Mac Stealers Cuckoo and Atomic Stealer Spread via Fake Homebrew and Malvertising
Researchers reported active distribution of multiple macOS information stealers, including newly identified Cuckoo malware and an updated Atomic Stealer (AMOS), through social engineering that impersonates trusted software. Intego said Cuckoo was disguised as Homebrew, while Malwarebytes documented Atomic Stealer being delivered through crack sites and a Google malvertising campaign that spoofed Slack for Mac users and dropped FakeBat on Windows systems.
The campaigns were designed to harvest sensitive data from Apple devices by tricking users into opening malicious DMG files and entering their system password. Malwarebytes said the latest AMOS build added payload encryption and string obfuscation to hinder detection, and was capable of stealing passwords, browser cookies, cryptocurrency wallet data, and other files, with exfiltration observed to 5.42.65[.]108. The reporting shows continued commercial development of macOS stealers and a growing use of fake software branding to target Mac users.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Intego discovers Cuckoo Mac malware mimicking Homebrew
Intego published research on May 16, 2024, describing a new Mac malware family called Cuckoo that mimicked Homebrew. The reference indicates this was a newly discovered malware threat targeting macOS users.
Google malvertising campaign distributed Atomic Stealer to Mac users
In January 2024, researchers observed a Google malvertising campaign impersonating Slack that delivered FakeBat to Windows users and Atomic Stealer to Mac users. The malicious macOS DMG prompted victims for their system password and enabled theft of passwords, browser cookies, crypto wallet data, and other sensitive files.
Atomic Stealer updated with encryption and obfuscation
Malwarebytes reported that Atomic Stealer (AMOS) was updated in mid-to-late December 2023 to add payload encryption and string obfuscation aimed at evading detection. The report also noted ongoing feature development and commercial promotion by the operators.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AMOS Mac Malware Spreads via Fake Ads and Trojanized macOS Downloads
Researchers reported multiple campaigns distributing macOS infostealers tied to the **AMOS/AtomicStealer** ecosystem, a malware-as-a-service operation that steals credentials, browser data, cryptocurrency wallets, Apple Notes, files, and **Keychain** material from macOS Catalina and newer systems on Intel, M1, and M2 devices. Earlier reporting on related macOS stealers showed operators relying on social engineering, unsigned DMG files, and password prompts to collect sensitive data, package it into archives, and exfiltrate it to command-and-control servers, with some activity also summarized to Telegram channels. More recent campaigns used **malvertising** and fake software or troubleshooting pages to lure users into running Terminal commands that fetched an AMOS variant known as **"malext"**. Investigators said the malware used obfuscated shell commands, `osascript`, quarantine removal, anti-VM and sandbox checks, and in some cases installed persistence through a LaunchDaemon and helper scripts, while also trojanizing Ledger and Trezor applications and capturing administrator passwords. Reporting also linked AMOS delivery to fake **CleanMyMac** sites and AI-themed lures, indicating operators are rapidly rotating ad accounts and adapting infection vectors to broaden theft and remote access on macOS systems.
May 25, 2026
Atomic macOS Stealer Delivered Through Fake Homebrew Page
A malicious advertisement redirected users to a counterfeit Homebrew page that instructed victims to paste text into Terminal, leading to an **Atomic macOS Stealer (AMOS)** infection on macOS systems. The observed chain dropped files into `/tmp` and installed a persistent payload, with supporting artifacts including password-protected ZIP archives, temporary files, and a malware directory used to maintain access after execution. AMOS is a Golang-based macOS information stealer sold through criminal channels and marketed with ongoing updates and operator support. The malware is designed to harvest **Keychain data**, browser credentials, files, cryptocurrency wallet data, and system information, while also using fake password prompts to capture the macOS password before exfiltrating stolen data to command-and-control infrastructure and Telegram; researchers have previously linked the offering to a subscription model that included a victim management panel and other follow-on criminal services.
Jun 14, 2026
macOS Infostealer Campaigns Using Social Engineering and Evasion Tactics
Threat actors are escalating **macOS infostealer** activity through multiple distribution and evasion techniques aimed at harvesting sensitive user data. One campaign abuses trust in legitimate AI platforms by promoting shareable *ChatGPT* and *Grok* conversation links via **Google Ads**, luring users searching for common macOS troubleshooting help into running malicious Terminal commands using the **“ClickFix”** social-engineering pattern. Executing the provided shell commands results in installation of **Atomic macOS Stealer (AMOS)**, which steals browser credentials, crypto wallet seed phrases, **Keychain** data, and personal files before exfiltrating them to attacker-controlled infrastructure. Separately, **Odyssey Stealer** intrusions against macOS have surged globally, with notable targeting reported in the U.S., France, and Spain and additional impact across Europe, the Americas, and parts of Asia and Africa. Moonlock Lab reporting indicates Odyssey is delivered through **fake software updates, cracked tools, and fraudulent apps**, and is designed to evade detection by generating a **unique fingerprint per infection**, frequently changing code structure, and using many distinct **SHA-256** variants—suggesting automated builders are being used to produce large numbers of hard-to-block samples. Collectively, the reporting highlights sustained pressure on macOS users from credential-stealing malware that blends high-trust lures with rapid variant generation to hinder traditional defenses.
Mar 21, 2026