One of the biggest security threats to Apple systems just got a major upgrade - here's what we know

An image of macOS’s app switcher.
(Image credit: MacFormat)

  • Atomic Stealer, or AMOS, is no longer just a pure infostealer, experts warn
  • The tool now comes with a backdoor and a persistence mechanism
  • A new variant was seen circulating in the wild

Atomic Stealer (AMOS), one of the most dangerous infostealer malware threats on the macOS ecosystem, just got a significant upgrade that makes it even more dangerous, experts have warned.

A new version of the malware was spotted sporting a backdoor that not only gives the attackers persistent access that survives reboots, but also lets them deploy any other malware they choose on the compromised device.

The news comes courtesy of MacPaw’s cybersecurity arm, Moonlock, which was tipped off by an independent researcher using the alias g0njxa, who noted that the backdoored version of Atomic macOS Stealer now has the potential to gain full access to thousands of Mac devices worldwide.

AMOS has been around for years, establishing itself as the go-to stealer malware in many major hacking campaigns. Until now, it was capable of extracting a wide range of data, including browser-stored passwords and keychains, autofill data, cryptocurrency wallet information, system data, and various files. It was also able to bypass macOS protections, tricking Gatekeeper and other macOS security features.

It was sold as MaaS (malware-as-a-service) on underground forums, and often distributed via fake apps and malicious websites.

We last heard of AMOS in early June 2025, when Russian threat actors used the popular ClickFix method to deploy it against their targets. At the time, security researchers from CloudSEK reported multiple websites spoofing Spectrum, a US-based telecommunications provider, to deliver the malware.

In early January, software developer Ryan Chenkie spotted a malicious campaign on Google promoting a fake version of Homebrew, an open source package manager for macOS and Linux, which was in fact AMOS.

"AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected," the researchers warned.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
