The Evolution of Atomic macOS Stealer: Backdoors, Keyloggers, and Persistent Threats

This episode exposes the growing menace of Atomic macOS Stealer (AMOS) — a rapidly evolving malware-as-a-service (MaaS) platform targeting macOS users worldwide. Once seen as a simple data stealer, AMOS has matured into a potent, long-term threat featuring keyloggers, a persistent backdoor, and system-level access, all designed to exfiltrate data and maintain control over compromised systems.

AMOS now enables threat actors to remotely execute commands, spy on users, and re-infect devices even after reboot, thanks to advanced macOS persistence techniques like LaunchDaemons and hidden binary scripts. Its infection chain relies on social engineering, counterfeit applications, and tampered DMG installers — making even savvy Mac users vulnerable.

This episode explores:

  • AMOS’s evolution from stealer to full-platform malware with persistent remote access
  • Key features of the latest version, including a keylogger and embedded backdoor capable of running arbitrary commands
  • Real-world attack vectors, such as phishing campaigns, cracked software, poisoned torrents, and fake job ads targeting cryptocurrency holders and freelancers
  • The use of macOS persistence mechanisms (LaunchDaemons, osascript, ScriptMonitor) and Gatekeeper evasion
  • Cross-platform development in Go, allowing the malware to operate seamlessly across Mac architectures
  • The global impact, with campaigns spanning over 120 countries and rising infection rates in the U.S., U.K., France, and Canada
  • How AMOS compares to Cthulhu Stealer and North Korea-aligned tools like RustBucket and macOS BeaverTail
  • Practical security steps to detect and mitigate AMOS, including IOC monitoring, digital signature verification, and behavioral endpoint defenses
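The persistence mechanisms and detection steps listed above come together in a concrete check a defender can run: enumerating launchd jobs and scoring them for the traits the episode describes (auto-start, binaries hidden in dot-directories or staging locations, osascript in the command line). The script below is an added example written for this page, not code from the episode or from any AMOS sample; the plists it parses are constructed inline so it runs offline, and the staging-directory list and the finding names are this example's own assumptions. On a real host you would feed it the files under the launchd directories named in LAUNCH_DIRS.

```python
"""Triage launchd property lists for the persistence traits a macOS stealer
relies on. Added example: samples below are constructed, not real IOCs."""
import plistlib
from typing import Dict, List, Tuple

# Where launchd jobs live on a real host; listed for the reader, not read here.
LAUNCH_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents",
               "~/Library/LaunchAgents")

# Staging locations legitimate daemons rarely run from (assumption for scoring).
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def program_path(job: dict) -> str:
    """Return the executable a job runs: `Program` wins, otherwise argv[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def persistence_findings(job: dict) -> List[str]:
    """Collect indicators worth a second look, in a stable order, no duplicates."""
    findings: List[str] = []

    def note(flag: str) -> None:
        if flag not in findings:
            findings.append(flag)

    if job.get("RunAtLoad"):
        note("RunAtLoad")
    if job.get("KeepAlive"):          # bool or dict; any value keeps the job alive
        note("KeepAlive")
    argv = [str(a) for a in (job.get("ProgramArguments") or [])]
    for token in [program_path(job)] + argv:
        if "osascript" in token:
            note("invokes osascript")
        if token.startswith(TEMP_PREFIXES):
            note("runs from temp or shared dir")
        if any(part.startswith(".") for part in token.split("/") if part):
            note("hidden path component")
    return findings


def triage(plists: Dict[str, bytes]) -> List[Tuple[str, str, List[str]]]:
    """Parse each plist (keyed by file path); return (path, Label, findings)
    sorted so the jobs with the most indicators come first. A plist that will
    not parse is itself reported, since a damaged file is a finding too."""
    rows: List[Tuple[str, str, List[str]]] = []
    for file_path, raw in plists.items():
        try:
            job = plistlib.loads(raw)
        except Exception as exc:  # InvalidFileException or an expat error
            rows.append((file_path, "<unparseable>", [f"plist parse error: {exc}"]))
            continue
        label = str(job.get("Label", "<no label>"))
        rows.append((file_path, label, persistence_findings(job)))
    rows.sort(key=lambda r: len(r[2]), reverse=True)
    return rows


# Constructed samples (hypothetical paths and labels, not real artifacts).
SAMPLES: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/usr/local/bin/example-updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.sample.suspicious-agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.sample.suspicious-agent</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Users/Shared/.helper/agent.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/broken.plist": b"<plist><dict><key>Label</key>",
}


def triage_samples() -> List[Tuple[str, str, List[str]]]:
    """Run the triage over the embedded samples."""
    return triage(SAMPLES)


if __name__ == "__main__":
    for path, label, findings in triage_samples():
        print(f"{len(findings)} {label:32s} {path}")
        for f in findings:
            print(f"    - {f}")
```

A single RunAtLoad hit is normal for legitimate software, so the value is in the ranking: jobs combining auto-start with a hidden or staged path and a script interpreter rise to the top, and those are the ones to pair with the signature check (codesign/spctl) the episode recommends.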

AMOS has rapidly become one of the top three most detected macOS threats, signaling a paradigm shift in Mac-targeted malware. With crypto wallets, browser data, and personal credentials at risk, this episode is essential listening for anyone working in cybersecurity or IT, or using Macs in high-risk industries.
