A new information stealer for Apple macOS, called Atomic macOS Stealer (AMOS), is being advertised on Telegram for $1,000 per month.


According to a recent research from Cyble, the malware can steal various types of information from the victim’s machine, including passwords, system information, and files. It can also extract data from web browsers and cryptocurrency wallets.

The malware takes the form of an unsigned disk image file and urges the victim to enter their system password on a bogus prompt to escalate privileges and carry out its malicious activities.


The initial intrusion vector used to deliver the malware is not clear, but it’s possible that users are manipulated into downloading and executing it under the guise of legitimate software. The malware could be installed by exploiting vulnerabilities or hosting on phishing websites.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Execution T1204.002 User Execution: Malicious File
Credential Access T1110 Brute Force
Credential Access T1555.001 Keychain
Credential Access T1555.003 Credentials from Web Browsers
Discovery T1083 File and Directory Discovery
Command and Control T1132.001 Data Encoding: Standard Encoding
Exfiltration T1041 Exfiltration Over C&C Channel

Indicators of Compromise