Atomic Stealer (macOS) (also known as AMOS, Atomic macOS Stealer) is a macos malware active since 2023. macOS information stealer. Key characteristics include: Keychain passwords, browser data, crypto wallets, file grabber, $1000/month MaaS, malvertising delivery.
Overview & Background
macOS information stealer. First identified in 2023, this threat is attributed to eCrime (MaaS).
Atomic Stealer remains an active threat. Organizations should implement detection rules and monitor for indicators associated with this macos malware.
- Category: macOS Malware
- Active since: 2023
- Attribution: eCrime (MaaS)
- Also known as: AMOS, Atomic macOS Stealer
Technical Analysis
Atomic Stealer employs the following capabilities and techniques:
- Keychain Passwords: Core functionality
- Browser Data: Core functionality
- Crypto Wallets: Core functionality
- File Grabber: Core functionality
- $1000/Month Maas: Core functionality
- Malvertising Delivery: Core functionality
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | Common delivery vector |
| Execution | T1204.002 Malicious File | User-triggered execution |
| Persistence | T1547.001 Registry Run Keys | Autostart persistence |
| Defense Evasion | T1027 Obfuscated Files | Payload obfuscation |
| C2 | T1071.001 Web Protocols | HTTP/HTTPS C2 |
Detection & Defense
- Endpoint detection: Deploy behavioral detection rules for Atomic Stealer indicators
- Network monitoring: Monitor for C2 traffic patterns and anomalous connections
- Threat intelligence: Track Atomic Stealer IOCs and campaign updates
- Security awareness: Train users to recognize phishing and social engineering
- Patch management: Keep systems updated to prevent exploitation
Defend Against Atomic Stealer
Mjolnir Security provides detection and response capabilities against Atomic Stealer and similar threats.
- Proactive Threat Hunting Hunt for Atomic Stealer indicators and TTPs within your environment.
- Threat Intelligence Monitor Atomic Stealer campaigns and infrastructure changes.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.
Stay ahead of emerging threats. Get notified when we publish new intelligence reports and advisories.
Subscribe to Alerts