Regions Targeted: United States, France, Italy, United Kingdom, Canada, others
Related Families: None
Key Takeaways
What is Atomic Stealer?
AMOS campaigns have already impacted over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected regions. The malware’s distribution primarily relies on two vectors: websites offering cracked or counterfeit software and sophisticated spear-phishing campaigns targeting individuals, particularly cryptocurrency holders and freelancers such as artists. These phishing attacks often masquerade as job interview processes, tricking victims into installing trojanized DMG files by requesting system passwords under the pretext of enabling screen-sharing software. Once executed, AMOS extracts sensitive data, including passwords and seed phrases, while deploying a backdoor for ongoing access.
The backdoor’s technical implementation enhances AMOS’s persistence and stealth. It deploys a binary named `.helper`, stored as a hidden file in the victim’s home directory, and a wrapper script called `.agent` that ensures continuous execution. A LaunchDaemon, labeled `com.finder.helper`, is installed via AppleScript to guarantee the backdoor runs at system startup, leveraging stolen user credentials for elevated privileges. The backdoor communicates with command-and-control (C2) servers using HTTP POST requests every 60 seconds to receive tasks. To evade detection, AMOS employs string obfuscation and checks for sandbox or virtual machine environments using the `system_profiler` command, ensuring it remains covert during analysis.
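A host-side sweep for the persistence artifacts named above, added here as an example and not PolySwarm's own tooling: it checks a home directory for the hidden `.helper` and `.agent` files and parses launch-item plists for the `com.finder.helper` label. The directory locations are assumed (the usual macOS places), and the sample tree it builds holds only placeholder files.

```python
import plistlib
import tempfile
from pathlib import Path

# Artifact names are from the report. The home-directory and LaunchDaemons
# locations are assumed; pass whichever directories you want to sweep.
HIDDEN_FILES = (".helper", ".agent")
LAUNCH_LABEL = "com.finder.helper"

def scan_home(home):
    """Hidden .helper / .agent files sitting directly under a home directory."""
    home = Path(home)
    return [f"hidden file {home / n}" for n in HIDDEN_FILES if (home / n).is_file()]

def scan_launch_items(launch_dir):
    """Launch plists whose Label is the backdoor's; malformed plists are skipped."""
    launch_dir, hits = Path(launch_dir), []
    if not launch_dir.is_dir():
        return hits
    for plist in launch_dir.glob("*.plist"):
        try:
            with open(plist, "rb") as fh:
                label = plistlib.load(fh).get("Label")
        except Exception:  # unreadable or not a plist dict: keep hunting
            continue
        if label == LAUNCH_LABEL:
            hits.append(f"launch item {plist} (Label={label})")
    return hits

def hunt(homes, launch_dirs):
    """All findings across the given home and launch-item directories."""
    return [f for h in homes for f in scan_home(h)] + \
           [f for d in launch_dirs for f in scan_launch_items(d)]

def build_sample_tree():
    """Constructed, throwaway tree mimicking an infected host (placeholder content only)."""
    root = Path(tempfile.mkdtemp())
    home, daemons = root / "Users" / "alice", root / "Library" / "LaunchDaemons"
    home.mkdir(parents=True)
    daemons.mkdir(parents=True)
    for name in HIDDEN_FILES:
        (home / name).write_text("placeholder\n")
    with open(daemons / "com.finder.helper.plist", "wb") as fh:
        plistlib.dump({"Label": LAUNCH_LABEL, "RunAtLoad": True}, fh)
    with open(daemons / "com.example.benign.plist", "wb") as fh:  # must not match
        plistlib.dump({"Label": "com.example.benign", "RunAtLoad": True}, fh)
    return [home], [daemons]
```

On a real host, point `hunt()` at every directory under `/Users` plus `/Library/LaunchDaemons` and the per-user `LaunchAgents` folders; a hit is a starting point for triage, not proof of infection by itself.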
This upgrade aligns AMOS with tactics previously observed in North Korean campaigns, which combine stealers with backdoors for rapid data exfiltration. However, AMOS’s Russia-affiliated developers appear focused on long-term persistence, enabling surveillance, keylogging, and potential lateral movement within networks. The malware-as-a-service (MaaS) model suggests further enhancements, with reports indicating potential keylogging features in development.
The implications for macOS users are profound, as AMOS transcends traditional infostealer limitations, posing risks of prolonged compromise. As AMOS continues to evolve, proactive awareness and advanced endpoint protection are critical to safeguarding macOS environments against this persistent and escalating threat. PolySwarm analysts consider Atomic Stealer to be an evolving threat.
IOCs
PolySwarm has multiple samples of Atomic Stealer.
You can use the following CLI command to search for all Atomic Stealer samples in our portal:
$ polyswarm link list -f AtomicStealer