An Analysis of the AMOS Stealer Campaign Targeting macOS via 'Cracked' Apps
Sept. 4, 2025, 9:44 p.m.
Description
This analysis examines a campaign distributing Atomic macOS Stealer (AMOS), targeting macOS users through fake 'cracked' applications. Attackers use two main delivery methods: malicious .dmg installers and terminal commands that bypass Gatekeeper protection. AMOS employs rotating domains to evade detection and steals a wide range of sensitive data, including credentials, browser information, cryptocurrency wallets, and system files. The campaign demonstrates sophisticated tactics, adapting to macOS security improvements and leveraging social engineering. The report emphasizes the importance of comprehensive endpoint detection, user education, and defense-in-depth strategies to combat such threats.
Date
- Created: Sept. 4, 2025, 5:54 p.m.
- Published: Sept. 4, 2025, 5:54 p.m.
- Modified: Sept. 4, 2025, 9:44 p.m.