Atomic
Atomic Stealer (also tracked as AMOS) is a macOS-focused information stealer sold as malware-as-a-service (MaaS) and linked, in the sources tracked here, to Russian cybercriminals. It is repeatedly described as one of the most prominent stealer families targeting Apple macOS, alongside Poseidon and Odyssey, and as capable of harvesting a wide range of data from compromised hosts, including browser and session cookies, passwords and other credentials, and further sensitive information used for account takeover and MFA bypass by replaying stolen web sessions.
The sources associate Atomic Stealer with multiple delivery and social-engineering vectors. It has been delivered through paste-and-run (ClickFix-style) lures, including fake verification or technical-fix workflows that trick users into executing malicious commands themselves. For macOS specifically, adversaries stood up fake websites impersonating trusted developer tools such as Homebrew and instructed visitors to open Spotlight, then Terminal, and run commands that installed Atomic. The malware has also been distributed via booby-trapped disk image files, including a cited example named "Launcher_v1.94.dmg". Further distribution themes include malicious GitHub repositories posing as OpenClaw installers, fake OpenClaw-related repositories surfaced in search results, malicious skills in OpenClaw ecosystems, AI-hosted ClickFix scams, malicious ads, and free or cracked software.
Atomic is also cited in broader infostealer activity aimed at stealing browser session cookies for resale and follow-on compromise. The sources explicitly name Atomic among the infostealer families used to harvest cookies from web browsers, enabling attackers to replay valid sessions and access online accounts without a password. It appears in discussions of large-scale infostealer-driven credential theft and session hijacking, including theft of web session cookies mapped to browser credential theft activity.
Targeting in the tracked material is centred on Apple macOS users, including enterprise and general users seeking developer tools or AI-agent software. The sources place Atomic within the growing macOS infostealer ecosystem and repeatedly rank it among the top macOS stealers seen in the wild. High-confidence indicators and artifacts mentioned directly include the filename "Launcher_v1.94.dmg", fake Homebrew-themed sites, malicious GitHub repositories masquerading as OpenClaw installers, and distribution through ClickFix-style fake pages and OpenClaw skill marketplaces.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"...distribute... information stealers, such as Atomic (AMOS), Lumma, Rhadamanthys... and Vidar..."
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (2 techniques)
Execution (4 techniques)
Supporting excerpts:
"Some adversaries have used lures designed specifically for macOS users that encourage the user to open Spotlight, then macOS Terminal to execute malicious commands."
"In most scenarios, once users interact with the Fix or Verify button in the lure, the button will covertly copy an obfuscated PowerShell command to the clipboard and present the user with “verification steps.”"
"The adversary is trying to entice the user into verifying or fixing something by typing a command into a terminal, run dialog box, or PowerShell."
"The viral popularity of OpenClaw has also led threat actors to capitalize on the phenomenon to distribute malicious GitHub repositories posing as OpenClaw installers to deploy information stealers like Atomic and Vidar Stealer, and a Golang-based proxy malware known as GhostSocks using ClickFix-style instructions."
Stealth (1 technique)
Credential Access (2 techniques)
Supporting excerpts:
"These stealer malware families – of which there are many, such as Atomic, Lumma, and Vidar Stealer – come with capabilities to harvest a wide range of information from compromised systems, including cookies."
"Session theft involves the covert exfiltration of session cookies from the web browser, either by gathering existing ones or waiting for a victim to log in to an account, to an attacker-controlled server."
Collection (1 technique)
Command and Control (1 technique)
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Information-stealing malware family capable of harvesting data from compromised systems, including session cookies.
An information stealer distributed via malicious GitHub repositories masquerading as OpenClaw installers.
An information-stealing malware for macOS distributed via malicious AI-agent “skills”/plugins in third-party marketplaces (ClawHub/SkillsMP).
An infostealer used to steal session cookies, passwords and browser autofill data, with subsequent exfiltration to C2 and possible account takeover that bypasses MFA.