Atomic macOS Stealer (AMOS), a well-known data-theft malware, has taken a sharp turn in how it reaches victims.
Instead of hiding inside cracked software downloads as it once did, threat actors now embed it within malicious OpenClaw skills — small add-on packages that extend AI agent capabilities on platforms like OpenClaw.
AMOS operates as a malware-as-a-service (MaaS) tool built to steal sensitive data from Apple users.
It harvests a wide range of information, including credentials, browser data, cryptocurrency wallet details, Telegram chats, VPN profiles, Apple keychain items, and files from common folders such as Desktop, Documents, and Downloads.
Trend Micro analysts identified a new AMOS variant embedded in OpenClaw skills and tracked the campaign across multiple repositories.
Threat actors had uploaded 39 malicious skills to ClawHub, SkillsMP, and GitHub, with over 2,200 malicious skills eventually discovered on GitHub alone.
This campaign marks a clear shift from earlier AMOS delivery methods and introduces a new form of supply chain attack targeting AI agent workflows.
The attack begins with a SKILL.md file that looks completely harmless. It tells the AI agent to install a fake prerequisite called “OpenClawCLI” from a malicious external website.
.webp)
When a less cautious model like GPT-4o processes the instruction, it either installs the tool silently or continuously prompts the user to install the fake “driver” manually.
.webp)
More capable models like Claude Opus 4.5 flag the skill as suspicious and refuse to proceed.
If the user or AI agent presses ahead, a Base64-encoded command is fetched and executed, dropping a Mach-O universal binary that runs on both Intel-based and Apple Silicon Mac machines.
.webp)
When macOS rejects the unsigned file, a fake password dialogue box appears, tricking the user into entering their system password — giving the malware exactly the access it needs to proceed.
Inside the Infection Chain
Once the password is entered, AMOS begins collecting data immediately.
It gathers the machine’s username and password, files from Desktop, Downloads, and Documents folders (including .pdf, .csv, .kdbx, and .docx formats), Apple keychain credentials, and Apple Notes.
The malware also targets 19 browsers for stored cookies, passwords, and credit card data, and can reach across 150 cryptocurrency wallets.
.webp)
All collected data is compressed into a ZIP archive and uploaded to a command-and-control (C&C) server at socifiapp[.]com.
Users are advised to verify the source of any OpenClaw skill before running it, avoid entering system passwords prompted by unfamiliar tools, test unvalidated skills in an isolated environment, and use containers to limit AI agent execution.
IoCs
| Type | Indicator | Description |
|---|---|---|
| URL | hxxps://openclawcli[.]vercel[.]app/ | Malicious skill delivery site |
| IP Address | 91.92.242[.]30 | Payload download server |
| URL | hxxp://91.92.242[.]30/ece0f208u7uqhs6x | Payload download URL |
| File Name | il24xgriequcys45 | Mach-O universal binary (AMOS payload) |
| C2 Server | socifiapp[.]com | Command-and-control exfiltration endpoint |
| Detection Name | Trojan.MacOS.Amos | AMOS malware detection name |
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
