- Atomic Stealer, or AMOS, is no longer just a pure infostealer, experts warn
- The tool now comes with a backdoor and a persistence mechanism
- A new variant was seen circulating in the wild
Atomic Stealer (AMOS), one of the most dangerous infostealer malware threats in the macOS ecosystem, just got a significant upgrade that makes it even more dangerous, experts have warned.
A new version of the malware was spotted sporting a backdoor that not only gives attackers persistent access that survives reboots, but also lets them deploy any other malware on the compromised device.
The news comes courtesy of MacPaw’s cybersecurity arm, Moonlock, which was tipped off by an independent researcher with the alias g0njxa, who noted the backdoored version of Atomic macOS Stealer now has the potential to gain full access to thousands of Mac devices worldwide.
A popular infostealer
AMOS has been around for years, establishing itself as the go-to stealer malware used in many major hacking campaigns. Until now, it was capable of extracting a wide range of data, including browser-stored passwords and keychains, autofill data, cryptocurrency wallet information, system data, and different files. It was also able to bypass macOS protections, tricking Gatekeeper and other macOS security features.
It was sold as MaaS (malware-as-a-service) on underground forums, and often distributed via fake apps and malicious websites.
We last heard of AMOS in early June 2025, when Russian threat actors used the popular ClickFix method to deploy it against their targets. At the time, security researchers from CloudSek reported multiple websites spoofing Spectrum, a US-based telecommunications provider, to deliver the malware.
In early January, software developer Ryan Chenkie spotted a malicious campaign on Google promoting a fake version of Homebrew, an open source package manager for macOS and Linux. The fake version was, in fact, AMOS.
“AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected,” the researchers warned.
Via BleepingComputer