Crypto wallets are being hit by a new Mac infostealer

Bad Bots
(Image credit: Gonin / Shutterstock)

Security experts have raised warnings about a new piece of malware that targets MacOS devices to steal sensitive information including saved passwords, credit card numbers and data from over 50 cryptocurrency browser extensions.

Dubbed 'Atomic' - also known as 'AMOS' - the threat is being sold on the infamous encrypted messaging app Telegram, which has a reputation as a platform for sharing illicit material and content, for $1,000 per month.

It comes with several features that make it easier for threat actors to carry out their crimes, such as a web panel to help management their victims, a MetaMask brute-forcer, a cryptocurrency checker, a dmg installer, and the ability to receive stolen logs on Telegram.


Researchers at both Trellix and Cyble labs have been tracking the malware, and found that the latest version release was on April 25, suggesting that developments and updates are ongoing.

What's more, the tool is proving hard to detect, with under 2% of antivirus software flagging the dmg file as malicious. 

Threat actors can infect users with the malware via the usual methods, such as phishing emails, social media posts, malvertising campaigns, bad torrents and the like. 

When the victim opens the dmg file, they are given a fake prompt to enter their master password for their device, which the malware steals to gain entry. It then tries to steal user information saved in Apple's proprietary password manager Keychain. 

It then tries to steal information from installed software on the system, such desktop cryptocurrency wallets from the likes of Electrum, Binance, Exodus, and Atomic, as well as 50 other wallet extensions which include Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, and BinanceChain.

Web browser data is also extracted, such as passwords and payment cards saved on Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, and Vivaldi. System information such as model name, serial numbers, hardware UUID, RAM size and core count is also scoured.

Atomic can also steal files directly from directories such as the Desktop and Documents folders. But in doing this, the malware has to request permission from the system, which the user is notified of, so this may give them opportunity to spot the infection. 

The stolen data is compressed into a zip file and sent to the command and control server of the threat actor, which, interestingly, has the same IP address as that used by the Raccoon Stealer, suggesting a link between the two. 

Apple devices aren't usually targeted as much with malware as Windows machines, but it appears this is beginning to change, as a recent report has claimed that such threats are on the rise.

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.