The Atomic macOS Stealer (AMOS) has undergone a significant transformation, evolving from a notorious infostealer into a backdoor-equipped implant capable of maintaining persistent remote access to compromised macOS systems.
This development, recently detailed by Moonlock Lab, marks a turning point in AMOS’s operational capabilities, raising the stakes for individual users, freelancers, and organizations that rely on macOS for their daily computing needs.
Advanced Persistence Through Backdoor Mechanism
Previously recognized for its proficiency in stealing browser data, system credentials, and cryptocurrency wallet information, AMOS now incorporates a sophisticated backdoor.
This new feature empowers threat actors to achieve ongoing control over infected machines, execute remote commands, and deploy additional payloads at will.
Unlike classic infostealers, which aim for quick data theft and exfiltration followed by exit, the upgraded AMOS pivots towards long-term compromise, enabling adversaries to conduct ongoing surveillance, deploy further tooling, and position themselves for lateral movement within networks.
According to a PolySwarm report, the addition of remote command execution distinctly elevates the threat to macOS users, because the access it provides survives reboots.
The technical approach centers on stealth and endurance. AMOS drops a dot-prefixed (and therefore hidden) binary named .helper in the victim's home directory, together with a wrapper script called .agent that keeps the binary running.
To cement persistence, AMOS uses AppleScript to install a LaunchDaemon labeled com.finder.helper, a name chosen to blend in with legitimate Apple components.
Installing a LaunchDaemon requires administrative privileges, which AMOS obtains with the user password harvested during infection; the daemon then starts the backdoor at every system startup.
Communication with command-and-control (C2) servers is maintained through periodic HTTP POST requests every 60 seconds, allowing continuous tasking and control from remote operators.
To further elude detection, AMOS obfuscates its operational strings and uses the system_profiler utility to look for hardware characteristics of sandboxes and virtual machines, aborting where analysis environments are suspected in order to thwart forensic analysis and automated defenses.
Global Reach via Spear Phishing
AMOS campaigns have been identified in over 120 countries, with the United States, United Kingdom, France, Italy, and Canada reporting the highest incident rates.
The primary distribution vectors are spear-phishing emails and websites offering cracked or repackaged software, with a particular focus on cryptocurrency owners and freelancers such as artists.
Attackers often disguise their phishing attempts as legitimate recruitment or freelance offers, luring victims into installing malicious DMG files and asking for the system password under a pretext such as setting up a remote interview.
Once the payload is triggered, AMOS seizes credentials, browser tokens, and wallet seeds while simultaneously planting its persistent backdoor.
The move to blend infostealing with persistent remote access mirrors tactics once seen in high-profile North Korean campaigns, where rapid data exfiltration was combined with durable footholds on target systems.
AMOS's operators, who have been linked to Russia, appear intent on maximizing long-term benefits, including post-compromise surveillance and ongoing access for espionage or financial gain.
The malware-as-a-service (MaaS) model powering AMOS suggests ongoing enhancements, with new features such as keylogging likely under development.
As the technical sophistication and operational tenacity of AMOS grow, the risks to macOS environments intensify.
Security experts urge users and organizations to bolster defenses by deploying modern endpoint protection, educating users about phishing lures, and monitoring for unexpected LaunchDaemons and hidden executables in user home directories.
AMOS’s evolution underscores the shifting threat landscape for macOS and the necessity for vigilance as attackers pursue sustained, covert access.
Indicators of Compromise (IOCs)
| SHA-256 hash |
|---|
| 8d8b40e87d3011de5b33103df2ed4ec81458b2a2f8807fbb7ffdbc351c7c7b5e |
| 3402883ff6efadf0cc8b7434a0530fb769de5549b0e9510dfdd23bc0689670d6 |
| f4976d9a90d2f9868fcaade1449ffcf9982ed2285ace90aafa7099ce246fd2ec |
| 54b9576aad25d54d703adb9a26feaa5d80f44b94731ff8ecff7cf1ebc15cf3ff |
| 11e55fa23f0303ae949f1f1d7766b79faf0eb77bccb6f976f519a29fe51ce838 |
| ec11fd865c2f502c47f100131f699a5e0589092e722a0820e96bd698364eefdb |
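The persistence artifacts described above (the com.finder.helper LaunchDaemon and the hidden .helper and .agent files in the home directory) and the hashes in the IOC table can be turned into a simple host hunt. The script below is an added example written for this article, not code from Moonlock Lab, PolySwarm or the malware; it assumes a standard macOS layout (LaunchDaemon plists under /Library/LaunchDaemons, home directories under /Users) and, on a real host, should be run as root with `hunt(Path("/"))`. The `demo()` function builds a constructed directory tree with placeholder files (not real samples) so the same logic can be exercised offline; the user name `victim` and the benign `com.example.updater` daemon are invented for that tree.

```python
"""Hunt for the AMOS backdoor persistence artifacts reported above.

Added example, not the project's or the report's own code. Assumes a macOS
layout under ROOT: ROOT/Library/LaunchDaemons/*.plist and ROOT/Users/<home>.
"""
import hashlib
import plistlib
import tempfile
from pathlib import Path

# SHA-256 hashes from the IOC table on this page.
AMOS_SHA256 = {
    "8d8b40e87d3011de5b33103df2ed4ec81458b2a2f8807fbb7ffdbc351c7c7b5e",
    "3402883ff6efadf0cc8b7434a0530fb769de5549b0e9510dfdd23bc0689670d6",
    "f4976d9a90d2f9868fcaade1449ffcf9982ed2285ace90aafa7099ce246fd2ec",
    "54b9576aad25d54d703adb9a26feaa5d80f44b94731ff8ecff7cf1ebc15cf3ff",
    "11e55fa23f0303ae949f1f1d7766b79faf0eb77bccb6f976f519a29fe51ce838",
    "ec11fd865c2f502c47f100131f699a5e0589092e722a0820e96bd698364eefdb",
}
REPORTED_LABEL = "com.finder.helper"    # LaunchDaemon label from the report
REPORTED_FILES = (".helper", ".agent")  # hidden files dropped in $HOME


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_launchdaemons(daemons_dir: Path) -> list[str]:
    """Flag the reported label, and any daemon that executes a dot-file."""
    findings = []
    for plist_path in sorted(daemons_dir.glob("*.plist")):
        try:
            with plist_path.open("rb") as f:
                plist = plistlib.load(f)
        except Exception as exc:  # a plist launchd cannot parse is itself odd
            findings.append(f"{plist_path}: unreadable plist ({exc})")
            continue
        label = str(plist.get("Label", ""))
        programs = [str(p) for p in plist.get("ProgramArguments", [])]
        if "Program" in plist:
            programs.insert(0, str(plist["Program"]))
        if label == REPORTED_LABEL:
            findings.append(f"{plist_path}: label {label!r} matches the AMOS report")
        for prog in programs:
            if Path(prog).name.startswith("."):
                findings.append(f"{plist_path}: runs hidden program {prog}")
                break
    return findings


def check_home_dirs(users_dir: Path) -> list[str]:
    """Look for the reported dot-files in every home directory and hash them."""
    findings = []
    for home in sorted(p for p in users_dir.iterdir() if p.is_dir()):
        for name in REPORTED_FILES:
            target = home / name
            if target.is_file():
                digest = sha256_file(target)
                verdict = ("KNOWN AMOS SAMPLE" if digest in AMOS_SHA256
                           else "not in IOC list, inspect manually")
                findings.append(f"{target}: sha256={digest} ({verdict})")
    return findings


def hunt(root: Path) -> list[str]:
    """Run both checks against a filesystem root (Path('/') on a live host)."""
    findings = []
    daemons, users = root / "Library" / "LaunchDaemons", root / "Users"
    if daemons.is_dir():
        findings += check_launchdaemons(daemons)
    if users.is_dir():
        findings += check_home_dirs(users)
    return findings


def demo() -> list[str]:
    """Exercise hunt() on a constructed tree shaped like the reported infection."""
    base = Path(tempfile.mkdtemp(prefix="amos-hunt-"))
    daemons = base / "Library" / "LaunchDaemons"
    home = base / "Users" / "victim"  # constructed user name
    daemons.mkdir(parents=True)
    home.mkdir(parents=True)
    # Benign-looking daemon (constructed): must produce no finding.
    with (daemons / "com.example.updater.plist").open("wb") as f:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/local/bin/updater"]}, f)
    # Daemon shaped like the report: reported label, hidden wrapper in $HOME.
    with (daemons / f"{REPORTED_LABEL}.plist").open("wb") as f:
        plistlib.dump({"Label": REPORTED_LABEL, "RunAtLoad": True,
                       "ProgramArguments": ["/bin/sh", str(home / ".agent")]}, f)
    # Placeholder dot-files (constructed bytes, not real malware).
    (home / ".agent").write_text('#!/bin/sh\nexec "$HOME/.helper"\n')
    (home / ".helper").write_bytes(b"\xcf\xfa\xed\xfe placeholder")
    return hunt(base)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The hash comparison only confirms the specific samples in the table; a rebuilt or repacked .helper will not match, which is why the home-directory check reports every occurrence of the dot-files rather than only known hashes, and why the LaunchDaemon check also flags any daemon whose program is a dot-file regardless of label.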