
Atomic macOS Stealer Evolves With New Remote Access Backdoor

The Atomic macOS Stealer (AMOS) malware has been upgraded with a new backdoor, enabling attackers to gain persistent remote access to infected systems. This evolution marks a significant escalation from data theft to potential full device control, increasing the threat level for macOS users.

The notorious Atomic macOS Stealer (AMOS) malware has received a dangerous upgrade that significantly escalates the threat to Mac users worldwide. For the first time, this Russia-affiliated stealer is being deployed with an embedded backdoor, transforming what was once a “smash-and-grab” data theft tool into a platform for sustained surveillance and system compromise.

This evolution represents a critical escalation in the malware's capabilities, allowing attackers to maintain persistent access to compromised macOS systems, execute remote commands, and establish long-term control over victim machines. According to cybersecurity researchers at Moonlock, MacPaw's security division, this marks only the second known case of backdoor deployment targeting macOS users at a global scale, following similar tactics employed by North Korean threat actors. The malware campaigns have already infiltrated over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada being among the most affected regions.

What is Atomic Stealer?

Atomic Stealer, also known as AMOS, first appeared in April 2023 and rapidly established itself as one of the most dangerous info-stealing malware families targeting macOS users. AMOS also targets data from browser extensions, boasting support for over 100 extensions.

Dual Attack Vectors

The upgraded AMOS employs two primary distribution methods. The first involves websites offering cracked or counterfeit software. The second is through sophisticated spear-phishing campaigns that target high-value individuals, particularly cryptocurrency holders, artists, and freelancers. It deploys hidden files named “.helper” and “.agent” to maintain covert operations and evade detection. The backdoor communicates with C2 servers by sending HTTP POST requests every 60 seconds to receive new tasks.
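
A defender-side illustration of the 60-second POST check-in described above, added here as an example and not taken from Moonlock's research or any vendor tooling: it flags client/destination pairs in proxy logs whose POST requests recur at a near-constant 60-second interval. The log format, host names, and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). Assumed format:
# ISO timestamp, client host, HTTP method, URL.
SAMPLE_LOG = """\
2025-07-10T09:00:00 mac-014 POST http://beacon.example.invalid/tasks
2025-07-10T09:00:12 mac-022 GET http://news.example.org/index.html
2025-07-10T09:00:30 mac-022 POST http://forms.example.org/submit
2025-07-10T09:01:01 mac-014 POST http://beacon.example.invalid/tasks
2025-07-10T09:02:00 mac-014 POST http://beacon.example.invalid/tasks
2025-07-10T09:02:10 mac-022 POST http://forms.example.org/submit
2025-07-10T09:02:15 mac-022 POST http://forms.example.org/submit
2025-07-10T09:03:02 mac-014 POST http://beacon.example.invalid/tasks
2025-07-10T09:04:01 mac-014 POST http://beacon.example.invalid/tasks
2025-07-10T09:05:00 mac-014 POST http://beacon.example.invalid/tasks
2025-07-10T09:07:40 mac-022 POST http://forms.example.org/submit
2025-07-10T09:09:00 mac-022 POST http://forms.example.org/submit
2025-07-10T09:09:05 mac-022 POST http://forms.example.org/submit
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)")

def find_beacons(log_text, period=60.0, tolerance=5.0, max_jitter=3.0, min_events=5):
    """Return (client, dest_host, mean_gap_seconds) for POST streams spaced ~period apart."""
    streams = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "POST":
            streams[(m.group(2), m.group(4))].append(datetime.fromisoformat(m.group(1)))
    hits = []
    for (client, dest), times in sorted(streams.items()):
        if len(times) < min_events:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        # Human-driven form posts are bursty; a timer-driven check-in has a
        # mean gap near the period and a small spread around it.
        if abs(avg - period) <= tolerance and jitter <= max_jitter:
            hits.append((client, dest, round(avg, 1)))
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Legitimate software such as update checkers and telemetry agents also polls on fixed timers, so hits are leads to triage against known-good destinations, not verdicts.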

How to Stay Protected

Security experts recommend that Mac users take multiple protective measures. Implementing strong security measures, including antivirus and anti-malware software, as well as endpoint detection and response (EDR) solutions, is crucial. If you suspect an infection, immediately disconnect from the internet, run a full system scan with a reputable antivirus program, and change all important passwords. The evolution of AMOS underscores that macOS is not immune and requires the same security vigilance as other operating systems.
