Atomic macOS Info-Stealer Updated with New Backdoor for Persistent Access
The Atomic macOS Stealer (AMOS), a notorious piece of info-stealing malware targeting Apple users, has undergone a significant update, introducing an embedded backdoor for the first time.
This development, reported by Moonlock, a cybersecurity division of MacPaw, marks a critical escalation in the malware’s capabilities, allowing attackers to maintain persistent access to compromised macOS systems.
A Dangerous Evolution in macOS Malware
Unlike its previous focus on data exfiltration from cryptocurrency-related browser extensions and wallets, AMOS now enables remote command execution, full user-level access, and system persistence even after reboots.
This upgrade positions AMOS as one of the most dangerous threats to macOS users, with campaigns already spanning over 120 countries, including the United States, France, Italy, the United Kingdom, and Canada.
The addition of a backdoor transforms AMOS from a one-time data theft tool into a platform for long-term surveillance and exploitation.
The malware is primarily distributed through websites hosting cracked or fake software and sophisticated spear-phishing campaigns targeting high-value individuals, such as cryptocurrency holders.
From Data Theft to Full System Compromise
The infection process often mimics legitimate processes, such as job interviews, tricking victims into entering system passwords.
Once executed, AMOS deploys a trojanized DMG file that bypasses macOS Gatekeeper protections using a Mach-O binary, bash scripts, and AppleScript.

Beyond the initial data theft, the backdoor is established via persistence mechanisms like LaunchDaemon PLIST files, ensuring the malware survives system reboots.
The backdoor, hidden as “.helper” and supported by a “.agent” script, communicates with command-and-control (C2) servers to fetch tasks, execute shell commands, or self-delete, mirroring tactics seen in North Korean attack strategies.
Data exfiltration occurs over HTTP POST requests to specific IP addresses, while new features like keylogging are reportedly in testing, further expanding the threat’s potential.
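The persistence traits described above (a LaunchDaemon/LaunchAgent plist that starts a hidden dot-named file such as ".helper" or ".agent" at boot and keeps it alive) can be checked for on a Mac without any detection product. The following audit script is an added example, not code from Moonlock or from the AMOS report; the heuristics, the `com.example.*` labels and the `/Users/demo/.agent` path in the constructed samples are assumptions made for illustration.

```python
import plistlib
from pathlib import Path

# Directories launchd loads persistence items from (system scope, then the user's own).
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
               str(Path.home() / "Library/LaunchAgents")]
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

def audit_plist(data: bytes) -> list[str]:
    """Return reasons a launchd plist looks suspicious (empty list if none).
    Heuristics mirror the traits above: a hidden dot-named file such as
    ".helper" or ".agent" that launchd starts at boot and keeps alive."""
    item = plistlib.loads(data)
    args = list(item.get("ProgramArguments") or [])
    program = item.get("Program") or (args[0] if args else "")
    if not program:
        return ["no Program or ProgramArguments"]
    # Inspect the executable and any script it is handed, e.g. /bin/sh /path/.agent
    paths = [program] + [a for a in args[1:] if a.startswith("/")]
    findings = [f"hidden dot-named file: {p}" for p in paths if Path(p).name.startswith(".")]
    findings += [f"runs from user-writable path: {p}" for p in paths if p.startswith(USER_WRITABLE)]
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: starts at boot and restarts if killed")
    return findings

def scan_launch_dirs(dirs=LAUNCH_DIRS) -> dict[str, list[str]]:
    """Audit every .plist in the launchd directories; returns {plist path: findings}."""
    results = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                findings = audit_plist(p.read_bytes())
            except Exception as exc:  # a malformed plist is itself worth a look
                findings = [f"unparseable plist: {exc}"]
            if findings:
                results[str(p)] = findings
    return results

# Constructed samples (not real AMOS artifacts) to exercise the heuristics.
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.helper",  # placeholder label
    "ProgramArguments": ["/bin/sh", "/Users/demo/.agent"],
    "RunAtLoad": True, "KeepAlive": True,
})
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.backup", "Program": "/usr/local/bin/backupd", "RunAtLoad": True})

if __name__ == "__main__":
    for path, reasons in scan_launch_dirs().items():
        print(path, *reasons, sep="\n  ")
```

Any hit on a dot-named file or a user-writable path under `/Library/LaunchDaemons` deserves a look at the file it points to; the heuristics are deliberately broad, so legitimate third-party agents will also appear.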
This update, believed to be only the second instance of a globally scaled backdoor targeting macOS after North Korean campaigns, signifies a shift in intent, whether by the original Russia-affiliated AMOS developers or other actors modifying the code.
The active C2 infrastructure, along with URLs fetching malicious payloads (e.g., from isnimitz[.]com), indicates the campaign is in full swing.
Moonlock warns that the malware-as-a-service (MaaS) model could lead to more variants, enhancing evasion techniques and exploitation opportunities.
For Mac users, the risk now extends beyond stolen credentials to complete system compromise, necessitating immediate awareness and robust defenses like anti-malware tools to detect and block AMOS before it embeds itself.
Indicators of Compromise (IOCs)