Trend™ Research has uncovered Atomic macOS Stealer (AMOS), a new malware campaign that tricks macOS users into installing a data-stealing Trojan disguised as cracked software.
Leveraging fake application downloads and copy-and-paste Terminal prompts, AMOS bypasses Gatekeeper protections. It rotates domains to evade detection, posing serious risks to enterprises as they increasingly embrace Apple devices.
Deceptive Installation Techniques Exploit Gatekeeper and Terminal Prompts
Attackers lure victims to malicious sites offering “cracked” versions of popular macOS apps. In the first method, users download a randomly named .dmg installer (e.g., Installer_v.2.13.dmg), which drops an AppleScript payload into /tmp and configures a LaunchDaemon (com.finder.helper.plist) to run a hidden .agent script.
Although macOS Sequoia’s Gatekeeper blocks unsigned installers, users can override warnings, enabling AMOS to establish persistence by executing its binary under the logged-in user’s context.
The second method presents a fake CAPTCHA prompt instructing users to paste a curl command into Terminal, fetching and running install.sh from rotating domains such as goatramz[.]com and letrucvert[.]com.
The script escalates privileges by prompting for the user’s password, grants Finder control permissions, performs antisandbox checks, and then harvests credentials, browser cookies, cryptocurrency wallets, Telegram and OpenVPN profiles, Apple Notes, Keychain items, and user documents before compressing and exfiltrating the data via HTTPS POST requests to attacker-controlled servers.
Defense-in-Depth Strategies to Counter AMOS Campaign
Trend Vision One™ Services – Managed Detection and Response provided critical visibility into AMOS’s infection chain.
Workbench alerts for suspicious process creation, credential theft, and data exfiltration, combined with Trojan Spy and blocked hacking tool detections, allowed analysts to map initial access through sites like haxmac[.]cc and rotating redirectors (e.g., im9ov070725iqu[.]cfd).
To defend against AMOS, organizations must enforce strict Gatekeeper settings and disable overrides for unsigned software, ensure macOS systems are fully updated, and monitor endpoints for unauthorized curl executions, unexpected LaunchDaemon registrations, and AppleScript activities from temporary directories.
Network teams should inspect outbound POST requests for anomalous destinations and custom headers. User training is equally vital: employees need clear warnings about the dangers of cracked software and unsolicited Terminal prompts.
A layered security posture combining endpoint visibility, network monitoring, and proactive threat hunting will raise the barrier for attackers exploiting living-off-the-land techniques on macOS.
Continuous incident response capabilities will ensure swift containment as adversaries refine domain rotation and delivery methods.
Indicators of Compromise
File Name SHA 256 Detection update 7a66c1a25b7caee9b6cc26a3199182379b6cdecc8196ac08be9fe03b4d193d6a Trojan.MacOS.AMOS.PFH app 4a33e10c87795e93c10de3d1a59937909d0093cac937e2a09d3242e7b17a36ce Trojan.MacOS.AMOS.PFH install.sh 3ecf98f90cb170475eef315dad43e125b14757d7fbfdd213d5221c4e31467ee9 Trojan.SH.AMOS.AA update aa534e2fc19c970adc6142cda3f0a3c4309d6e3e (SHA1) TrojanSpy.MacOS.AMOSCPT.MANP Installer.dmg df92d2aac76ad76edeeb5fade987e1111d2742e7 (SHA1) TrojanSpy.MacOS.AMOS.MANP
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
.jpg?resize=1068,580&ssl=1&description=Atomic Stealer macOS - Trend™ Research has uncovered Atomic macOS Stealer (AMOS), a new malware campaign that tricks macOS users.){kind=link}