AMOS Mac Malware Spreads via Fake Ads and Trojanized macOS Downloads
Researchers reported multiple campaigns distributing macOS infostealers tied to the AMOS/AtomicStealer ecosystem, a malware-as-a-service operation that steals credentials, browser data, cryptocurrency wallets, Apple Notes, files, and Keychain material from macOS Catalina and newer systems on Intel, M1, and M2 devices. Earlier reporting on related macOS stealers showed operators relying on social engineering, unsigned DMG files, and password prompts to collect sensitive data, package it into archives, and exfiltrate it to command-and-control servers, with some activity also summarized to Telegram channels.
More recent campaigns used malvertising and fake software or troubleshooting pages to lure users into running Terminal commands that fetched an AMOS variant known as "malext". Investigators said the malware used obfuscated shell commands, osascript, quarantine removal, anti-VM and sandbox checks, and in some cases installed persistence through a LaunchDaemon and helper scripts, while also trojanizing Ledger and Trezor applications and capturing administrator passwords. Reporting also linked AMOS delivery to fake CleanMyMac sites and AI-themed lures, indicating operators are rapidly rotating ad accounts and adapting infection vectors to broaden theft and remote access on macOS systems.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Fake CleanMyMac campaign reported delivering macOS malware
Cybernews reported a fake CleanMyMac-themed campaign targeting Mac users and delivering malware with cryptocurrency theft impacts. The report represents another publicly disclosed AMOS-related social-engineering distribution campaign affecting macOS users.
Researchers uncover AMOS 'malext' malvertising campaign
Researchers uncovered a large-scale malvertising campaign using fake Google Ads and malicious text-hosting pages to trick macOS users into running Terminal commands that installed an AMOS variant dubbed 'malext.' Google Ads Library data cited in the report showed more than 34 ads and at least 53 compromised ad accounts involved.
AMOS activity linked to operations active since late 2025
Researchers assessing later AMOS campaigns linked the activity to an AMOS-family operation that had been active since late 2025. This established a broader operational timeframe for the malware family beyond isolated detections.
Kroll reports a new AMOS infection vector tied to AI-themed lures
Kroll published research describing a new infection vector for AMOS and highlighting risks associated with AI adoption-themed social engineering. The report marked a new documented delivery method for the macOS infostealer family.
Atomic Stealer upgrade reported using encrypted payloads
A January 2024 report said Atomic Stealer for macOS had been updated to target Mac users with encrypted payloads. The disclosure marked a new technical development in the AMOS malware family beyond earlier reporting on its initial capabilities and malvertising distribution.
Atomic macOS Stealer delivered via malvertising campaign
Malwarebytes reported that Mac users were being targeted by a new malvertising campaign distributing Atomic macOS Stealer (AMOS). The report documented a new publicly disclosed delivery method for the malware family via malicious online advertising.
Researchers disclose OSX.MacStealer targeting macOS users
Uptycs researchers disclosed a new macOS infostealer dubbed OSX.MacStealer that targets files, browser data, cryptocurrency wallets, and Apple Keychain data on macOS Catalina and newer systems. The malware was reported to spread via unsigned DMG files using social engineering and to exfiltrate stolen data to command-and-control infrastructure while sending summaries to Telegram.
MacStealer is advertised as a macOS MaaS infostealer
A macOS information-stealing malware called MacStealer began being advertised on a dark web forum in early March as a malware-as-a-service offering priced at $100. The offering was described as still in early beta and lacking a builder or management panel.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Fake CleanMyMac campaign targets Macs, drains crypto | Cybernews
cybernews.com
Open sourceMalvertising Campaign Spreads AMOS ‘malext’ macOS Infostealer via Fake Text-Sharing Ads
gbhackers.com
Open sourceMalwarebytes Threat Alert | OSX.AtomicStealer
malwarebytes.com
Open sourceAtomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload
thehackernews.com
Open sourceMac users targeted in new malvertising campaign delivering Atomic Stealer
malwarebytes.com
Open sourceNew macOS malware steals sensitive info, including a user’s entire Keychain database
malwarebytes.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Atomic macOS Stealer expands via Telegram MaaS and ClickFix social engineering
**Atomic macOS Stealer (AMOS)** has emerged as a leading macOS infostealer sold as a malware-as-a-service offering on Telegram and used in campaigns that rely heavily on social engineering rather than exploits. Researchers found the Golang-based malware distributed in forms including malicious DMG installers and ClickFix-style lures that trick users into running Terminal commands, after which it captures or validates the victim’s macOS password, steals **Keychain** contents, browser credentials, cookies, autofill data, files, Apple Notes, extension storage, session tokens, system information, and cryptocurrency wallet data, then exfiltrates the results to attacker-controlled infrastructure and, in earlier observed versions, Telegram. Operators have advertised AMOS for **$1,000 per month** alongside add-on services such as a victim panel, crypto tooling, and installer support. Sophos said AMOS accounted for nearly **40%** of its macOS protection updates in 2025 and almost half of recent macOS stealer cases seen by customers, underscoring its scale and persistence. In one investigated intrusion, a bootstrap script fetched from `sphereou[.]com` downloaded a second-stage payload, performed anti-analysis checks, registered with command-and-control, and established persistence through a **LaunchDaemon** after obtaining elevated access. Earlier reporting tied AMOS infrastructure to `amos-malware[.]ru`, with exfiltration observed to `/sendlog`, while newer variants increasingly use AI-themed lures, fake installers, cracked apps, repeated password prompts, and fake Ledger and Trezor modules to broaden credential theft and cryptocurrency targeting.
May 25, 2026
Malvertising Campaign Delivers AMOS and Odyssey Stealer via Fake macOS Tool Sites
A sophisticated cybercriminal campaign has been identified targeting macOS users, particularly developers, by leveraging fake download portals that impersonate trusted platforms such as Homebrew, LogMeIn, and TradingView. The attackers have registered over 85 domains that closely mimic the legitimate sites of these popular tools, using convincing branding and user interfaces to deceive visitors. These malicious domains are promoted through Google Ads, ensuring that they appear prominently in search results and increasing the likelihood that unsuspecting users will visit them. Once on the fake sites, users are instructed to copy and execute a curl command in their Terminal, which initiates the download and installation of infostealing malware. The primary payloads delivered in this campaign are AMOS (Atomic macOS Stealer) and Odyssey Stealer, both of which are capable of harvesting sensitive information such as system details, browser data, and cryptocurrency credentials from infected machines. The campaign employs advanced social engineering tactics, including clipboard manipulation and command obfuscation, to increase the success rate of infections. Researchers from Hunt.io have mapped the infrastructure supporting this operation, noting that the attackers reuse IP addresses and SSL certificates across multiple domains, indicating a persistent and well-organized effort. The infrastructure has been active for several years, with some IP addresses registered under personal names, suggesting a degree of operational continuity and experience. The campaign does not rely on exploiting software vulnerabilities but instead exploits user trust in widely used open-source and financial tools. The use of Google Ads as a distribution vector highlights the attackers' willingness to invest in paid advertising to reach their targets. The campaign's focus on the developer community is particularly concerning, as compromised developer systems could lead to broader supply chain risks. Security researchers have emphasized the importance of verifying download sources and being wary of unsolicited installation instructions, especially those involving Terminal commands. The ongoing nature of the campaign, with continuous adaptation of infrastructure and tactics, underscores the need for vigilance among macOS users. The discovery of this campaign began with public reports from independent researchers, which were then corroborated and expanded upon by threat intelligence teams. The scale and persistence of the operation suggest that it is likely to continue evolving, posing a significant threat to the macOS ecosystem. Organizations are advised to educate users about the risks of malvertising and to implement technical controls to block access to known malicious domains. The campaign demonstrates the increasing sophistication of social engineering attacks targeting macOS, a platform often perceived as less vulnerable than Windows.
Mar 21, 2026
Mac Stealers Cuckoo and Atomic Stealer Spread via Fake Homebrew and Malvertising
Researchers reported active distribution of multiple **macOS information stealers**, including newly identified **Cuckoo** malware and an updated **Atomic Stealer** (`AMOS`), through social engineering that impersonates trusted software. Intego said Cuckoo was disguised as **Homebrew**, while Malwarebytes documented Atomic Stealer being delivered through **crack sites** and a **Google malvertising** campaign that spoofed **Slack** for Mac users and dropped **FakeBat** on Windows systems. The campaigns were designed to harvest sensitive data from Apple devices by tricking users into opening malicious DMG files and entering their **system password**. Malwarebytes said the latest AMOS build added **payload encryption** and **string obfuscation** to hinder detection, and was capable of stealing passwords, browser cookies, cryptocurrency wallet data, and other files, with exfiltration observed to `5.42.65[.]108`. The reporting shows continued commercial development of macOS stealers and a growing use of fake software branding to target Mac users.
May 28, 2026