stealer and backdoor operations, the risk for Mac users has sharply increased.
The malware-as-a-service ecosystem is likely to accelerate further enhancements, raising both the technical sophistication and the threat footprint of AMOS.
According to the report, Moonlock Lab and other security teams strongly recommend both improved anti-malware practices and heightened user awareness of phishing and social engineering risks.
The ability of AMOS to maintain persistence, evade detection, and enable re-infection underscores the importance of continued vigilance and rapid defensive updates.
Indicators of Compromise (IOCs)