high advisory

AMOS (Atomic macOS Stealer) Malware Targeting macOS Systems

The Atomic macOS Stealer (AMOS) is a prevalent malware-as-a-service targeting macOS. It is distributed through social engineering techniques such as ClickFix ruses and fake installers and is designed to steal sensitive data, including credentials and cryptocurrency wallet data, which can lead to account compromise and further attacks.

The Atomic macOS Stealer (AMOS) is a malware-as-a-service (MaaS) that has become a significant threat to macOS systems. Sophos X-Ops reported that AMOS accounted for almost 40% of their macOS protection updates in 2025, more than double any other macOS malware family. It has been tracked since at least April 2023 and is distributed through social engineering techniques, including ClickFix ruses, fake installers, and lures related to AI models. AMOS is designed to steal Keychain data, browser credentials, cookies, autofill information, and other high-value artifacts like cryptocurrency wallet data, enabling rapid account takeover and follow-on attacks. Defenders have observed repeated password prompting until the victim provides their macOS password, which is then used to perform privileged actions.

Attack Chain

  1. The user is tricked into executing a command in the Terminal through social engineering (ClickFix).
  2. A first-stage bootstrap script is downloaded from hxxps://sphereou[.]com/cleanera and executed using echo <b64> | base64 -d | bash.
  3. The malware prompts the user for their macOS system password and validates it locally using dscl . -authonly "$username" "$password", storing the password in a hidden file.
  4. A second-stage payload is downloaded from hxxps://sphereou[.]com/cleaner3/update and saved to /tmp/update. Extended attributes are removed using xattr -c /tmp/update, and the file is executed.
  5. Anti-analysis routines check for virtualized environments (QEMU, VMware, KVM) by querying system_profiler data via osascript.
  6. The malware collects user and system data, including Keychain database, macOS password, Firefox and Chrome profile data, Apple Notes, extension storage, host and system profile data, and cryptocurrency-related information.
  7. Stolen data is archived and prepared for exfiltration to attacker infrastructure. Exfiltration targets include IP address 38[.]244[.]158[.]56.
  8. Persistence is established using a LaunchDaemon. The malware registers with a command-and-control (C2) server via endpoints such as hxxp://45[.]94[.]47[.]204/api/join/ and hxxp://45[.]94[.]47[.]204/api/tasks/.

Impact

AMOS steals sensitive information like credentials, cookies, autofill data, and cryptocurrency wallet information. It can lead to account compromise, financial loss, and further attacks. Sophos reported that AMOS accounted for almost 40% of their macOS protection updates in 2025.

Recommendation

  • Monitor process creations for execution of commands using echo <b64> | base64 -d | bash via the Sigma rule “Detect AMOS Stealer Bootstrap Execution”.
  • Monitor network connections to the C2 IP addresses 45[.]94[.]47[.]204 and the data exfiltration IP address 38[.]244[.]158[.]56 at the firewall or proxy level.
  • Monitor file creation events for the creation of hidden password files under /Users/$username/.pass via the Sigma rule “Detect AMOS Stealer Password File Creation”.
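The attack chain and the three recommendations above map onto a small set of telemetry checks. The following is an added example (not code from the advisory or its Sigma rules) that runs those checks over constructed sample events; the event record shape is an assumption, not a real EDR schema, and the indicators are taken from this advisory as published.

```python
import re
from typing import Dict, List

# Indicators from the advisory, kept defanged as published and refanged only
# in memory so they compare equal to addresses seen in real telemetry.
DEFANGED_IPS = ["45[.]94[.]47[.]204", "38[.]244[.]158[.]56"]
IOC_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_IPS}

# Command-line patterns drawn from the attack chain (process_creation source).
# base64 on macOS accepts -d, -D and --decode, so all three are covered.
CMDLINE_PATTERNS = {
    "amos_bootstrap_base64_bash": re.compile(
        r"echo\s+\S+\s*\|\s*base64\s+(-[dD]|--decode)\s*\|\s*(ba)?sh\b"),
    "amos_local_password_validation": re.compile(r"\bdscl\s+\.\s+-authonly\b"),
    "amos_quarantine_strip_tmp_update": re.compile(r"\bxattr\s+-c\s+/tmp/update\b"),
}
# Hidden password file under the user's home directory (file_event source).
PASS_FILE = re.compile(r"^/Users/[^/]+/\.pass$")

def classify(event: Dict[str, str]) -> List[str]:
    """Return the advisory detections an event matches (empty list if none).
    Assumed minimal record: {"type": "process"|"file"|"network"} plus
    cmdline / path / dst_ip respectively; not a real EDR schema."""
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        return [name for name, pat in CMDLINE_PATTERNS.items() if pat.search(cmd)]
    if kind == "file" and PASS_FILE.match(event.get("path", "")):
        return ["amos_hidden_password_file"]
    if kind == "network" and event.get("dst_ip") in IOC_IPS:
        return ["amos_c2_or_exfil_ip"]
    return []

def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Run classify() over a batch; return (index, hits) for events that fire."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]

# Constructed sample telemetry (not captured logs): true positives interleaved
# with benign look-alikes that must not fire. 192.0.2.10 is a documentation IP.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "echo aGVsbG8gd29ybGQ= | base64 -d | bash"},
    {"type": "process", "cmdline": "echo aGVsbG8gd29ybGQ= | base64 -d"},
    {"type": "process", "cmdline": "dscl . -authonly alice <password>"},
    {"type": "process", "cmdline": "xattr -c /tmp/update"},
    {"type": "process", "cmdline": "xattr -l /Users/alice/Downloads/app.dmg"},
    {"type": "file", "path": "/Users/alice/.pass"},
    {"type": "file", "path": "/Users/alice/.bash_profile"},
    {"type": "network", "dst_ip": "45.94.47.204"},
    {"type": "network", "dst_ip": "192.0.2.10"},
]
```

Calling scan(SAMPLE_EVENTS) flags events 0, 2, 3, 5 and 7 and leaves the benign look-alikes silent; the same three functions can be fed from a real process, file and network event stream once its fields are mapped onto the assumed record shape.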

Detection coverage (3)

Detect AMOS Stealer Bootstrap Execution

high

Detects the execution of a bootstrap script commonly used by AMOS stealer using base64 decoding and bash execution.

Sigma rule. Tactics: execution. Techniques: T1059.004. Log sources: process_creation, macos

Detect AMOS Stealer Password File Creation

high

Detects the creation of a hidden password file by AMOS stealer under the user's home directory.

Sigma rule. Tactics: credential_access. Techniques: T1056. Log sources: file_event, macos

Detect AMOS Stealer Network Connection to C2

high

Detects network connections to known AMOS command-and-control servers.

Sigma rule. Tactics: command_and_control. Techniques: T1071.001. Log sources: network_connection, macos
