Atomic macOS Stealer includes a backdoor for persistent access
Essential information
- Published
- 08/08/2025 17:08
- Modified
- 10/08/2025 21:47
- Tags
- 2025-07-10 2025-08-08 amos atomic macos stealer backdoor command and control cryptocurrency data exfiltration macos persistent access russia-affiliated spear-phishing
- Related entities
- 6 observables, 5 techniques (mitre), 6 others
Description
The Atomic macOS Stealer (AMOS) has received a major update, now including an embedded backdoor for persistent access to compromised Mac devices. This upgrade allows attackers to maintain access, run remote tasks, and gain extended control over infected machines. The Russia-affiliated AMOS threat group has expanded its capabilities beyond data exfiltration, now enabling full system compromise. The malware's distribution vectors include websites offering cracked software and spear phishing campaigns targeting high-value individuals. The infection process involves a trojanized DMG file, bash scripts, and AppleScript for execution and persistence. The backdoor communicates with command-and-control servers, fetching and executing tasks on compromised systems. This evolution represents a significant escalation in both capability and intent, posing a higher risk to macOS users worldwide.