{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ledger-wallet/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Firefox","Chrome","Chromium","macOS Keychain","Ledger Wallet","Trezor Suite","Apple Notes"],"_cs_severities":["high"],"_cs_tags":["macos","amos","infostealer"],"_cs_type":"advisory","_cs_vendors":["Apple","Microsoft"],"content_html":"\u003cp\u003eThe Atomic macOS Stealer (AMOS) is a malware-as-a-service (MaaS) that has become a significant threat to macOS systems. Sophos X-Ops reported that AMOS accounted for almost 40% of their macOS protection updates in 2025, more than double any other macOS malware family. It has been tracked since at least April 2023 and is distributed through social engineering techniques, including ClickFix ruses, fake installers, and lures related to AI models. AMOS is designed to steal Keychain data, browser credentials, cookies, autofill information, and other high-value artifacts like cryptocurrency wallet data, enabling rapid account takeover and follow-on attacks. Defenders have observed repeated password prompting until the victim provides their macOS password, which is then used to perform privileged actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user is tricked into executing a command in the Terminal through social engineering (ClickFix).\u003c/li\u003e\n\u003cli\u003eA first-stage bootstrap script is downloaded from \u003ccode\u003ehxxps://sphereou[.]com/cleanera\u003c/code\u003e and executed using \u003ccode\u003eecho \u0026lt;b64\u0026gt; | base64 -d | bash\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware prompts the user for their macOS system password and validates it locally using \u003ccode\u003edscl . -authonly \u0026quot;$username\u0026quot; \u0026quot;$password\u0026quot;\u003c/code\u003e, storing the password in a hidden file.\u003c/li\u003e\n\u003cli\u003eA second-stage payload is downloaded from \u003ccode\u003ehxxps[://]sphereou[.]com/cleaner3/update\u003c/code\u003e and saved to \u003ccode\u003e/tmp/update\u003c/code\u003e. Extended attributes are removed using \u003ccode\u003exattr -c /tmp/update\u003c/code\u003e, and the file is executed.\u003c/li\u003e\n\u003cli\u003eAnti-analysis routines check for virtualized environments (QEMU, VMware, KVM) by querying \u003ccode\u003esystem_profiler\u003c/code\u003e data via \u003ccode\u003eosascript\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware collects user and system data, including Keychain database, macOS password, Firefox and Chrome profile data, Apple Notes, extension storage, host and system profile data, and cryptocurrency-related information.\u003c/li\u003e\n\u003cli\u003eStolen data is archived and prepared for exfiltration to attacker infrastructure. Exfiltration targets include IP address 38[.]244[.]158[.]56.\u003c/li\u003e\n\u003cli\u003ePersistence is established using LaunchDaemon. The system registers with a command-and-control (C2) server such as \u003ccode\u003ehxxp://45[.]94[.]47[.]204/api/join/\u003c/code\u003e and \u003ccode\u003ehxxp://45[.]94[.]47[.]204/api/tasks/\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAMOS steals sensitive information like credentials, cookies, autofill data, and cryptocurrency wallet information. It can lead to account compromise, financial loss, and further attacks. Sophos reported that AMOS accounted for almost 40% of their macOS protection updates in 2025.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for execution of commands using \u003ccode\u003eecho \u0026lt;b64\u0026gt; | base64 -d | bash\u003c/code\u003e via the Sigma rule \u0026ldquo;Detect AMOS Stealer Bootstrap Execution\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the C2 IP addresses \u003ccode\u003e45[.]94[.]47[.]204\u003c/code\u003e and the data exfiltration IP address \u003ccode\u003e38[.]244[.]158[.]56\u003c/code\u003e at the firewall or proxy level.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for the creation of hidden password files under \u003ccode\u003e/Users/$username/.pass\u003c/code\u003e via the Sigma rule \u0026ldquo;Detect AMOS Stealer Password File Creation\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T11:40:09Z","date_published":"2026-05-14T11:40:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-amos-stealer/","summary":"The Atomic macOS Stealer (AMOS) is a prevalent malware-as-a-service targeting macOS, distributed via social engineering techniques like ClickFix ruses and fake installers, designed to steal sensitive data such as credentials and cryptocurrency wallets, leading to potential account compromise and further attacks.","title":"AMOS (Atomic macOS Stealer) Malware Targeting macOS Systems","url":"https://feed.craftedsignal.io/briefs/2026-05-amos-stealer/"}],"language":"en","title":"CraftedSignal Threat Feed — Ledger Wallet","version":"https://jsonfeed.org/version/1.1"}