An Analysis of the AMOS Stealer Campaign Targeting macOS via 'Cracked' Apps
Essential information
- Published
- 04/09/2025 17:54
- Modified
- 04/09/2025 21:44
- Tags
- 2025-09-04 amos atomic macos stealer cracked apps data exfiltration gatekeeper bypass macos persistence social engineering stealer
- Related entities
- 9 techniques (mitre)
Description
This analysis examines a campaign distributing Atomic macOS Stealer (AMOS), targeting macOS users through fake 'cracked' applications. Attackers use two main delivery methods: malicious .dmg installers and terminal commands that bypass Gatekeeper protection. AMOS employs rotating domains to evade detection and steals a wide range of sensitive data, including credentials, browser information, cryptocurrency wallets, and system files. The campaign demonstrates sophisticated tactics, adapting to macOS security improvements and leveraging social engineering. The report emphasizes the importance of comprehensive endpoint detection, user education, and defense-in-depth strategies to combat such threats.