Atomic macOS Info-Stealer Upgraded With New Backdoor to Maintain Persistence

The notorious Atomic macOS Stealer (AMOS) malware has received a dangerous upgrade that significantly escalates the threat to Mac users worldwide.

For the first time, this Russia-affiliated stealer is being deployed with an embedded backdoor, allowing attackers to maintain persistent access to compromised systems, execute remote commands, and establish long-term control over victim machines.

This represents the most significant evolution of AMOS since its emergence, transforming what was once a “smash-and-grab” data theft tool into a platform for sustained surveillance and system compromise.

According to cybersecurity researchers at Moonlock, MacPaw’s security division, this marks only the second known case of backdoor deployment targeting macOS users at a global scale, following similar tactics employed by North Korean threat actors.

The malware campaigns have already infiltrated over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most severely affected regions.

The backdoored version of AMOS now threatens to provide attackers with full access to thousands of Mac devices worldwide.

[Figure: Atomic macOS Info-Stealer capabilities]

Technical Sophistication and Attack Vectors

The upgraded AMOS employs two primary distribution methods: websites offering cracked or counterfeit software, and sophisticated spear-phishing campaigns targeting high-value individuals, particularly cryptocurrency holders.

The spear-phishing attacks often masquerade as staged job interviews, typically targeting artists and freelancers who are asked to provide system passwords under the guise of enabling screen sharing for interviews.

Once executed, the malware establishes persistence through a complex chain of components, including a trojanized DMG file, bash wrapper scripts, and Terminal aliases designed to bypass macOS Gatekeeper protections.

The backdoor maintains communication with command-and-control servers located at IP addresses 45.94.47.145 and 45.94.47.147, sending HTTP POST requests every 60 seconds to receive new tasks and commands.
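The 60-second HTTP POST cadence described above is a network-side signal a defender can hunt for independently of the two addresses. The script below is an added example, not code from the article or from Moonlock: it runs over a few constructed proxy-style log lines (not real traffic), matches destinations against the two reported C2 addresses, and separately flags any client whose POSTs to one destination recur at roughly 60-second intervals. The log format, the tolerance of 5 seconds and the minimum of three POSTs are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# C2 addresses reported for the AMOS backdoor (taken from the article).
AMOS_C2 = {"45.94.47.145", "45.94.47.147"}

# Constructed proxy-style log lines, one per request (assumed format, not real traffic):
# "<ISO timestamp> <client> <method> <destination>"
SAMPLE_LOG = """\
2025-07-01T10:00:00 10.0.0.5 POST 45.94.47.145
2025-07-01T10:00:03 10.0.0.7 GET 93.184.216.34
2025-07-01T10:01:00 10.0.0.5 POST 45.94.47.145
2025-07-01T10:01:30 10.0.0.7 GET 93.184.216.34
2025-07-01T10:02:00 10.0.0.5 POST 45.94.47.145
2025-07-01T10:02:59 10.0.0.5 POST 45.94.47.145
2025-07-01T10:04:00 10.0.0.5 POST 45.94.47.145
2025-07-01T10:05:00 10.0.0.9 POST 45.94.47.147
"""


def parse_log(text):
    """Yield (timestamp, client, method, destination) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, dest = line.split()
        yield datetime.fromisoformat(ts), client, method, dest


def ioc_hits(text, c2_ips=AMOS_C2):
    """Return {client: set(destinations)} for every client that contacted a listed C2 address."""
    hits = defaultdict(set)
    for _, client, _, dest in parse_log(text):
        if dest in c2_ips:
            hits[client].add(dest)
    return dict(hits)


def find_beacons(text, interval=60, tolerance=5, min_posts=3):
    """Flag (client, destination) pairs whose POSTs recur at about `interval` seconds.

    Returns {(client, destination): number_of_regular_gaps}. The check is IOC-agnostic,
    so it also surfaces beaconing to addresses not on the indicator list.
    """
    posts = defaultdict(list)
    for ts, client, method, dest in parse_log(text):
        if method == "POST":
            posts[(client, dest)].append(ts)

    beacons = {}
    for key, times in posts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - interval) <= tolerance)
        # Require enough POSTs and enough evenly spaced gaps to call it a beacon.
        if len(times) >= min_posts and regular >= min_posts - 1:
            beacons[key] = regular
    return beacons


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(SAMPLE_LOG))
    print("Beacons:", find_beacons(SAMPLE_LOG))
```

In the constructed sample, client 10.0.0.5 posts to 45.94.47.145 with gaps of 60, 60, 59 and 61 seconds and is flagged as a beacon, while 10.0.0.9 appears only in the IOC match because a single POST is not enough to establish a cadence. Against real proxy or firewall logs, replace `parse_log` with a parser for your log format and keep the two checks separate: the IOC match goes stale as soon as the operators move infrastructure, the cadence check does not.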

[Figure: Atomic macOS Info-Stealer infection chain]

The AMOS threat group appears to be following established patterns pioneered by North Korean cybercriminals, who have successfully combined backdoors with stealers in macOS attacks.

However, while North Korean groups typically focus on quick cryptocurrency theft, the AMOS backdoor is designed for long-term persistence and extended system compromise.

The malware creates a LaunchDaemon with the label “com.finder.helper” that ensures the backdoor survives system reboots.

It deploys a multi-layered approach using hidden files named “.helper” and “.agent” to maintain covert operations and evade detection.
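The LaunchDaemon label and the two hidden file names are host-side indicators that can be checked without any vendor tooling. The script below is an added example, not code from the article or from Moonlock: it parses the property lists in a LaunchDaemons directory with Python's standard `plistlib`, reports any whose `Label` matches the reported value, and walks a directory tree for files named `.helper` or `.agent`. Because the article does not say where the hidden files are dropped, the demo builds its own temporary tree (a constructed layout, with `/Users/Shared` used only as a placeholder path) rather than assuming a real location; on a live Mac the plist check would be pointed at `/Library/LaunchDaemons`.

```python
import os
import plistlib
import tempfile

# Indicators taken from the article.
SUSPICIOUS_LABELS = {"com.finder.helper"}
SUSPICIOUS_FILENAMES = {".helper", ".agent"}


def launchdaemon_findings(plist_dir):
    """Return [(path, label, program)] for plists in plist_dir whose Label is a known indicator."""
    findings = []
    for name in sorted(os.listdir(plist_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(plist_dir, name)
        try:
            with open(path, "rb") as f:
                data = plistlib.load(f)
        except (plistlib.InvalidFileException, OSError, ValueError):
            continue  # malformed plist: skipped here, but worth logging in real triage
        label = data.get("Label", "")
        if label in SUSPICIOUS_LABELS:
            program = data.get("Program") or " ".join(data.get("ProgramArguments", []))
            findings.append((path, label, program))
    return findings


def hidden_file_findings(root):
    """Return sorted paths under root whose file name is one of the reported hidden names."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn in SUSPICIOUS_FILENAMES:
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def scan(root):
    """Run both checks against a filesystem tree rooted at `root` ("/" on a real host)."""
    return {
        "launchdaemons": launchdaemon_findings(os.path.join(root, "Library", "LaunchDaemons")),
        "hidden_files": hidden_file_findings(root),
    }


def build_demo_tree():
    """Create a constructed directory tree for the demo; nothing here is real malware."""
    root = tempfile.mkdtemp()
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    os.makedirs(daemons)
    # A benign daemon that must not be reported.
    with open(os.path.join(daemons, "com.example.updater.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/local/bin/updater"],
                       "RunAtLoad": True}, f)
    # A daemon carrying the label from the article; the program path is a placeholder.
    with open(os.path.join(daemons, "com.finder.helper.plist"), "wb") as f:
        plistlib.dump({"Label": "com.finder.helper",
                       "ProgramArguments": ["/Users/Shared/.helper"],
                       "RunAtLoad": True, "KeepAlive": True}, f)
    # Hidden files with the reported names next to an unrelated file (location is assumed).
    shared = os.path.join(root, "Users", "Shared")
    os.makedirs(shared)
    for fn in (".helper", ".agent", "notes.txt"):
        open(os.path.join(shared, fn), "w").close()
    return root


if __name__ == "__main__":
    for kind, items in scan(build_demo_tree()).items():
        print(kind, items)
```

Matching on a label alone is brittle (the operators can rename it in the next build), so the report includes the daemon's program path: any LaunchDaemon whose program resolves to a hidden file under a user-writable directory deserves a look regardless of its label, and that is the property a longer-lived detection should key on.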

Security researchers have observed a rapid increase in unique AMOS binary samples since the beginning of 2024, indicating active development and deployment.

The growth of the malware-as-a-service (MaaS) market suggests that more variants of the updated Atomic macOS Stealer are likely to emerge, with improved detection evasion and broader system access.

Protection and Recommendations

The evolution of AMOS from a simple data stealer to a persistent backdoor significantly increases the risk to victims, transforming one-time breaches into long-term compromises.

Security experts recommend that Mac users employ additional anti-malware software, remain vigilant against social engineering tactics, and reduce their digital footprint to minimize exposure to targeted attacks.

The cybersecurity community continues to monitor AMOS operations, with researchers sharing threat intelligence to help security teams update their defensive measures against this evolving menace to macOS users worldwide.
