Atomic macOS Stealer Delivered Through Fake Homebrew Page
A malicious advertisement redirected users to a counterfeit Homebrew page that instructed victims to paste text into Terminal, leading to an Atomic macOS Stealer (AMOS) infection on macOS systems. The observed chain dropped files into /tmp and installed a persistent payload, with supporting artifacts including password-protected ZIP archives, temporary files, and a malware directory used to maintain access after execution.
AMOS is a Golang-based macOS information stealer sold through criminal channels and marketed with ongoing updates and operator support. The malware is designed to harvest Keychain data, browser credentials, files, cryptocurrency wallet data, and system information, while also using fake password prompts to capture the macOS password before exfiltrating stolen data to command-and-control infrastructure and Telegram; researchers have previously linked the offering to a subscription model that included a victim management panel and other follow-on criminal services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
AMOS infection chain observed via fake Homebrew page
On 2026-06-09, Malware-Traffic-Analysis.net documented an Atomic macOS (AMOS) Stealer infection chain in which a malicious advertisement redirected users to a fake Homebrew page. The page instructed the victim to paste text into Terminal, leading to files being dropped in /tmp and installation of a persistent AMOS payload.
SophosLabs publishes AMOS indicators of compromise
On 2024-09-06, SophosLabs added a public CSV of indicators of compromise for Atomic macOS Stealer (AMOS) to its GitHub IoCs repository. The IOC set included nine SHA-256 sample hashes, malware-hosting domains, and malvertising-related domains and URL paths tied to AMOS delivery.
Cyble analyzes Atomic macOS Stealer sold on Telegram
On 2023-04-26, Cyble Research and Intelligence Labs published analysis of Atomic macOS Stealer (AMOS), describing it as a Golang-based macOS infostealer marketed on Telegram for $1,000 per month. The report detailed its DMG-based delivery, fake password prompt, theft of keychain, browser, file, wallet, and system data, and exfiltration to a C2 server and Telegram.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Malware-Traffic-Analysis.net - 2026-06-09: Atomic macOS (AMOS) Stealer infection
malware-traffic-analysis.net
Open sourceIoCs/Atomic-infostealer-IOCs.csv at master · sophoslabs/IoCs · GitHub
github.com
Open sourceNew Atomic MacOS Stealer For Sale On Telegram
cyble.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Atomic macOS Stealer expands via Telegram MaaS and ClickFix social engineering
**Atomic macOS Stealer (AMOS)** has emerged as a leading macOS infostealer sold as a malware-as-a-service offering on Telegram and used in campaigns that rely heavily on social engineering rather than exploits. Researchers found the Golang-based malware distributed in forms including malicious DMG installers and ClickFix-style lures that trick users into running Terminal commands, after which it captures or validates the victim’s macOS password, steals **Keychain** contents, browser credentials, cookies, autofill data, files, Apple Notes, extension storage, session tokens, system information, and cryptocurrency wallet data, then exfiltrates the results to attacker-controlled infrastructure and, in earlier observed versions, Telegram. Operators have advertised AMOS for **$1,000 per month** alongside add-on services such as a victim panel, crypto tooling, and installer support. Sophos said AMOS accounted for nearly **40%** of its macOS protection updates in 2025 and almost half of recent macOS stealer cases seen by customers, underscoring its scale and persistence. In one investigated intrusion, a bootstrap script fetched from `sphereou[.]com` downloaded a second-stage payload, performed anti-analysis checks, registered with command-and-control, and established persistence through a **LaunchDaemon** after obtaining elevated access. Earlier reporting tied AMOS infrastructure to `amos-malware[.]ru`, with exfiltration observed to `/sendlog`, while newer variants increasingly use AI-themed lures, fake installers, cracked apps, repeated password prompts, and fake Ledger and Trezor modules to broaden credential theft and cryptocurrency targeting.
May 25, 2026
Mac Stealers Cuckoo and Atomic Stealer Spread via Fake Homebrew and Malvertising
Researchers reported active distribution of multiple **macOS information stealers**, including newly identified **Cuckoo** malware and an updated **Atomic Stealer** (`AMOS`), through social engineering that impersonates trusted software. Intego said Cuckoo was disguised as **Homebrew**, while Malwarebytes documented Atomic Stealer being delivered through **crack sites** and a **Google malvertising** campaign that spoofed **Slack** for Mac users and dropped **FakeBat** on Windows systems. The campaigns were designed to harvest sensitive data from Apple devices by tricking users into opening malicious DMG files and entering their **system password**. Malwarebytes said the latest AMOS build added **payload encryption** and **string obfuscation** to hinder detection, and was capable of stealing passwords, browser cookies, cryptocurrency wallet data, and other files, with exfiltration observed to `5.42.65[.]108`. The reporting shows continued commercial development of macOS stealers and a growing use of fake software branding to target Mac users.
May 28, 2026
AMOS Mac Malware Spreads via Fake Ads and Trojanized macOS Downloads
Researchers reported multiple campaigns distributing macOS infostealers tied to the **AMOS/AtomicStealer** ecosystem, a malware-as-a-service operation that steals credentials, browser data, cryptocurrency wallets, Apple Notes, files, and **Keychain** material from macOS Catalina and newer systems on Intel, M1, and M2 devices. Earlier reporting on related macOS stealers showed operators relying on social engineering, unsigned DMG files, and password prompts to collect sensitive data, package it into archives, and exfiltrate it to command-and-control servers, with some activity also summarized to Telegram channels. More recent campaigns used **malvertising** and fake software or troubleshooting pages to lure users into running Terminal commands that fetched an AMOS variant known as **"malext"**. Investigators said the malware used obfuscated shell commands, `osascript`, quarantine removal, anti-VM and sandbox checks, and in some cases installed persistence through a LaunchDaemon and helper scripts, while also trojanizing Ledger and Trezor applications and capturing administrator passwords. Reporting also linked AMOS delivery to fake **CleanMyMac** sites and AI-themed lures, indicating operators are rapidly rotating ad accounts and adapting infection vectors to broaden theft and remote access on macOS systems.
May 25, 2026