Warning: AMOS Stealer Variant Targets macOS

Specialists at Bitdefender have discovered a new variant of the malicious software AMOS Stealer (or Atomic Stealer), one of the most prevalent cyber threats for macOS users over the past year. According to Bitdefender experts, the new variant was identified during the examination of old and new samples of macOS malware, to enhance the detection capabilities of similar threats.

Suspicion was aroused by several small-sized (1.3 MB) macOS disk images. Detailed analysis revealed similarities between the new variant and RustDoor. Both variants are designed to collect confidential files from infected computers, with the current version being a more advanced iteration of the RustDoor script.


The new version boasts additional features. It gathers Cookies.binarycookies files from the Safari browser, files with specific extensions from particular locations, and utilizes the system_profiler utility to obtain system data.

Thus, attackers gain information about the technical specifications of the computer, operating system versions, connected monitors, and graphics cards. The archive is augmented with passwords, encryption keys, and certificates, indicating a growing interest in crypto platforms.

In this version, Python and Apple Scripting are combined unconventionally – the grabber() file executes a large block of Apple Script using the osascript -e command. The DMG files contain executable modules for Intel and ARM, which are used for data theft.

Upon opening, the Crack Installer application prompts the user to unpack the file. The Python script collects confidential data from various sources, including crypto wallets, browsers, and accounts.

The collected data is saved in a ZIP archive and sent to a C2 server via a POST request. The archive’s structure is confirmed by the server.

Currently, the new variant is virtually undetectable by antivirus programs. Bitdefender has published indicators of compromise to detect and neutralize this cyber threat.